registry  /  @zjlab-fe/data-hub-ui  /  0.26.0

@zjlab-fe/data-hub-ui@0.26.0

`import { InputTag } from '@zjlab-fe/data-hub-ui`

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network/file behavior is user-invoked UI preview/upload functionality rather than install-time or import-time exfiltration.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User imports components and invokes preview or upload UI with application-provided URLs.
Impact
No unauthorized credential, filesystem, or environment access identified.
Mechanism
React UI library with file preview, asset loading, and chunk upload helpers
Rationale
Source inspection shows a bundled React component package with preview/upload features and static asset loading; the suspicious primitives are aligned with those features and require caller-supplied runtime inputs. No concrete attack behavior or unconsented lifecycle AI-agent control-surface mutation was found.
Evidence
package.jsones/index.jslib/index.jses/components/file-uploader/utils/upload-handler.jses/components/file-preview/util.jses/components/file-preview/excel-preview/index.jses/components/file-preview/pdf-preview/index.js.github/instructions/i.instructions.md
Network endpoints2
haina-datahub.zero2x.org/ossRoute/frontend/resources/www.unpkg.com/@zjlab-fe/fe-assets/logo-white.png

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has prepare script "husky", but no install/postinstall hook or custom lifecycle payload found.
  • .github/instructions/i.instructions.md contains AI coding guidance, but it is inert packaged project metadata and not written by lifecycle code.
Evidence against
  • package.json entrypoints are lib/index.js and es/index.js for a React UI component library.
  • es/index.js only re-exports components and imports CSS side-effect modules.
  • Network use is package-aligned: file preview fetches caller-supplied filePath/httpHeaders and uploader PUTs caller-provided uploadUrl.
  • External URLs are static UI assets/CDN resources under haina-datahub.zero2x.org and logo from www.unpkg.com.
  • No child_process, fs harvesting, credential collection, destructive behavior, native binary loading, or install-time execution found.
  • Scanner-highlighted lib/index.js is a bundled UI artifact matching es component behavior.
Behavioral surface
Source
FilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 229 file(s), 1.04 MB of source, external domains: alidocs.dingtalk.com, haina-datahub.zero2x.org, www.unpkg.com, www.w3.org

Source & flagged code

1 flagged · loading source
lib/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @zjlab-fe/data-hub-ui@0.23.0 matchedIdentity = npm:QHpqbGFiLWZlL2RhdGEtaHViLXVp:0.23.0 similarity = 0.733 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

lib/index.jsView on unpkg

Findings

1 Critical2 Medium5 Low
CriticalPrevious Version Dangerous Deltalib/index.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings