AI Security Review
scanned 3h ago · by lpm-firewall-aiConditional dev-server HTTPS setup downloads and executes a `mkcert` release binary. No unconsented install-time execution or credential exfiltration was established.
Decision evidence
public snapshot- `esm/utils/mkcert.js` fetches a platform binary from GitHub, chmods it, then executes it.
- The downloaded binary has no checksum or signature verification before execution.
- `esm/commands/build.js` starts `npx webpack-bundle-analyzer` with `shell: true` when `ANALYZE` is set.
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
- `esm/index.js` exports build/serve APIs and does not invoke them at import time.
- The binary download is reached only when HTTPS dev-server mode is enabled.
- No AI-agent control-surface paths, credential-harvesting paths, eval/vm use, or destructive filesystem calls were found.
- Dynamic require in `config/readWebpackConfig.js` loads the caller's explicit webpack config.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
esm/utils/mkcert.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
esm/commands/build.jsView on unpkg · L112Package source references dynamic require/import behavior.
esm/config/readWebpackConfig.jsView on unpkg · L12This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
cjs/commands/dev.jsView on unpkg