registry  /  spark-ssr  /  1.1.1

spark-ssr@1.1.1

Zero-config SSR for spark-html on Bun. The HTML template infers everything: filesystem routing, layouts, <spark-ssr> declarative data (SQL, URLs, globs, modules), auto CRUD with validation, guards, no-JS forms, schema + seeds, live updates, SEO. Precompil

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The risky primitives are framework features for a Bun SSR server and are activated by user project templates, CLI commands, or runtime HTTP requests.

Static reason
One or more suspicious static signals were detected.
Trigger
User invokes spark-ssr CLI or imports serve() for a project.
Impact
Package-aligned server behavior; no install-time mutation, persistence, credential exfiltration, or remote payload execution found in package source.
Mechanism
SSR framework with project-file routing, user-declared fetch/module/script execution, DB CRUD, uploads, and build output generation.
Rationale
Static inspection shows a Bun SSR framework whose dynamic imports, fetches, code generation, DB access, uploads, and filesystem writes are package-aligned and user/project-driven. There are no lifecycle hooks, hidden network endpoints, credential harvesting, AI-agent control-surface writes, or unconsented install/import-time behavior indicating malware.
Evidence
package.jsonbin/cli.jssrc/server.jssrc/sources.jssrc/routes.jssrc/render.jssrc/request.jssrc/config.jssrc/crud.jssrc/schema.jssrc/jobs.jsdist/dist/__server.jsdist/Dockerfileuploads/spark.jsonproject pages/api/middleware/seed/content/lib files

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; main is src/index.js and bin is bin/cli.js.
    • bin/cli.js only serves/builds/db-diffs user project roots; writes dist/, Dockerfile, and runs bun build only on explicit build command.
    • src/sources.js fetches user-declared URLs, reads project globs, and imports project modules constrained under root.
    • src/routes.js/src/render.js use AsyncFunction/new Function to run project templates, API files, and middleware at user request time.
    • src/config.js resolves ENV.* config values locally; no credential harvesting or exfiltration path found.
    • src/crud.js/schema.js handle app DB CRUD, auth hashing, schema creation, and seed import for declared project tables.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 19 file(s), 229 KB of source

    Source & flagged code

    3 flagged · loading source
    src/crud.jsView file
    128patternName = generic_password severity = medium line = 128 matchedText = if (!Str...ed';
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    src/crud.jsView on unpkg · L128
    src/render.jsView file
    23if (!fn) { L24: try { fn = new Function('__scope__', 'with (__scope__) { return (' + expr + '); }'); } L25: catch { fn = () => undefined; }
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    src/render.jsView on unpkg · L23
    src/server.jsView file
    426// Resolve from the APP's root, not this module's own location — a bare L427: // `import('spark-html-theme/init')` would resolve relative to L428: // server.js, which only works when the installer hoists the app's deps
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    src/server.jsView on unpkg · L426

    Findings

    4 Medium4 Low
    MediumSecret Patternsrc/crud.js
    MediumDynamic Requiresrc/server.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowEvalsrc/render.js
    LowFilesystem
    LowHigh Entropy Strings