AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The risky primitives are framework features for a Bun SSR server and are activated by user project templates, CLI commands, or runtime HTTP requests.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall hooks; main is src/index.js and bin is bin/cli.js.
- bin/cli.js only serves/builds/db-diffs user project roots; writes dist/, Dockerfile, and runs bun build only on explicit build command.
- src/sources.js fetches user-declared URLs, reads project globs, and imports project modules constrained under root.
- src/routes.js/src/render.js use AsyncFunction/new Function to run project templates, API files, and middleware at user request time.
- src/config.js resolves ENV.* config values locally; no credential harvesting or exfiltration path found.
- src/crud.js/schema.js handle app DB CRUD, auth hashing, schema creation, and seed import for declared project tables.
Source & flagged code
3 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
src/render.jsView on unpkg · L23Package source references dynamic require/import behavior.
src/server.jsView on unpkg · L426