
gt-next@6.16.37

A Next.js library for automatic internationalization.

AI Security Review

scanned 17h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a Next.js internationalization library with runtime/build-time config helpers and optional translation cache network access under application configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
Application imports gt-next APIs or calls withGTConfig in Next.js config.
Impact
Expected package behavior; may read GT_* environment variables and fetch configured translation cache data when enabled.
Mechanism
Next.js i18n configuration, locale resolution, and translation loading
Rationale
Static source inspection found package-aligned Next.js i18n behavior, with config-file reads, environment variable reads, and optional translation cache fetches but no install-time execution or unconsented mutation/exfiltration. Scanner dynamic-require and network findings map to documented locale/request hook resolution and translation loading rather than malware.
Evidence
    • package.json
    • dist/index.server.js
    • dist/client.js
    • dist/server.js
    • dist/config.js
    • dist/config-dir/loadTranslation.js
    • dist/request/utils/getRequestFunction.js
    • dist/request/utils/legacyGetRequestFunction.js
    • gt.config.json
    • .gt/gt.config.json
    • .locadex/gt.config.json
    • dictionary / loadDictionary / loadTranslations / request function paths, when configured by the app

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks or bin entrypoints.
    • dist/index.server.js and dist/client.js primarily re-export gt-next/gt-react/server APIs.
    • dist/config.js reads gt.config/env and returns a Next.js config object; it does not write files or mutate agent control surfaces.
    • dist/config-dir/loadTranslation.js performs user-configured runtime translation cache fetches only when gt-next config enables remote translations.
    • Dynamic require paths in dist/request/utils/*.js resolve package/user-configured gt-next request hooks for locale/region/domain handling.
    • No child_process, eval, persistence, credential harvesting, destructive actions, or exfiltration behavior found.
    Behavioral surface
    Source
    Dynamic Require · Environment Vars · Filesystem · Network
    Supply chain
    High Entropy Strings · Url Strings
    Manifest
    No manifest risk signals triggered.
    scanned 78 file(s), 215 KB of source, external domains: generaltranslation.com

    Source & flagged code

    2 flagged
    dist/client.js
    L2: Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
    L3: require("./_virtual/_rolldown/runtime.js");
    L4: let gt_react_client = require("gt-react/client");
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/client.js · L2
    dist/config.js
    package = gt-next; repositoryIdentity = gt; dependency = @generaltranslation/compiler
    L309: if (mergedConfig.experimentalCompilerOptions?.type === "babel") try {
    L310: const { webpack: gtUnplugin } = require("@generaltranslation/compiler");
    L311: webpackConfig.plugins.unshift(gtUnplugin(mergedConfig.experimentalCompilerOptions || {}));
    High
    Copied Package Dependency Bridge

    Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

    dist/config.js · L309

    Findings

    1 High · 4 Medium · 4 Low
    High · Copied Package Dependency Bridge · dist/config.js
    Medium · Dynamic Require · dist/client.js
    Medium · Network
    Medium · Environment Vars
    Medium · Structural Risk Force Deep Review
    Low · Scripts Present
    Low · Filesystem
    Low · High Entropy Strings
    Low · Url Strings