AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Process execution and file writes are explicit CLI build, deploy, and documentation features; there is no install-time execution or credential-exfiltration path.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall/prepare lifecycle hooks.
- dist/cli/index.mjs dispatches subcommands only after explicit `nitro` CLI use.
- dist/cli/_chunks/docs.mjs invokes package runners only for explicit `nitro docs`.
- dist/cli/_chunks/deploy.mjs executes a configured deploy command only for explicit `nitro deploy`.
- dist/_presets.mjs writes deployment files under configured project/output paths during builds.
- dist/THIRD-PARTY-LICENSES.md.gz expands to bundled-dependency license text, not a payload.
Source & flagged code
11 flagged · loading sourcePackage source references child process execution.
dist/_presets.mjsView on unpkg · L721Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/_presets.mjsView on unpkg · L162Package source references a known benign dynamic code generation pattern.
dist/_libs/pluginutils.mjsView on unpkg · L112Package source references dynamic require/import behavior.
dist/_dev.mjsView on unpkg · L141This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/_build/common.mjsView on unpkgPackage source references weak cryptographic algorithms.
dist/_build/common.mjsView on unpkg · L75Package ships high-entropy non-source blobs.
dist/THIRD-PARTY-LICENSES.md.gzView on unpkgPackage ships compressed or archive-like blobs.
dist/THIRD-PARTY-LICENSES.md.gzView on unpkgHardcoded password in dist/docs/0.docs/3.routing.md
dist/docs/0.docs/3.routing.mdView on unpkg · L469Hardcoded password in dist/docs/0.docs/3.routing.md
dist/docs/0.docs/3.routing.mdView on unpkg · L614