registry  /  pier-front-common-toolkits-vue-2  /  3.13.30

pier-front-common-toolkits-vue-2@3.13.30

内部使用vue2组件

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a bundled Vue 2 component/toolkit library with user-invoked HTTP/auth helpers and UI utilities.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing the library or loading lib/demo.html in a browser
Impact
Package-aligned browser behavior; no install-time execution or covert host compromise observed
Mechanism
Vue plugin registration and browser utility/helper functions
Rationale
Static inspection found noisy scanner primitives in minified bundled frontend dependencies and package-aligned auth/request utilities, but no concrete malicious behavior. With no lifecycle hooks, shell execution, persistence, or exfiltration path, this should be marked clean.
Evidence
package.jsonREADME.mdlib/pier.common.jslib/pier.umd.jslib/pier.umd.min.jslib/demo.html
Network endpoints4
login.sichuanair.comlocalhost192.168.199.205:5401${location.host}/#login

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json declares dependency "fs" but it is the npm security placeholder, not a lifecycle hook or bundled payload.
  • lib bundles browser request/auth helpers with endpoints such as login.sichuanair.com and an internal IP.
  • Bundled code references document.cookie/localStorage in auth/cache helpers.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts and main is lib/pier.common.js.
  • Package contains only README.md, package.json, and built lib/demo/html/js files.
  • lib/pier.common.js exports Vue components/utilities and installs only when user imports or window.Vue exists.
  • eval/Function/crypto hits appear in bundled dependencies/polyfills such as moment/xlsx/crypto-js patterns, not custom loader code.
  • No child_process, shell execution, persistence, destructive writes, credential harvesting, or exfiltration flow found.
Behavioral surface
Source
ChildProcessCryptoEvalShell
Supply chain
HighEntropyStringsMinifiedTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 5.41 MB of source, external domains: element.eleme.io, login.sichuanair.com, momentjs.com, www.w3.org

Source & flagged code

3 flagged · loading source
lib/pier.umd.min.jsView file
1((e,t)=>{"object"==typeof exports&&"object"==typeof module?module.exports=t(require("vue")):"function"==typeof define&&define.amd?define([],t):"object"==typeof exports?exports.pier...
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/pier.umd.min.jsView on unpkg · L1
1((e,t)=>{"object"==typeof exports&&"object"==typeof module?module.exports=t(require("vue")):"function"==typeof define&&define.amd?define([],t):"object"==typeof exports?exports.pier...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/pier.umd.min.jsView on unpkg · L1
package.jsonView file
Runtime dependency names matching Node built-ins: fs
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High5 Low
HighNode Builtin Dependency Squatpackage.json
LowScripts Present
LowEvallib/pier.umd.min.js
LowWeak Cryptolib/pier.umd.min.js
LowHigh Entropy Strings
LowUrl Strings