AI Security Review
scanned 2h ago · by lpm-firewall-aiNo package-owned malicious attack surface is confirmed. Dynamic code, networking, imports, and filesystem writes implement declared SSR application features and are activated by developer-authored project content or explicit CLI commands.
Decision evidence
public snapshot- src/page.js compiles project page <script> content with AsyncFunction at request time.
- src/sources.js fetches developer-declared URL sources and imports root-contained modules.
- bin/cli.js can remove and recreate the user project’s dist/ during explicit build.
- package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
- No hard-coded external endpoint, credential harvesting, shell execution, or agent-control-surface path was found.
- src/sources.js and src/jobs.js constrain module paths to the configured project root.
- bin/cli.js filesystem writes and Bun.spawnSync occur only under explicit CLI build commands.
- src/static.js blocks serving project config, databases, seed data, and server-side directories.
Source & flagged code
3 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
src/render.jsView on unpkg · L23Package source references dynamic require/import behavior.
src/server.jsView on unpkg · L494