registry  /  vue-spear-tip  /  0.6.31

vue-spear-tip@0.6.31

Vue 3 TypeScript Class Components with @Watch, Computed (as getter), @Prop decorators. And UI KIT on them.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime networking is an explicit file-upload component action directed to the consuming application's configured endpoint.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A consuming application renders FilesArea and a user initiates file upload.
Impact
Uploads selected files to the consumer-configured server; no package-controlled endpoint, credential harvesting, persistence, or remote payload chain was found.
Mechanism
User-triggered XMLHttpRequest to configured uploadPath.
Rationale
Static inspection indicates a Vue UI component package with caller-configured file upload and browser-local component persistence. Scanner hits derive from bundled dependencies and benign UI behavior; no concrete malicious chain was found.
Evidence
package.jsondist/vue-spear-tip.es.jsdist/vue-spear-tip.cjs.jsdist/FilesArea-BU5HNYTm.jsdist/SelectField-B1Y2Fpx6.jsdist/TextField-BmyvM2dZ.jsdist/index--nWsnz6x.jsdist/index-CXxDalwu.cjsdist/FilesArea-BI-2pgWB.cjsdist/SelectField-CD7n4IhA.cjs

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with high false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall/prepare hooks.
    • Entrypoints only export Vue components from `dist/index--nWsnz6x.js` / `dist/index-CXxDalwu.cjs`.
    • `dist/FilesArea-BU5HNYTm.js` posts user-selected files only to caller-provided `uploadPath`.
    • `dist/SelectField-B1Y2Fpx6.js` uses localStorage solely for component state persistence.
    • Dynamic `Function`/`eval` matches are bundled library compatibility/global-detection code, not payload execution.
    • Six invisible characters in `dist/TextField-BmyvM2dZ.js` occur in editor/docs/entity data; no bidi override controls found.
    Behavioral surface
    Source
    ChildProcessCryptoEvalNetworkShell
    Supply chain
    HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 51 file(s), 8.12 MB of source, external domains: bun.com, developer.mozilla.org, github.com, nodejs.org, prosemirror.net, pugjs.org, sass-lang.com, stuk.github.io, tailwindcss.com, unocss.dev, vite.dev, w3c.github.io, www.npmjs.com, www.typescriptlang.org, www.w3.org

    Source & flagged code

    3 flagged · loading source
    dist/FilesArea-BI-2pgWB.cjsView file
    13`,s=new Blob([E],{type:"text/html"});this.pdfUrl=URL.createObjectURL(s)}this.loading=!1}beforeUnmount(){this.pdfUrl&&URL.revokeObjectURL(this.pdfUrl)}},b(Fe,"PdfViewer"),Fe);Ze([Q.... L14: \0`,q+=l(P,2),q+=$.magic,q+=l(S,2),q+=l(D,2),q+=l(ee.crc32,4),q+=l(ee.compressedSize,4),q+=l(ee.uncompressedSize,4),q+=l(W.length,2),q+=l(f.length,2),{fileRecord:k.LOCAL_FILE_HEADE... L15: <br><div class="text-center"><b>&#8226; ${m.join("</b><br><b>&#8226; ")}</b><br>
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/FilesArea-BI-2pgWB.cjsView on unpkg · L13
    dist/TextField-BmyvM2dZ.jsView file
    1585contains invisible/control Unicode U+200B (zero width space) Get the _n_<U+200B>th outgoing edge from this node in the finite
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/TextField-BmyvM2dZ.jsView on unpkg · L1585
    dist/SelectField-CD7n4IhA.cjsView file
    Trigger-reachable chain: manifest.main -> dist/vue-spear-tip.cjs.js -> dist/index-CXxDalwu.cjs -> dist/SelectField-CD7n4IhA.cjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/SelectField-CD7n4IhA.cjsView on unpkg

    Findings

    2 Critical2 Medium6 Low
    CriticalTrojan Source Unicodedist/TextField-BmyvM2dZ.js
    CriticalTrigger Reachable Dangerous Capabilitydist/SelectField-CD7n4IhA.cjs
    MediumNetwork
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEvaldist/FilesArea-BI-2pgWB.cjs
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings