registry  /  @utoo/pack  /  1.4.22

@utoo/pack@1.4.22

> 🌖 High-performance bundler core for the Utoo toolchain, powered by [Turbopack](https://turbo.build/pack).

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Suspicious primitives are aligned with a bundler/dev-server package and are user-invoked rather than install-time or import-time behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User calls build(), serve(), HTTPS dev certificate generation, webpack compatibility, or ANALYZE mode.
Impact
Expected project build/dev effects such as writing dist files, .turbopack lock/cache, optional certificates, and serving/proxying configured dev traffic.
Mechanism
bundler/dev-server operations with optional native binding, proxying, certificate generation, and analyzer launch
Rationale
Static source inspection shows a legitimate Rust/NAPI-backed bundler with dev-server helpers; network, shell, and filesystem writes are tied to explicit build/dev features, not covert install-time execution or exfiltration. No credential harvesting, stealth persistence, destructive behavior beyond configured output cleaning, or AI-agent control-surface mutation was found.
Evidence
package.jsonesm/index.jsesm/commands/build.jsesm/commands/dev.jsesm/utils/mkcert.jsesm/config/readWebpackConfig.jsesm/binding.jsesm/core/proxyHono.jsesm/utils/cleanOutput.jsesm/utils/lockfile.jsdist or configured output directory.turbopack/lockcertificates/localhost-key.pemcertificates/localhost.pem.gitignore
Network endpoints1
github.com/FiloSottile/mkcert/releases/download/v1.4.4/

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepublishOnly; no preinstall/install/postinstall lifecycle execution.
    • esm/index.js only exports build, serve, defineConfig, and types; no import-time network or mutation.
    • esm/utils/mkcert.js downloads mkcert from GitHub only when HTTPS dev certificate generation is requested.
    • esm/commands/build.js spawns npx webpack-bundle-analyzer only when ANALYZE is set and stats.json exists.
    • esm/config/readWebpackConfig.js requires local webpack config for webpack compatibility, a user-directed bundler behavior.
    • esm/binding.js loads package-aligned optional native bindings under @utoo/pack-* names.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 54 file(s), 229 KB of source, external domains: github.com

    Source & flagged code

    4 flagged · loading source
    esm/utils/mkcert.jsView file
    1import { execSync } from "node:child_process"; L2: import { createPrivateKey, X509Certificate } from "node:crypto";
    High
    Child Process

    Package source references child process execution.

    esm/utils/mkcert.jsView on unpkg · L1
    esm/commands/build.jsView file
    114stdio: "inherit", L115: shell: true, L116: });
    High
    Shell

    Package source references shell execution.

    esm/commands/build.jsView on unpkg · L114
    112return new Promise((resolve, reject) => { L113: const analyzer = spawn("npx", ["webpack-bundle-analyzer", statsPath], { L114: stdio: "inherit",
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    esm/commands/build.jsView on unpkg · L112
    esm/config/readWebpackConfig.jsView file
    12.find(fs.existsSync); L13: const config = require(configFile || configPath); L14: if (typeof config === "function") {
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    esm/config/readWebpackConfig.jsView on unpkg · L12

    Findings

    3 High4 Medium4 Low
    HighChild Processesm/utils/mkcert.js
    HighShellesm/commands/build.js
    HighRuntime Package Installesm/commands/build.js
    MediumDynamic Requireesm/config/readWebpackConfig.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowUrl Strings