registry  /  srvx-nightly  /  0.11.19

srvx-nightly@0.11.19

Universal Server.

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The suspicious primitives are user-invoked server, loader, static-file, TLS, and fetch CLI functionality expected for this package.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the srvx CLI or imports a runtime adapter.
Impact
No unconsented exfiltration, persistence, destructive action, or install-time execution identified.
Mechanism
User-directed HTTP server/fetch tooling with dynamic loading of local server entrypoints.
Rationale
Static inspection shows srvx-nightly is a server framework/CLI with expected child process, dynamic import, env-file, and network primitives gated by explicit CLI/import use. There are no lifecycle hooks or concrete indicators of malware behavior.
Evidence
package.jsonbin/srvx.mjsdist/cli.mjsdist/loader.mjsdist/static.mjsdist/adapters/node.mjsdist/adapters/bun.mjsdist/adapters/deno.mjs.env.env.production.env.localpublic/user-specified --entryuser-specified @fileuser-specified TLS cert/key

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/cli.mjs imports node:child_process fork for dev/watch CLI re-exec.
  • dist/cli.mjs fetch mode can request a user-supplied remote URL.
  • dist/loader.mjs dynamically imports the user-selected server entry file.
  • dist/cli.mjs can load .env files and read @file request bodies when explicitly invoked.
Evidence against
  • package.json has no install/postinstall lifecycle hooks.
  • bin/srvx.mjs only imports dist/cli.mjs and calls main for the srvx CLI.
  • dist/cli.mjs child process target is its own bin with forwarded CLI args and runtime flags.
  • dist/loader.mjs dynamic import is for local server entrypoints such as server.ts/js.
  • No credential harvesting, hardcoded exfiltration endpoint, persistence, or destructive writes found.
  • Network behavior is aligned with a universal server/CLI curl feature.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 19 file(s), 84.0 KB of source, external domains: github.com, srvx.h3.dev

Source & flagged code

4 flagged · loading source
dist/cli.mjsView file
4import { fileURLToPath } from "node:url"; L5: import { fork } from "node:child_process"; L6: import { createReadStream, existsSync, statSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/cli.mjsView on unpkg · L4
372async function forkCLI(args, runtimeArgs) { L373: const child = fork(fileURLToPath(globalThis.__SRVX_BIN__ || new URL("../bin/srvx.mjs", import.meta.url)), [...args], { execArgv: [...process.execArgv, ...runtimeArgs].filter(Boolea... L374: child.on("error", (error) => {
High
Shell

Package source references shell execution.

dist/cli.mjsView on unpkg · L372
4Cross-file remote execution chain: dist/cli.mjs spawns dist/loader.mjs; helper contains network access plus dynamic code execution. L4: import { fileURLToPath } from "node:url"; L5: import { fork } from "node:child_process"; L6: import { createReadStream, existsSync, statSync } from "node:fs"; ... L11: try { L12: if (!process.env.NODE_ENV) process.env.NODE_ENV = cliOpts.prod ? "production" : "development"; L13: let server; ... L90: } L91: async function cliFetch(cliOpts) { L92: const stdin = cliOpts.stdin || process.stdin; L93: const stdout = cliOpts.stdout || process.stdout; L94: const stderr = cliOpts.stderr || process.stderr; ... L103: if (cliOpts.verbose && loaded.url) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.mjsView on unpkg · L4
dist/loader.mjsView file
41if (opts.interceptHttpListen !== false) { L42: const loaded = await interceptListen(() => import(url), opts); L43: mod = loaded.res;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/loader.mjsView on unpkg · L41

Findings

3 High4 Medium4 Low
HighChild Processdist/cli.mjs
HighShelldist/cli.mjs
HighCross File Remote Execution Contextdist/cli.mjs
MediumDynamic Requiredist/loader.mjs
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings