registry  /  spark-ssr  /  1.3.3

spark-ssr@1.3.3

Zero-config SSR for spark-html on Bun. The HTML template infers everything: filesystem routing, layouts, <spark-ssr> declarative data (SQL, URLs, globs, modules), auto CRUD with validation, guards, no-JS forms, schema + seeds, live updates, SEO. Precompil

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No package-owned malicious attack surface is confirmed. Dynamic code, networking, imports, and filesystem writes implement declared SSR application features and are activated by developer-authored project content or explicit CLI commands.

Static reason
One or more suspicious static signals were detected.
Trigger
Developer runs the CLI/server or supplies page, job, module, URL, and mail configuration.
Impact
No unconsented install-time execution, exfiltration, persistence, or foreign control-surface mutation found.
Mechanism
Project-scoped SSR rendering, data loading, jobs, and build assembly.
Rationale
The flagged primitives are intentional framework capabilities scoped to a developer’s project configuration and runtime. Source inspection found no lifecycle execution or concrete malicious chain.
Evidence
package.jsonbin/cli.jssrc/config.jssrc/jobs.jssrc/page.jssrc/request.jssrc/render.jssrc/sources.jssrc/static.jsdist/uploads/

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/page.js compiles project page <script> content with AsyncFunction at request time.
  • src/sources.js fetches developer-declared URL sources and imports root-contained modules.
  • bin/cli.js can remove and recreate the user project’s dist/ during explicit build.
Evidence against
  • package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
  • No hard-coded external endpoint, credential harvesting, shell execution, or agent-control-surface path was found.
  • src/sources.js and src/jobs.js constrain module paths to the configured project root.
  • bin/cli.js filesystem writes and Bun.spawnSync occur only under explicit CLI build commands.
  • src/static.js blocks serving project config, databases, seed data, and server-side directories.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 251 KB of source

Source & flagged code

3 flagged · loading source
src/crud.jsView file
138patternName = generic_password severity = medium line = 138 matchedText = if (!Str...ed';
Medium
Secret Pattern

Package contains a possible secret pattern.

src/crud.jsView on unpkg · L138
src/render.jsView file
23if (!fn) { L24: try { fn = new Function('__scope__', 'with (__scope__) { return (' + expr + '); }'); } L25: catch { fn = () => undefined; }
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/render.jsView on unpkg · L23
src/server.jsView file
494// Resolve from the APP's root, not this module's own location — a bare L495: // `import('spark-html-theme/init')` would resolve relative to L496: // server.js, which only works when the installer hoists the app's deps
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/server.jsView on unpkg · L494

Findings

4 Medium4 Low
MediumSecret Patternsrc/crud.js
MediumDynamic Requiresrc/server.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvalsrc/render.js
LowFilesystem
LowHigh Entropy Strings