registry  /  vue-spear-tip  /  0.6.34

vue-spear-tip@0.6.34

⚠ Under review

Vue 3 TypeScript Class Components with @Watch, Computed (as getter), @Prop decorators. And UI KIT on them.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEvalNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 51 file(s), 8.12 MB of source, external domains: bun.com, developer.mozilla.org, github.com, nodejs.org, prosemirror.net, pugjs.org, sass-lang.com, stuk.github.io, tailwindcss.com, unocss.dev, vite.dev, w3c.github.io, www.npmjs.com, www.typescriptlang.org, www.w3.org

Source & flagged code

3 flagged · loading source
dist/FilesArea-BlitqjL_.cjsView file
13`,s=new Blob([E],{type:"text/html"});this.pdfUrl=URL.createObjectURL(s)}this.loading=!1}beforeUnmount(){this.pdfUrl&&URL.revokeObjectURL(this.pdfUrl)}},b(Fe,"PdfViewer"),Fe);Ze([Q.... L14: \0`,q+=l(P,2),q+=$.magic,q+=l(S,2),q+=l(D,2),q+=l(ee.crc32,4),q+=l(ee.compressedSize,4),q+=l(ee.uncompressedSize,4),q+=l(W.length,2),q+=l(f.length,2),{fileRecord:k.LOCAL_FILE_HEADE... L15: <br><div class="text-center"><b>&#8226; ${m.join("</b><br><b>&#8226; ")}</b><br>
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/FilesArea-BlitqjL_.cjsView on unpkg · L13
dist/SelectField-8t-KuLrQ.cjsView file
38contains invisible/control Unicode U+200B (zero width space) <U+200B>`);for(var d=a.nextSibling,u="";d;)u+=d.textContent,d=d.nextSibling;u.trim()&&F(a.previousSibling)}else a.previousSibling&&!T(a.previousSibling)||a.before("<U+200B>")}),s.removedNodes.forEach(function(a){a&&a.nodeName=="BR"&&z.call(
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/SelectField-8t-KuLrQ.cjsView on unpkg · L38
Trigger-reachable chain: manifest.main -> dist/vue-spear-tip.cjs.js -> dist/index-Dq78fBt5.cjs -> dist/SelectField-8t-KuLrQ.cjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/SelectField-8t-KuLrQ.cjsView on unpkg

Findings

2 Critical2 Medium6 Low
CriticalTrojan Source Unicodedist/SelectField-8t-KuLrQ.cjs
CriticalTrigger Reachable Dangerous Capabilitydist/SelectField-8t-KuLrQ.cjs
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/FilesArea-BlitqjL_.cjs
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings