registry  /  @ytsaurus/ui  /  3.17.0

@ytsaurus/ui@3.17.0

User interface for a [YTsaurus platform](https://ytsaurus.tech) cluster.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are runtime server features for a YTsaurus UI application and are configuration/user-route driven, not install-time or import-time payloads.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the packaged server or explicit npm scripts such as start/build/dev.
Impact
No evidence of unconsented credential exfiltration, persistence, destructive action, or lifecycle execution.
Mechanism
configured web UI backend, API proxy, OAuth/VCS/AI integrations
Rationale
Static inspection shows a built YTsaurus UI server with expected network proxy, auth, VCS, and AI-chat integrations gated by runtime config and user/API actions. Scanner findings map to bundled frontend/polyfills, server proxy code, and build/test scripts rather than concrete malicious behavior.
Evidence
package.jsondist/server/render-layout.jsdist/server/components/requestsSetup.jsdist/server/controllers/yt-api.jsdist/server/components/ai-chat.jsdist/server/controllers/vcs.jsdist/server/components/vcs/GithubApi.jsdist/server/components/vcs/GitlabApi.jsdist/server/configure-app.jsdist/server/index.jsdist/server/configs/common.jsdist/server/configs/local.jsdist/run/server.sockdist/public/build/assets-manifest.jsonsecrets/yt-interface-secret.jsonclusters-config.json
Network endpoints2
github.com/ytsaurus/ytsaurus-ui/tree/main/packages/uigithub.com/ytsaurus/ytsaurus-ui/issues/new

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall/prepare hooks; only prepublishOnly builds package artifacts.
    • dist/server/render-layout.js only loads @gravity-ui/app-layout and an assets manifest for layout rendering.
    • dist/server/components/requestsSetup.js reads configured ytInterfaceSecret/YT_TOKEN for YTsaurus auth, not unsolicited harvesting.
    • dist/server/controllers/yt-api.js proxies authenticated user requests to configured YTsaurus cluster API endpoints.
    • dist/server/components/ai-chat.js and VCS clients call configured service base URLs in response to app routes.
    • Bidi/Trojan-source grep on dist/public/build/js/6988.30d090b8.chunk.js found no matching control characters.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
    Manifest
    NoLicense
    scanned 426 file(s), 11.0 MB of source, external domains: developer.mozilla.org, fb.me, github.com, h.yandex-team.ru, monitoring-service.my-domain.com, my.monitoring.service, www.eclipse.org, www.w3.org, yastatic.net, ytsaurus.tech
    Oversized source lightweight scan
    dist/public/build/js/6096.111e12fd.chunk.js3.14 MB file, sampled 256 KB
    ChildProcessHighEntropyStringsMinified

    Source & flagged code

    5 flagged · loading source
    dist/public/build/js/main.fb4e71cd.jsView file
    1(self.webpackChunk_ytsaurus_ui=self.webpackChunk_ytsaurus_ui||[]).push([["6909"],{64477:function(){},93503:function(e,t,r){var n={"./ru":"46653"};function i(e){return r(o(e))}funct... L2: font-size: .6rem;
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/public/build/js/main.fb4e71cd.jsView on unpkg · L1
    dist/server/render-layout.jsView file
    5Object.defineProperty(exports, "__esModule", { value: true }); L6: const path_1 = __importDefault(require("path")); L7: const app_layout_1 = require("@gravity-ui/app-layout");
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/server/render-layout.jsView on unpkg · L5
    dist/public/build/json.5239aa2e.worker.jsView file
    1(()=>{"use strict";var e={1472:function(e,t,r){var n=r(6299),i=r(6790),o=TypeError;e.exports=function(e){if(n(e))return e;throw new o(i(e)+" is not a function")}},3762:function(e,t... L2: //# sourceMappingURL=json.5239aa2e.worker.js.map
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/public/build/json.5239aa2e.worker.jsView on unpkg · L1
    dist/public/build/js/6988.30d090b8.chunk.jsView file
    2contains invisible/control Unicode U+2068 (first strong isolate) Please try using another token.`),{type:"literal",contentType:"letter"})}(t),i=function(e,t,a){if("digit"!==e)return!1;switch(t){case"year":if(H(a))return"0001"===(0,j.dateTime)().set("year",1).format(a);return"01"===(0,j.dateTime)().set("y
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/public/build/js/6988.30d090b8.chunk.jsView on unpkg · L2
    dist/public/build/js/6096.111e12fd.chunk.jsView file
    path = dist/public/build/js/6096.111e12fd.chunk.js kind = oversized_source_file sizeBytes = 3288367 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/public/build/js/6096.111e12fd.chunk.jsView on unpkg

    Findings

    1 Critical3 High5 Medium9 Low
    CriticalTrojan Source Unicodedist/public/build/js/6988.30d090b8.chunk.js
    HighChild Process
    HighSame File Env Network Executiondist/public/build/json.5239aa2e.worker.js
    HighOversized Source Filedist/public/build/js/6096.111e12fd.chunk.js
    MediumDynamic Requiredist/server/render-layout.js
    MediumNetwork
    MediumEnvironment Vars
    MediumProtestware
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEvaldist/public/build/js/main.fb4e71cd.js
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings
    LowNo License