registry  /  spark-ssr  /  1.3.0

spark-ssr@1.3.0

Zero-config SSR for spark-html on Bun. The HTML template infers everything: filesystem routing, layouts, <spark-ssr> declarative data (SQL, URLs, globs, modules), auto CRUD with validation, guards, no-JS forms, schema + seeds, live updates, SEO. Precompil

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious package attack surface was established. Runtime network, filesystem, and dynamic-code features implement the documented SSR framework for the user’s project.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit CLI use or runtime serving of a user project.
Impact
No package-originated exfiltration, persistence, or unconsented install-time mutation found.
Mechanism
Project-defined routes, URL sources, modules, and build output.
Rationale
The flagged primitives are explicit SSR framework capabilities activated by user project content or CLI commands. Source inspection found no lifecycle execution or concrete malicious chain.
Evidence
package.jsonbin/cli.jssrc/server.jssrc/sources.jssrc/routes.jssrc/static.jssrc/jobs.jssrc/config.jssrc/db.jssrc/request.js

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hook.
    • bin/cli.js performs build and filesystem writes only after explicit CLI commands.
    • src/sources.js fetches URLs and imports modules supplied by the hosted app configuration.
    • src/routes.js compiles server scripts from the hosted app's api/middleware files, not package payloads.
    • No fixed external endpoint, credential harvesting, AI-agent mutation, or stealth persistence found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 20 file(s), 248 KB of source

    Source & flagged code

    3 flagged · loading source
    src/crud.jsView file
    128patternName = generic_password severity = medium line = 128 matchedText = if (!Str...ed';
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    src/crud.jsView on unpkg · L128
    src/render.jsView file
    23if (!fn) { L24: try { fn = new Function('__scope__', 'with (__scope__) { return (' + expr + '); }'); } L25: catch { fn = () => undefined; }
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    src/render.jsView on unpkg · L23
    src/server.jsView file
    493// Resolve from the APP's root, not this module's own location — a bare L494: // `import('spark-html-theme/init')` would resolve relative to L495: // server.js, which only works when the installer hoists the app's deps
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    src/server.jsView on unpkg · L493

    Findings

    4 Medium4 Low
    MediumSecret Patternsrc/crud.js
    MediumDynamic Requiresrc/server.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowEvalsrc/render.js
    LowFilesystem
    LowHigh Entropy Strings