registry  /  vue-spear-tip  /  0.6.32

vue-spear-tip@0.6.32

Vue 3 TypeScript Class Components with @Watch, Computed (as getter), @Prop decorators. And UI KIT on them.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. File transfer APIs are component features activated with consumer-supplied URLs.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer renders FilesArea and invokes configured download, preview, or upload behavior.
Impact
No unconsented package-side impact identified.
Mechanism
User-configured browser file transfer.
Rationale
The scanner's Trojan Source finding is a false positive: the inspected characters are U+200B caret placeholders in a bundled tag-input dependency, not directional overrides. The package contains ordinary Vue UI components; its network behavior is explicit, runtime, and driven by consumer-configured file endpoints.
Evidence
package.jsondist/vue-spear-tip.cjs.jsdist/SelectField-rFxG_MB7.cjsdist/FilesArea-ChdqaB2j.cjsdist/index-DJhJzeAi.cjsdist/.vite/manifest.jsonREADME.md

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks.
    • dist/vue-spear-tip.cjs.js only re-exports Vue library components.
    • dist/SelectField-rFxG_MB7.cjs zero-width characters are Tagify caret placeholders, not bidi controls.
    • dist/FilesArea-ChdqaB2j.cjs network calls use consumer-provided file URIs/uploadPath.
    • No Node filesystem, child-process, credential, or agent-control code found in shipped CJS modules.
    Behavioral surface
    Source
    ChildProcessCryptoEvalNetworkShell
    Supply chain
    HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 51 file(s), 8.12 MB of source, external domains: bun.com, developer.mozilla.org, github.com, nodejs.org, prosemirror.net, pugjs.org, sass-lang.com, stuk.github.io, tailwindcss.com, unocss.dev, vite.dev, w3c.github.io, www.npmjs.com, www.typescriptlang.org, www.w3.org

    Source & flagged code

    3 flagged · loading source
    docs/static/main-gedgkk0T.jsView file
    12<div id="sm-modal-prompt-error" class="text-danger" style="display: none; font-size: 11px"></div> L13: </div>`,po={...typeof Gn=="object"?Gn:{},id:Jn,content:(typeof Gn=="string"?Gn:Gn?.content??"")+co,onCancel:Gn?.onCancel,confirmCloseDisable:!0,onOpen(mo){let vo,bo;if(typeof Kn=="... L14: h2(class="absolute l-25 t-2 bg-stone-100 px9px py2px rounded-md") Result:
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    docs/static/main-gedgkk0T.jsView on unpkg · L12
    dist/SelectField-rFxG_MB7.cjsView file
    38contains invisible/control Unicode U+200B (zero width space) <U+200B>`);for(var d=a.nextSibling,u="";d;)u+=d.textContent,d=d.nextSibling;u.trim()&&F(a.previousSibling)}else a.previousSibling&&!T(a.previousSibling)||a.before("<U+200B>")}),s.removedNodes.forEach(function(a){a&&a.nodeName=="BR"&&z.call(
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/SelectField-rFxG_MB7.cjsView on unpkg · L38
    Trigger-reachable chain: manifest.main -> dist/vue-spear-tip.cjs.js -> dist/index-DJhJzeAi.cjs -> dist/SelectField-rFxG_MB7.cjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/SelectField-rFxG_MB7.cjsView on unpkg

    Findings

    2 Critical2 Medium6 Low
    CriticalTrojan Source Unicodedist/SelectField-rFxG_MB7.cjs
    CriticalTrigger Reachable Dangerous Capabilitydist/SelectField-rFxG_MB7.cjs
    MediumNetwork
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEvaldocs/static/main-gedgkk0T.js
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings