registry  /  vercel  /  55.0.0

vercel@55.0.0

The command-line interface for Vercel

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The package is a Vercel CLI with user-invoked network, token, shell, curl, sandbox, skills, and MCP setup features aligned to its documented command surface.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs the vc/vercel CLI and selects commands/options.
Impact
No unconsented install-time execution, credential exfiltration, persistence, or foreign AI-agent control hijack confirmed.
Mechanism
legitimate CLI command execution and Vercel API interaction
Rationale
Scanner findings map to expected CLI behavior: Vercel API calls, explicit user-provided token handling, telemetry redaction, curl/sandbox/MCP/skills commands, and update checks. There are no lifecycle hooks or automatic broad agent-control writes, and highlighted risky primitives are guarded behind user-invoked CLI commands.
Evidence
package.jsondist/vc.jsdist/index.jsdist/commands-bulk.jsdist/chunks/chunk-X36ADWA5.jsdist/get-latest-worker.cjs
Network endpoints7
api.vercel.comregistry.npmjs.org/-/package/${name}/dist-tagsvercel.com/api/observability/agent-runsai-gateway.vercel.shmcp.vercel.comskills.sh/api/searchtelemetry.vercel.com/api/vercel-cli/v1/events

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json exposes only CLI bins vc/vercel and has no preinstall/install/postinstall lifecycle hooks.
    • dist/vc.js is a small CLI shim that handles --version/--help then imports dist/index.js; no install/import-time payload seen.
    • dist/index.js routes subcommands to commands-bulk.js and uses Vercel-aligned endpoints such as https://api.vercel.com and npm dist-tags for update checks.
    • dist/commands-bulk.js token/env handling is command-specific for Vercel Blob, curl trace, sandbox, tokens, and telemetry; no broad credential harvesting or external exfiltration found.
    • dist/commands-bulk.js MCP setup is explicit user-invoked vercel mcp behavior for Vercel MCP at https://mcp.vercel.com, not an npm lifecycle mutation.
    • child_process uses are for user-invoked curl, package-manager/update detection, MCP client setup, and skills command execution paths.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 127 file(s), 7.30 MB of source, external domains: 127.0.0.1, ai-gateway.vercel.sh, api.example.com, api.vercel.com, app.example.com, backend.internal, bitbucket.org, codeload.github.com, cursor.sh, dogs.are.great, err.sh, example.com, example.vercel.app, examples.vercel.sh, feross.org, fetch.spec.whatwg.org, gist.githubusercontent.com, github.com, gitlab.com, internal.example.com, mcp.vercel.com, mimesniff.spec.whatwg.org, mozilla.github.io, my-app-xxxxx.vercel.app, new-api.example.com, now.sh, openapi-internal.vercel.sh, openapi.vercel.sh, raw.githubusercontent.com, registry.npmjs.org, sites.google.com, stackoverflow.com, telemetry.vercel.com, tools.ietf.org, vercel.com, vercel.link, w3c.github.io, websockets.spec.whatwg.org, www.example.com, www.w3.org, your-project-abc123.vercel.app
    Oversized source lightweight scan
    dist/chunks/chunk-XHC5YRFY.js2.38 MB file, sampled 256 KB
    FilesystemNetworkChildProcessEnvironmentVarsEvalShellDynamicRequireHighEntropyStringsUrlStringsbitbucket.orgfeross.orggithub.comgitlab.comstackoverflow.comtools.ietf.orgvercel.comvercel.linkwww.w3.org

    Source & flagged code

    11 flagged · loading source
    dist/index.jsView file
    464import { dirname, parse as parsePath, resolve as resolvePath } from "path"; L465: import { spawn } from "child_process"; L466: var import_fetch_dist_tags = __toESM(require_fetch_dist_tags(), 1);
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L464
    2Cross-file remote execution chain: dist/index.js spawns dist/chunks/chunk-OX7KI3LF.js; helper contains network access plus dynamic code execution. L2: import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L118: if (stream == null) L119: stream = process.stdout; L120: if (callback == null) ... L141: var paths = __require("path"); L142: var isWinOS = /^win/i.test(process.platform); L143: function normalize_path(path2) { ... L188: const object = {}; L189: object.cache = () => process.env.XDG_CACHE_HOME || path2.join(osPaths.home() || osPaths.temp(), ".cache"); L190: object.config = () => process.env.XDG_CONFIG_HOME || path2.join(osPaths.home() || osPaths.temp(), ".config");
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/index.jsView on unpkg · L2
    dist/commands-bulk.jsView file
    2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L485: import { L486: require_execa L487: } from "./chunks/chunk-24FCBXI4.js"; ... L716: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L717: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L718: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L807: telemetry2.trackCliFlagHelp("agent"); L808: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L809: return 2;
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    dist/commands-bulk.jsView on unpkg · L2
    2Trigger-reachable chain: manifest.bin -> dist/vc.js -> dist/index.js -> dist/commands-bulk.js L2: import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L485: import { L486: require_execa L487: } from "./chunks/chunk-24FCBXI4.js"; ... L716: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L717: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L718: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L807: telemetry2.trackCliFlagHelp("agent"); L808: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L809: return 2;
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/commands-bulk.jsView on unpkg · L2
    485import { L486: require_execa L487: } from "./chunks/chunk-24FCBXI4.js";
    High
    Shell

    Package source references shell execution.

    dist/commands-bulk.jsView on unpkg · L485
    4682); L4683: const testUrl = `https://${deployment.url}${subpath}`; L4684: output_manager_default.log(`${import_chalk20.default.bold("Deployment URL:")} ${link_default(testUrl)}`); ... L4693: if (run3) { L4694: const proc = await (0, import_execa.default)(run3, [testUrl], { L4695: stdio: "inherit", ... L4697: env: { L4698: ...process.env, L4699: HOST: deployment.url,
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/commands-bulk.jsView on unpkg · L4682
    2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L485: import { L486: require_execa L487: } from "./chunks/chunk-24FCBXI4.js"; ... L716: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L717: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L718: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L807: telemetry2.trackCliFlagHelp("agent"); L808: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L809: return 2;
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    dist/commands-bulk.jsView on unpkg · L2
    2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L485: import { L486: require_execa L487: } from "./chunks/chunk-24FCBXI4.js"; ... L716: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L717: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L718: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L807: telemetry2.trackCliFlagHelp("agent"); L808: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L809: return 2;
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/commands-bulk.jsView on unpkg · L2
    dist/get-latest-worker.cjsView file
    16L17: const { mkdirSync, writeFileSync } = require('fs'); L18: const { access, mkdir, readFile, unlink, writeFile } = require('fs/promises');
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/get-latest-worker.cjsView on unpkg · L16
    dist/chunks/chunk-XHC5YRFY.jsView file
    path = dist/chunks/chunk-XHC5YRFY.js kind = oversized_source_file sizeBytes = 2491531 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/chunks/chunk-XHC5YRFY.jsView on unpkg
    dist/chunks/chunk-X36ADWA5.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = vercel@54.20.1 matchedIdentity = npm:dmVyY2Vs:54.20.1 similarity = 0.817 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/chunks/chunk-X36ADWA5.jsView on unpkg

    Findings

    3 Critical6 High5 Medium8 Low
    CriticalCredential Exfiltrationdist/commands-bulk.js
    CriticalTrigger Reachable Dangerous Capabilitydist/commands-bulk.js
    CriticalPrevious Version Dangerous Deltadist/chunks/chunk-X36ADWA5.js
    HighChild Processdist/index.js
    HighShelldist/commands-bulk.js
    HighSame File Env Network Executiondist/commands-bulk.js
    HighSandbox Evasion Gated Capabilitydist/commands-bulk.js
    HighCross File Remote Execution Contextdist/index.js
    HighOversized Source Filedist/chunks/chunk-XHC5YRFY.js
    MediumDynamic Requiredist/get-latest-worker.cjs
    MediumNetwork
    MediumEnvironment Vars
    MediumProtestware
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEval
    LowWeak Cryptodist/commands-bulk.js
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings