AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Observed dynamic execution, fetch, filesystem, and process.env use are aligned with a Bun SSR framework and activated by user runtime or CLI commands.
Decision evidence
public snapshot- package.json has no npm lifecycle scripts; entrypoints are main ./src/index.js and user-run bin ./bin/cli.js.
- bin/cli.js file writes/removes are limited to user project dist/ during explicit build; Bun.spawnSync invokes bun build only for that command.
- src/sources.js fetch/import/readFile implement declared SSR URL, glob, and module data sources with root path containment checks.
- src/routes.js and src/render.js dynamic Function/AsyncFunction compile project-authored templates, api/*.html, and middleware.html at runtime; no install-time execution.
- src/jobs.js webhook fetch and mail module import are driven by spark.json configuration; no hardcoded exfiltration endpoint.
- src/crud.js password handling hashes/removes auth-table passwords rather than harvesting secrets.
Source & flagged code
3 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
src/render.jsView on unpkg · L23Package source references dynamic require/import behavior.
src/server.jsView on unpkg · L435