registry  /  spark-ssr  /  1.2.0

spark-ssr@1.2.0

Zero-config SSR for spark-html on Bun. The HTML template infers everything: filesystem routing, layouts, <spark-ssr> declarative data (SQL, URLs, globs, modules), auto CRUD with validation, guards, no-JS forms, schema + seeds, live updates, SEO. Precompil

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Observed dynamic execution, fetch, filesystem, and process.env use are aligned with a Bun SSR framework and activated by user runtime or CLI commands.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports/runs spark-ssr server or invokes spark-ssr CLI commands.
Impact
No evidence of credential exfiltration, install-time mutation, persistence, destructive behavior outside explicit build output, or remote payload loading.
Mechanism
SSR framework runtime, configured data sources, API handlers, jobs, and build output generation.
Rationale
Static inspection shows scanner hits are expected framework features: user-authored template/API evaluation, configured fetch/mail sources, env-based config, and explicit build/db CLI actions. There are no lifecycle hooks, hardcoded external endpoints, credential harvesting, broad AI-agent control-surface writes, or unconsented install/import-time mutation.
Evidence
package.jsonbin/cli.jssrc/sources.jssrc/routes.jssrc/render.jssrc/jobs.jssrc/crud.jssrc/config.jssrc/static.jsdist/dist/__server.jsdist/Dockerfileproject files under pages/ components/ api/ seed/ content/ lib/ public/

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no npm lifecycle scripts; entrypoints are main ./src/index.js and user-run bin ./bin/cli.js.
    • bin/cli.js file writes/removes are limited to user project dist/ during explicit build; Bun.spawnSync invokes bun build only for that command.
    • src/sources.js fetch/import/readFile implement declared SSR URL, glob, and module data sources with root path containment checks.
    • src/routes.js and src/render.js dynamic Function/AsyncFunction compile project-authored templates, api/*.html, and middleware.html at runtime; no install-time execution.
    • src/jobs.js webhook fetch and mail module import are driven by spark.json configuration; no hardcoded exfiltration endpoint.
    • src/crud.js password handling hashes/removes auth-table passwords rather than harvesting secrets.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 19 file(s), 233 KB of source

    Source & flagged code

    3 flagged · loading source
    src/crud.jsView file
    128patternName = generic_password severity = medium line = 128 matchedText = if (!Str...ed';
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    src/crud.jsView on unpkg · L128
    src/render.jsView file
    23if (!fn) { L24: try { fn = new Function('__scope__', 'with (__scope__) { return (' + expr + '); }'); } L25: catch { fn = () => undefined; }
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    src/render.jsView on unpkg · L23
    src/server.jsView file
    435// Resolve from the APP's root, not this module's own location — a bare L436: // `import('spark-html-theme/init')` would resolve relative to L437: // server.js, which only works when the installer hoists the app's deps
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    src/server.jsView on unpkg · L435

    Findings

    4 Medium4 Low
    MediumSecret Patternsrc/crud.js
    MediumDynamic Requiresrc/server.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowEvalsrc/render.js
    LowFilesystem
    LowHigh Entropy Strings