Security Audit Report

Security audit summary for the heroui-pro npm packages.

Audit scope

Package           | Version      | Type
------------------|--------------|--------------------------------------------
heroui-pro        | 1.0.0-beta.9 | CLI tool plus auth, CDN, and cache helpers
@heroui-pro/react | 1.0.0-beta.3 | React Pro component package
heroui-native-pro | 1.0.0-beta.3 | React Native Pro component package

Core conclusion

The installer is designed to fetch package tarballs and write generated files into the local project. The main operational risk is API key exposure, so keys must be handled as secrets.

Recommendations

  • Use scoped keys for teams and CI environments.
  • Store keys in secret managers.
  • Review generated files before committing.
  • Keep the installer package updated.
  • Rotate keys after personnel or infrastructure changes.