registry  /  react-semaphor  /  0.1.423

react-semaphor@0.1.423

Fully interactive and customizable dashboards for your apps.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface. The package exposes dashboard runtime features that can load a configured component URL and call configured APIs.

Static reason
No blocking static signals were detected.
Trigger
Application runtime with user or host-supplied dashboard/component configuration
Impact
Configured hosts can execute their own remote component code in the consuming application's browser context; no hidden payload, host-file access, or package-driven exfiltration was established.
Mechanism
Dynamic module loading and authenticated dashboard API requests
Rationale
Source inspection found no lifecycle execution, Node host-control primitives, credential harvesting, persistence, or concealed exfiltration. Dynamic import and code-validation primitives are explicit dashboard customization features and are configuration-driven rather than a concrete malicious chain.
Evidence
package.jsondist/chunks/index-BPM3gDRw.jsdist/chunks/switch-DMT7qf_R.jsdist/chunks/index-yHe0SeLO.js

Decision evidence

public snapshot
AI called this Clean at 89.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/chunks/index-BPM3gDRw.js` loads a user-configured remote component URL via dynamic import.
  • `dist/chunks/switch-DMT7qf_R.js` validates custom visual code with `new Function`.
Evidence against
  • `package.json` has no npm lifecycle hooks and no `bin` entry.
  • No imports of Node filesystem, OS, path, or child-process modules found in `dist`.
  • Environment reads are limited to `NODE_ENV` and `JEST_WORKER_ID`.
  • Custom visual validation rejects fetch, XHR, WebSocket, dynamic imports, and external scripts.
  • Observed fetches use caller-supplied API service URLs and bearer tokens for dashboard features.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 92 file(s), 4.61 MB of source, external domains: 127.0.0.1, bit.ly, docs.semaphor.cloud, drafts.csswg.org, github.com, semaphor-data-app.localhost, stackoverflow.com, tanstack.com, unpkg.com, www.chartjs.org, www.w3.org
Oversized source lightweight scan
dist/chunks/index-BPM3gDRw.js3.27 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringstanstack.comwww.w3.org
dist/chunks/index-yHe0SeLO.js4.79 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringstanstack.com

Source & flagged code

5 flagged · loading source
dist/chunks/switch-DMT7qf_R.jsView file
136*/var t=function(n){var o=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,i=0,a={},s={manual:n.Prism&&n.Prism.manual,disableWorkerMessageHandler:n.Prism&&n.Prism.disableWorkerMessageHand... L137: `),b.hasAttribute("data-start")||b.setAttribute("data-start",String(T+1))}S.textContent=I,t.highlightElement(S)},function(I){b.setAttribute(s,u),S.textContent=I})}}),t.plugins.file... L138: `).length,[e]),b=Math.max(2,String(m).length),S=le.useId(),g=h??S,y=u??c;return x.jsxs("div",{className:`code-editor relative h-full min-h-0 overflow-auto font-mono text-[12px] lea...
High
Child Process

Package source references child process execution.

dist/chunks/switch-DMT7qf_R.jsView on unpkg · L136
1"use strict";const ve=require("./x-B6ghREd2.js"),x=require("react/jsx-runtime"),le=require("react");require("./analyze-result-contract-DpDcImgk.js");const pl=require("react-dom"),u... L2: `),o=n.findIndex(a=>a.includes("api.setState"));if(o<0)return;const i=((r=n[o+1])==null?void 0:r.trim())||"";return(t=/.+ (.+) .+/.exec(i))==null?void 0:t[1]},Gp=(e,r={})=>(t,n,o)=... ... L6: `);const g=S.state[s];if(g==null)return;JSON.stringify(o.getState())!==JSON.stringify(g)&&h(g);return}o.dispatchFromDevtools&&typeof o.dispatch=="function"&&o.dispatch(S)});case"DI... L7: `;)t+=1;return t}function pc(e,r){let t=r+2;for(;t<e.length-1;){if(e[t]==="*"&&e[t+1]==="/")return t+1;t+=1}return e.length-1}function mc(e,r,t,n){let o=1,i=r+1;for(;i<e.length;){c... L8: * @license lucide-react v0.453.0 - ISC
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/chunks/switch-DMT7qf_R.jsView on unpkg · L1
6`);const g=S.state[s];if(g==null)return;JSON.stringify(o.getState())!==JSON.stringify(g)&&h(g);return}o.dispatchFromDevtools&&typeof o.dispatch=="function"&&o.dispatch(S)});case"DI... L7: `;)t+=1;return t}function pc(e,r){let t=r+2;for(;t<e.length-1;){if(e[t]==="*"&&e[t+1]==="/")return t+1;t+=1}return e.length-1}function mc(e,r,t,n){let o=1,i=r+1;for(;i<e.length;){c... L8: * @license lucide-react v0.453.0 - ISC
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/chunks/switch-DMT7qf_R.jsView on unpkg · L6
dist/types/index.cjsView file
1"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const e=require("../chunks/common-types-C73-Ud1-.js"),a={mode:"all"},E={tz:"UTC",weekStart:1,anchor:...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/types/index.cjsView on unpkg · L1
dist/chunks/index-BPM3gDRw.jsView file
path = dist/chunks/index-BPM3gDRw.js kind = oversized_source_file sizeBytes = 3433625 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chunks/index-BPM3gDRw.jsView on unpkg

Findings

3 High4 Medium5 Low
HighChild Processdist/chunks/switch-DMT7qf_R.js
HighSame File Env Network Executiondist/chunks/switch-DMT7qf_R.js
HighOversized Source Filedist/chunks/index-BPM3gDRw.js
MediumDynamic Requiredist/types/index.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/chunks/switch-DMT7qf_R.js
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings