registry  /  react-semaphor  /  0.1.426

react-semaphor@0.1.426

Fully interactive and customizable dashboards for your apps.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The dashboard custom-visual feature can download and execute ES modules from a configured library URL. It can also evaluate configured dynamic renderer code in the browser.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A consumer configures and renders a custom-visual library URL or dynamic renderer.
Impact
A party controlling the configured visual URL or renderer can run JavaScript in the consuming dashboard's browser context.
Mechanism
Runtime remote module import and custom renderer evaluation.
Rationale
No evidence shows malicious installation, harvesting, persistence, or stealthy exfiltration. The package nevertheless exposes an unguarded remote/custom-code execution capability, so it warrants a warning rather than a block.
Evidence
package.jsondist/chunks/dashboard-JNK2ly_e.jsdist/chunks/code-editor-tfzm8LWW.js

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/chunks/dashboard-JNK2ly_e.js` dynamically imports `<configured URL>/index.js` via `new Function`.
  • The same bundle fetches `<configured URL>/manifest.json` and renders exported remote components.
  • `dist/chunks/code-editor-tfzm8LWW.js` validates then parses custom renderer source with `new Function`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • No `child_process`, filesystem-read/write, shell-execution, or credential-file primitives were found.
  • No AI-agent control-surface paths, cookie access, or fixed suspicious exfiltration endpoint were found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 98 file(s), 4.71 MB of source, external domains: 127.0.0.1, bit.ly, docs.semaphor.cloud, drafts.csswg.org, github.com, lea.verou.me, opensource.org, semaphor-data-app.localhost, stackoverflow.com, tanstack.com, unpkg.com, www.chartjs.org, www.w3.org
Oversized source lightweight scan
dist/chunks/dashboard-JNK2ly_e.js3.32 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringstanstack.comwww.w3.org
dist/chunks/dashboard-ZoKNg47G.js4.85 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsHighEntropyStrings

Source & flagged code

6 flagged · loading source
dist/chunks/code-editor-tfzm8LWW.jsView file
136*/var t=function(r){var o=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,i=0,a={},s={manual:r.Prism&&r.Prism.manual,disableWorkerMessageHandler:r.Prism&&r.Prism.disableWorkerMessageHand... L137: `),v.hasAttribute("data-start")||v.setAttribute("data-start",String(T+1))}C.textContent=I,t.highlightElement(C)},function(I){v.setAttribute(s,u),C.textContent=I})}}),t.plugins.file... L138: `).length,[e]),v=Math.max(2,String(m).length),C=Ee.useId(),g=h??C,y=u??c;return x.jsxs("div",{className:`code-editor relative h-full min-h-0 overflow-auto font-mono text-[12px] lea...
High
Child Process

Package source references child process execution.

dist/chunks/code-editor-tfzm8LWW.jsView on unpkg · L136
50* See the LICENSE file in the root directory of this source tree. L51: */const hm=Se.createLucideIcon("Upload",[["path",{d:"M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4",key:"ih7n3h"}],["polyline",{points:"17 8 12 3 7 8",key:"t8dd8p"}],["line",{x1:"12",x... L52: `),i=o.findIndex(s=>s.includes("api.setState"));if(i<0)return;const a=((n=o[i+1])==null?void 0:n.trim())||"";return((t=Zm.exec(a))==null?void 0:t[1])||((r=Jm.exec(a))==null?void 0:... ... L56: `);const g=C.state[s];if(g==null)return;JSON.stringify(o.getState())!==JSON.stringify(g)&&h(g);return}Os(o)&&o.dispatch(C)});case"DISPATCH":switch(m.payload.type){case"RESET":retur... L57: `;)t+=1;return t}function Qc(e,n){let t=n+2;for(;t<e.length-1;){if(e[t]==="*"&&e[t+1]==="/")return t+1;t+=1}return e.length-1}function Zc(e,n,t,r){let o=1,i=n+1;for(;i<e.length;){c... L58: .`.concat(vw,` {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/chunks/code-editor-tfzm8LWW.jsView on unpkg · L50
matchType = previous_version_dangerous_delta matchedPackage = react-semaphor@0.1.424 matchedIdentity = npm:cmVhY3Qtc2VtYXBob3I:0.1.424 similarity = 0.652 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunks/code-editor-tfzm8LWW.jsView on unpkg
56`);const g=C.state[s];if(g==null)return;JSON.stringify(o.getState())!==JSON.stringify(g)&&h(g);return}Os(o)&&o.dispatch(C)});case"DISPATCH":switch(m.payload.type){case"RESET":retur... L57: `;)t+=1;return t}function Qc(e,n){let t=n+2;for(;t<e.length-1;){if(e[t]==="*"&&e[t+1]==="/")return t+1;t+=1}return e.length-1}function Zc(e,n,t,r){let o=1,i=n+1;for(;i<e.length;){c... L58: .`.concat(vw,` {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/chunks/code-editor-tfzm8LWW.jsView on unpkg · L56
dist/types/index.cjsView file
1"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const e=require("../chunks/common-types-C73-Ud1-.js"),a={mode:"all"},E={tz:"UTC",weekStart:1,anchor:...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/types/index.cjsView on unpkg · L1
dist/chunks/dashboard-ZoKNg47G.jsView file
path = dist/chunks/dashboard-ZoKNg47G.js kind = oversized_source_file sizeBytes = 5081384 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chunks/dashboard-ZoKNg47G.jsView on unpkg

Findings

4 High4 Medium5 Low
HighChild Processdist/chunks/code-editor-tfzm8LWW.js
HighSame File Env Network Executiondist/chunks/code-editor-tfzm8LWW.js
HighOversized Source Filedist/chunks/dashboard-ZoKNg47G.js
HighPrevious Version Dangerous Deltadist/chunks/code-editor-tfzm8LWW.js
MediumDynamic Requiredist/types/index.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/chunks/code-editor-tfzm8LWW.js
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings