registry  /  @wix/editor-react-components  /  1.2320.0

@wix/editor-react-components@1.2320.0

React components for the Wix Editor

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package has no install-time execution; inspected network use loads component media and icons at runtime.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer renders components requiring SVG, icon, animation, or social-media metadata.
Impact
No credential theft, persistence, destructive action, or remote payload execution established.
Mechanism
Runtime media and UI-resource fetching
Rationale
Scanner findings map to ordinary bundled UI behavior: a guarded Lottie expression engine and intentional bidi formatting characters. Direct inspection found no concrete malicious execution or data-exfiltration chain.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/chunks/Tooltip.jsdist/site/components/chunks/svg.jsdist/site/components/TextInput/component.jsdist/site/components/SocialPlayerVimeo/component.jsdist/site/components/extensions.js

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/site/components/Lottie/component.js` contains a guarded `eval` for Lottie expressions.
  • `dist/site/components/chunks/Tooltip.js` contains bidi isolates in date-time literal strings.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook and exports browser component modules only.
  • Lottie expression evaluation is gated by `renderConfig.runExpressions` and supports animation data; no process, filesystem, or network chain follows it.
  • Tooltip bidi characters are literal directional markers around editable hour segments, not concealed executable syntax.
  • `dist/site/components/chunks/svg.js`, `TextInput/component.js`, and `SocialPlayerVimeo/component.js` fetch user-facing SVG, icon, and oEmbed/media resources only.
  • No child-process, filesystem harvesting, credential access, persistence, agent-control mutation, or exfiltration behavior was found in inspected JavaScript.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 311 file(s), 6.08 MB of source, external domains: aomedia.org, api.whatsapp.com, base-ui.com, editor.wix.com, facebook.com, fb.me, files.wix.com, github.com, maps.googleapis.com, pinterest.com, static.filesuser.com, static.parastorage.com, static.wixstatic.com, twitter.com, video.wixstatic.com, vimeo.com, visgl.github.io, www.facebook.com, www.google.com, www.instagram.com, www.linkedin.com, www.snapchat.com, www.tiktok.com, www.w3.org, www.wix.com, www.youtube.com

Source & flagged code

3 flagged · loading source
dist/site/components/Lottie/component.jsView file
13712var scoped_bm_rt; L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0]; L13714: var numKeys = property.kf ? data.k.length : 0;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/site/components/Lottie/component.jsView on unpkg · L13712
dist/site/components/chunks/Tooltip.jsView file
7191contains invisible/control Unicode U+2066 (left-to-right isolate) text: "<U+2066>",
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/site/components/chunks/Tooltip.jsView on unpkg · L7191
dist/site/components/chunks/constants3.jsView file
61patternName = generic_password severity = medium line = 61 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in dist/site/components/chunks/constants3.js

dist/site/components/chunks/constants3.jsView on unpkg · L61

Findings

1 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/site/components/chunks/Tooltip.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/site/components/chunks/constants3.js
LowScripts Present
LowEvaldist/site/components/Lottie/component.js
LowHigh Entropy Strings
LowUrl Strings