registry  /  @10stars/config  /  16.0.0

@10stars/config@16.0.0

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a developer configuration CLI with user-invoked commands that can format, lint, typecheck, update project config, run user-provided commands, or kill requested ports.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit CLI invocation such as config prepare, lint, run, or killPort
Impact
User-invoked project configuration changes and local process management; no evidence of unconsented install-time execution or exfiltration.
Mechanism
developer tooling command runner and project config writer
Rationale
Static inspection shows risky primitives are aligned with an explicit developer tooling CLI, not install-time malware: shell execution, package install, symlinks, and port killing are only reached through user-selected commands. There are no network endpoints, credential collection, persistence hooks beyond user-invoked husky setup, or foreign AI-agent control-surface mutations.
Evidence
package.jsonsrc/index.tssrc/vscode-config.tssrc/manage-overrides.tssrc/link-packages.tssrc/runner.ts.oxfmtrc.json.vscode/extensions.json.vscode/settings.jsonnode_modules/<linked-package>

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepublishOnly; no install/postinstall/prepare lifecycle for consumers
    • src/index.ts CLI dispatch requires explicit command and prints help by default
    • src/index.ts prepare is user-invoked and skips in CI; it runs husky, VSCode setup, overrides, and optional local package linking
    • src/vscode-config.ts writes only project .vscode/extensions.json and settings.json with editor config
    • src/manage-overrides.ts edits project package.json overrides and runs bun install only during explicit prepare
    • No network endpoints, credential harvesting, AI-agent control-surface writes, or import-time payload found
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
    Supply chainNo supply-chain packaging signals triggered.
    Manifest
    NoLicense
    scanned 6 file(s), 22.5 KB of source

    Source & flagged code

    4 flagged · loading source
    src/vscode-config.tsView file
    1import { execSync } from "node:child_process" L2: import fs from "node:fs/promises"
    High
    Child Process

    Package source references child process execution.

    src/vscode-config.tsView on unpkg · L1
    src/link-packages.tsView file
    21export const checkIsMonorepo = async (pathPkg: string) => { L22: const pkgJson = await import(path.join(pathPkg, `package.json`)) L23: return Boolean(pkgJson.workspaces)
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    src/link-packages.tsView on unpkg · L21
    src/manage-overrides.tsView file
    60console.info(`Written: ${pkgPath}`) L61: execSync(`bunx oxfmt ${pkgPath}`, { cwd, stdio: `inherit` }) L62:
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    src/manage-overrides.tsView on unpkg · L60
    src/index.tsView file
    matchType = previous_version_dangerous_delta matchedPackage = @10stars/config@15.6.4 matchedIdentity = npm:QDEwc3RhcnMvY29uZmln:15.6.4 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    src/index.tsView on unpkg

    Findings

    1 Critical3 High3 Medium4 Low
    CriticalPrevious Version Dangerous Deltasrc/index.ts
    HighChild Processsrc/vscode-config.ts
    HighShell
    HighRuntime Package Installsrc/manage-overrides.ts
    MediumDynamic Requiresrc/link-packages.ts
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowNo License