registry  /  hn-workflow-components  /  1.0.6

hn-workflow-components@1.0.6

一个基于 React + TypeScript 的可视化工作流编排组件库,提供工作流编辑器与执行进度查看器两种模式。

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network behavior is a documented workflow editor/viewer feature using the host app's configured backend.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Rendering/using exported React components
Impact
workflow data exchange with application backend chosen by caller
Mechanism
axios calls to caller-provided baseUrl workflow APIs
Rationale
Static source inspection shows a React workflow component library with no lifecycle execution, hidden exfiltration endpoint, credential harvesting, persistence, or destructive behavior. Scanner findings are explained by bundled dependencies and documented browser component behavior.
Evidence
package.jsonREADME.mddist/workflow-components.es.jsdist/workflow-components.umd.jsdist/mockServiceWorker.jslocalStorage:startNode
Network endpoints1
api.example.com

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks
    • Entrypoints are dist React component bundles exporting WorkflowComponents/WorkflowViewerComponents
    • README documents caller-supplied baseUrl and workflow API routes
    • Bundled axios calls use configured baseURL plus /bpmn/* paths
    • No bidi/invisible Unicode controls found in bundled JS
    • Dangerous-looking primitives are from bundled dependencies/MSW worker
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsNetwork
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    Manifest
    NoLicense
    scanned 3 file(s), 2.08 MB of source, external domains: ant.design, bit.ly, github.com, redux-toolkit.js.org, redux.js.org, styled-components.com, u.ant.design, www.styled-components.com, www.w3.org

    Source & flagged code

    2 flagged · loading source
    dist/workflow-components.es.jsView file
    37606contains invisible/control Unicode U+200C (zero width non-joiner) position: relative<U+200C>;
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/workflow-components.es.jsView on unpkg · L37606
    dist/workflow-components.umd.jsView file
    Trigger-reachable chain: manifest.main -> dist/workflow-components.umd.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/workflow-components.umd.jsView on unpkg

    Findings

    2 Critical3 Medium4 Low
    CriticalTrojan Source Unicodedist/workflow-components.es.js
    CriticalTrigger Reachable Dangerous Capabilitydist/workflow-components.umd.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License