registry  /  react-semaphor  /  0.1.422

react-semaphor@0.1.422

Fully interactive and customizable dashboards for your apps.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious package attack surface. Runtime networking is tied to consumer-provided dashboard API configuration, while dynamic visual/module loading is an explicit dashboard feature.

Static reason
No blocking static signals were detected.
Trigger
A consuming application renders a dashboard and supplies API, token, custom-code, or component-URL configuration.
Impact
Custom code or remote modules could execute in the host page only if the consumer treats untrusted configuration as trusted; no install-time or stealth execution exists.
Mechanism
Browser-side dashboard API requests and configurable visual/component loading.
Rationale
The flagged primitives are consumer-runtime features of a dashboard SDK, not an autonomous or install-time attack chain. Static inspection found no concrete malicious behavior.
Evidence
package.jsondist/index.jsdist/types/index.cjsdist/chunks/index-OD6mLD7U.jsdist/chunks/switch-CWcWwwDJ.jsdist/data-app-sdk/index.jsdist/data-app-builder-browser-runtime/index.js

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/chunks/index-OD6mLD7U.js` evaluates custom visual/renderer code with `new Function`.
  • `dist/chunks/index-OD6mLD7U.js` dynamically imports a component URL supplied at runtime.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook.
  • Entrypoints are React/dashboard exports; no Node filesystem or child-process module imports were found.
  • `dist/chunks/switch-CWcWwwDJ.js` sends dashboard API requests only when given runtime API URL and bearer token.
  • No source evidence of credential harvesting, local file writes, persistence, agent-config mutation, or concealed endpoint.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 90 file(s), 4.93 MB of source, external domains: 127.0.0.1, bit.ly, docs.semaphor.cloud, drafts.csswg.org, github.com, semaphor-data-app.localhost, stackoverflow.com, tanstack.com, unpkg.com, www.chartjs.org, www.w3.org
Oversized source lightweight scan
dist/chunks/index-8y8XX7sX.js3.13 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringstanstack.com
dist/chunks/index-OD6mLD7U.js4.58 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringstanstack.com

Source & flagged code

5 flagged · loading source
dist/chunks/switch-DRNqX0v0.jsView file
136*/var t=function(n){var o=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,i=0,a={},s={manual:n.Prism&&n.Prism.manual,disableWorkerMessageHandler:n.Prism&&n.Prism.disableWorkerMessageHand... L137: `),b.hasAttribute("data-start")||b.setAttribute("data-start",String(T+1))}S.textContent=I,t.highlightElement(S)},function(I){b.setAttribute(s,u),S.textContent=I})}}),t.plugins.file... L138: `).length,[e]),b=Math.max(2,String(m).length),S=le.useId(),g=h??S,y=u??c;return x.jsxs("div",{className:`code-editor relative h-full min-h-0 overflow-auto font-mono text-[12px] lea...
High
Child Process

Package source references child process execution.

dist/chunks/switch-DRNqX0v0.jsView on unpkg · L136
1"use strict";const ve=require("./x-B6ghREd2.js"),x=require("react/jsx-runtime"),le=require("react");require("./analyze-result-contract-DpDcImgk.js");const ml=require("react-dom"),u... L2: `),o=n.findIndex(a=>a.includes("api.setState"));if(o<0)return;const i=((r=n[o+1])==null?void 0:r.trim())||"";return(t=/.+ (.+) .+/.exec(i))==null?void 0:t[1]},Gp=(e,r={})=>(t,n,o)=... ... L6: `);const g=S.state[s];if(g==null)return;JSON.stringify(o.getState())!==JSON.stringify(g)&&h(g);return}o.dispatchFromDevtools&&typeof o.dispatch=="function"&&o.dispatch(S)});case"DI... L7: `;)t+=1;return t}function pc(e,r){let t=r+2;for(;t<e.length-1;){if(e[t]==="*"&&e[t+1]==="/")return t+1;t+=1}return e.length-1}function mc(e,r,t,n){let o=1,i=r+1;for(;i<e.length;){c... L8: * @license lucide-react v0.453.0 - ISC
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/chunks/switch-DRNqX0v0.jsView on unpkg · L1
6`);const g=S.state[s];if(g==null)return;JSON.stringify(o.getState())!==JSON.stringify(g)&&h(g);return}o.dispatchFromDevtools&&typeof o.dispatch=="function"&&o.dispatch(S)});case"DI... L7: `;)t+=1;return t}function pc(e,r){let t=r+2;for(;t<e.length-1;){if(e[t]==="*"&&e[t+1]==="/")return t+1;t+=1}return e.length-1}function mc(e,r,t,n){let o=1,i=r+1;for(;i<e.length;){c... L8: * @license lucide-react v0.453.0 - ISC
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/chunks/switch-DRNqX0v0.jsView on unpkg · L6
dist/types/index.cjsView file
1"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const e=require("../chunks/common-types-C73-Ud1-.js"),a={mode:"all"},E={tz:"UTC",weekStart:1,anchor:...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/types/index.cjsView on unpkg · L1
dist/chunks/index-OD6mLD7U.jsView file
path = dist/chunks/index-OD6mLD7U.js kind = oversized_source_file sizeBytes = 4797922 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chunks/index-OD6mLD7U.jsView on unpkg

Findings

3 High4 Medium5 Low
HighChild Processdist/chunks/switch-DRNqX0v0.js
HighSame File Env Network Executiondist/chunks/switch-DRNqX0v0.js
HighOversized Source Filedist/chunks/index-OD6mLD7U.js
MediumDynamic Requiredist/types/index.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/chunks/switch-DRNqX0v0.js
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings