registry  /  vue-spear-tip  /  0.6.26

vue-spear-tip@0.6.26

Vue 3 TypeScript Class Components with @Watch, Computed (as getter), @Prop decorators. And UI KIT on them.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Runtime network behavior is limited to component file upload/download features controlled by the consuming app.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User interaction with Vue components, especially FilesArea upload/download/view actions
Impact
No credential theft, persistence, remote payload execution, or install-time mutation identified
Mechanism
Package-aligned frontend component behavior
Rationale
Static source inspection shows a Vue component library with bundled UI dependencies and user-driven upload/download code, not install-time or import-time attack behavior. Scanner findings appear to be noisy matches on browser APIs, bundled libraries, and minified artifacts.
Evidence
package.jsondist/vue-spear-tip.cjs.jsdist/vue-spear-tip.es.jsdist/FilesArea-DvLk50rV.jsdist/FilesArea-DY0W_C4Z.cjsdocs/static/FilesArea-DH7ifHSz.jsdist/SelectField-BEhDHa74.jsdist/SelectField-Ce-ksjur.cjs

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; scripts are dev/build only.
    • Entrypoints dist/vue-spear-tip.cjs.js and dist/vue-spear-tip.es.js only re-export Vue components/helpers.
    • dist/FilesArea-DvLk50rV.js network use is user-invoked file upload/download via props uploadPath, uploadHeaders, and file.uri.
    • No source evidence of child_process, fs access, credential/env harvesting, persistence, or AI-agent control-surface writes.
    • Scanner unicode/control-character hits align with bundled/minified JSZip/binary-signature strings, not hidden control flow.
    • SelectField files implement bundled Tagify/select UI behavior; timeout/hook code is UI event handling.
    Behavioral surface
    Source
    ChildProcessCryptoEvalNetworkShell
    Supply chain
    HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 51 file(s), 8.12 MB of source, external domains: bun.com, developer.mozilla.org, github.com, nodejs.org, prosemirror.net, pugjs.org, sass-lang.com, stuk.github.io, tailwindcss.com, unocss.dev, vite.dev, w3c.github.io, www.npmjs.com, www.typescriptlang.org, www.w3.org

    Source & flagged code

    3 flagged · loading source
    docs/static/FilesArea-DH7ifHSz.jsView file
    13`,a=new Blob([k],{type:"text/html"});this.pdfUrl=URL.createObjectURL(a)}this.loading=!1}beforeUnmount(){this.pdfUrl&&URL.revokeObjectURL(this.pdfUrl)}},b(Ze,"PdfViewer"),Ze);ht([se... L14: \0`,q+=o(P,2),q+=L.magic,q+=o(E,2),q+=o(D,2),q+=o(ee.crc32,4),q+=o(ee.compressedSize,4),q+=o(ee.uncompressedSize,4),q+=o(W.length,2),q+=o(u.length,2),{fileRecord:_.LOCAL_FILE_HEADE... L15: <br><div class="text-center"><b>&#8226; ${p.join("</b><br><b>&#8226; ")}</b><br>
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    docs/static/FilesArea-DH7ifHSz.jsView on unpkg · L13
    dist/SelectField-BEhDHa74.jsView file
    946contains invisible/control Unicode U+200B (zero width space) <U+200B>`);
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/SelectField-BEhDHa74.jsView on unpkg · L946
    dist/SelectField-Ce-ksjur.cjsView file
    Trigger-reachable chain: manifest.main -> dist/vue-spear-tip.cjs.js -> dist/index-Dxo3fKNO.cjs -> dist/SelectField-Ce-ksjur.cjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/SelectField-Ce-ksjur.cjsView on unpkg

    Findings

    2 Critical2 Medium6 Low
    CriticalTrojan Source Unicodedist/SelectField-BEhDHa74.js
    CriticalTrigger Reachable Dangerous Capabilitydist/SelectField-Ce-ksjur.cjs
    MediumNetwork
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEvaldocs/static/FilesArea-DH7ifHSz.js
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings