registry  /  nitro-nightly  /  3.0.1-20260711-222534-4cdcf288

nitro-nightly@3.0.1-20260711-222534-4cdcf288

Build and Deploy Universal JavaScript Servers

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Process execution and file writes are explicit CLI build, deploy, and documentation features; there is no install-time execution or credential-exfiltration path.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit `nitro docs`, `nitro build`, or `nitro deploy` invocation.
Impact
Expected project build/deployment changes only; no unconsented host mutation established.
Mechanism
Framework build/deploy tooling generates configured platform output and runs user-invoked commands.
Rationale
Direct inspection shows a nightly Nitro framework artifact with expected CLI, deployment-preset, and bundled-library behavior. Static hints map to user-invoked functionality and a license archive, not a concrete malicious chain.
Evidence
package.jsondist/cli/index.mjsdist/cli/_chunks/docs.mjsdist/cli/_chunks/deploy.mjsdist/_presets.mjsdist/THIRD-PARTY-LICENSES.md.gzdist/cli/_chunks/build.mjs

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall/prepare lifecycle hooks.
    • dist/cli/index.mjs dispatches subcommands only after explicit `nitro` CLI use.
    • dist/cli/_chunks/docs.mjs invokes package runners only for explicit `nitro docs`.
    • dist/cli/_chunks/deploy.mjs executes a configured deploy command only for explicit `nitro deploy`.
    • dist/_presets.mjs writes deployment files under configured project/output paths during builds.
    • dist/THIRD-PARTY-LICENSES.md.gz expands to bundled-dependency license text, not a payload.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 141 file(s), 1.67 MB of source, external domains: blogs.msdn.com, cdn.jsdelivr.net, cdnjs.cloudflare.com, foo.com, github.com, rollupjs.org

    Source & flagged code

    11 flagged · loading source
    dist/_presets.mjsView file
    721"node:buffer", L722: "node:child_process", L723: "node:cluster",
    High
    Child Process

    Package source references child process execution.

    dist/_presets.mjsView on unpkg · L721
    162Cross-file remote execution chain: dist/_presets.mjs spawns dist/_build/common.mjs; helper contains network access plus dynamic code execution. L162: entry: "./aws-amplify/runtime/aws-amplify", L163: manifest: { deploymentId: process.env.AWS_JOB_ID }, L164: serveStatic: true, ... L185: function prettyPath(p, highlight = true) { L186: p = relative$1(process.cwd(), p); L187: return highlight ? colors.cyan(p) : p; ... L198: try { L199: const currentNodeVersion = JSON.parse(await fsp.readFile(join$1(nitro.options.rootDir, "package.json"), "utf8")).engines.node; L200: if (supportedNodeVersions.has(currentNodeVersion)) nodeVersion = currentNodeVersion; ... L326: "node:diagnostics_channel", L327: "node:dns", L328: "node:dns/promises",
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/_presets.mjsView on unpkg · L162
    dist/_libs/nypm+tinyexec.mjsView file
    126]; L127: e = n.env?.comspec ?? "cmd.exe"; L128: n = {
    High
    Shell

    Package source references shell execution.

    dist/_libs/nypm+tinyexec.mjsView on unpkg · L126
    dist/_libs/pluginutils.mjsView file
    112function evalValue(rawValue) { L113: return new Function(` L114: var console, exports, global, module, process, require
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/_libs/pluginutils.mjsView on unpkg · L112
    dist/_dev.mjsView file
    141setTimeout(() => { L142: require(['vs/editor/editor.main'], function () { L143: monaco.editor.create(document.getElementById('editor'), ${JSON.stringify(options)})
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/_dev.mjsView on unpkg · L141
    dist/_build/common.mjsView file
    matchType = previous_version_dangerous_delta matchedPackage = nitro-nightly@3.0.1-20260702-173353-03122331 matchedIdentity = npm:bml0cm8tbmlnaHRseQ:3.0.1-20260702-173353-03122331 similarity = 0.892 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/_build/common.mjsView on unpkg
    75function cwd$1() { L76: if (typeof process !== "undefined" && typeof process.cwd === "function") return process.cwd().replace(/\\/g, "/"); L77: return "/"; ... L210: "buffer", L211: "child_process", L212: "cluster", ... L461: assert.ok(isImport === false); L462: return `Invalid "exports" main target ${JSON.stringify(target)} defined in the package config ${packagePath}package.json${base ? ` imported from ${base}` : ""}${relatedError ? "; t... L463: } ... L513: try { L514: parsed = JSON.parse(string); L515: } catch (error_) {
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/_build/common.mjsView on unpkg · L75
    dist/THIRD-PARTY-LICENSES.md.gzView file
    path = dist/THIRD-PARTY-LICENSES.md.gz kind = high_entropy_blob sizeBytes = 6635 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    dist/THIRD-PARTY-LICENSES.md.gzView on unpkg
    path = dist/THIRD-PARTY-LICENSES.md.gz kind = compressed_blob sizeBytes = 6635 magicHex = [redacted]
    Medium
    Ships Compressed Blob

    Package ships compressed or archive-like blobs.

    dist/THIRD-PARTY-LICENSES.md.gzView on unpkg
    dist/docs/0.docs/3.routing.mdView file
    469patternName = generic_password severity = medium line = 469 matchedText = '/admin/...} },
    Medium
    Secret Pattern

    Hardcoded password in dist/docs/0.docs/3.routing.md

    dist/docs/0.docs/3.routing.mdView on unpkg · L469
    614patternName = generic_password severity = medium line = 614 matchedText = password...et',
    Medium
    Secret Pattern

    Hardcoded password in dist/docs/0.docs/3.routing.md

    dist/docs/0.docs/3.routing.mdView on unpkg · L614

    Findings

    1 Critical4 High7 Medium6 Low
    CriticalPrevious Version Dangerous Deltadist/_build/common.mjs
    HighChild Processdist/_presets.mjs
    HighShelldist/_libs/nypm+tinyexec.mjs
    HighCross File Remote Execution Contextdist/_presets.mjs
    HighShips High Entropy Blobdist/THIRD-PARTY-LICENSES.md.gz
    MediumDynamic Requiredist/_dev.mjs
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Compressed Blobdist/THIRD-PARTY-LICENSES.md.gz
    MediumStructural Risk Force Deep Review
    MediumSecret Patterndist/docs/0.docs/3.routing.md
    MediumSecret Patterndist/docs/0.docs/3.routing.md
    LowScripts Present
    LowEvaldist/_libs/pluginutils.mjs
    LowWeak Cryptodist/_build/common.mjs
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings