
gt-next@6.16.36

A Next.js library for automatic internationalization.

AI Security Review

scanned 17h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Runtime network and env access support the package's Next.js internationalization functionality.

Static reason: One or more suspicious static signals were detected.
Trigger: Importing gt-next modules or invoking withGTConfig/loadTranslations in a Next.js app
Impact: Loads translations and locale configuration for the consuming application
Mechanism: Next.js i18n config, generated-module loading, and configured remote translation fetch
Rationale: Static inspection shows a legitimate Next.js internationalization package with configuration/env access, local generated module resolution, and translation cache fetches aligned to its purpose. I found no install-time execution, exfiltration, persistence, shell execution, or foreign AI-agent control-surface mutation.
Evidence:
  • package.json
  • dist/config.js
  • dist/config-dir/getI18NConfig.js
  • dist/config-dir/loadTranslation.js
  • dist/resolvers/resolveTranslationLoader.js
  • dist/resolvers/resolveDictionaryLoader.js
  • dist/request/utils/getRequestFunction.js
  • dist/client.js
  • gt.config.json
  • .gt/gt.config.json
  • .locadex/gt.config.json
  • gt-next/_load-translations
  • gt-next/_load-dictionary
  • gt-next/internal/_getLocale
  • gt-next/internal/_getRegion
  • gt-next/internal/_getDomain

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • dist/config.js reads local GT config files and env vars during explicit Next config plugin use.
  • dist/config-dir/loadTranslation.js fetches remote translations from configured cacheUrl/projectId at runtime.
  • dist/resolvers/*.js use package subpath require only for generated/user GT loaders when env flags enable them.
Evidence against
  • No evidence of credential harvesting beyond GT_PROJECT_ID/GT_API_KEY configuration use.
  • No child_process, eval/vm, persistence, destructive behavior, or AI-agent control-surface writes found in inspected files.
  • Network use is translation-service aligned and driven by user/project config, not install-time.
  • Dynamic requires target gt-next package subpaths for generated app integration, not arbitrary remote code.
Behavioral surface
Source: Dynamic Require, Environment Vars, Filesystem, Network
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 78 file(s), 214 KB of source, external domains: generaltranslation.com

Source & flagged code

2 flagged

dist/client.js (flagged at L2)
  L2: Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
  L3: require("./_virtual/_rolldown/runtime.js");
  L4: let gt_react_client = require("gt-react/client");
Severity: Medium
Finding: Dynamic Require
Package source references dynamic require/import behavior.

dist/config.js (flagged at L307)
  Finding metadata: package = gt-next; repositoryIdentity = gt; dependency = @generaltranslation/compiler
  L307: if (mergedConfig.experimentalCompilerOptions?.type === "babel") try {
  L308:   const { webpack: gtUnplugin } = require("@generaltranslation/compiler");
  L309:   webpackConfig.plugins.unshift(gtUnplugin(mergedConfig.experimentalCompilerOptions || {}));
Severity: High
Finding: Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

Findings

1 High, 4 Medium, 4 Low
  • High: Copied Package Dependency Bridge (dist/config.js)
  • Medium: Dynamic Require (dist/client.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings