registry  /  @10stars/config  /  16.0.4

@10stars/config@16.0.4

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a developer configuration CLI with powerful but package-aligned, user-invoked project maintenance actions.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User explicitly runs the config CLI command, especially config prepare/run/killPort.
Impact
Can modify local project config, node_modules patches, symlinks, and package overrides when invoked by the user; no install-time persistence or exfiltration observed.
Mechanism
developer tooling that executes local commands and rewrites project config files
Rationale
The suspicious primitives are aligned with an explicitly invoked developer config CLI and are not delivered through npm install/import-time execution. Source inspection found no credential collection, network exfiltration, persistence, or unconsented foreign AI-agent control-surface mutation.
Evidence
package.jsonsrc/index.tssrc/vscode-config.tssrc/manage-overrides.tssrc/patch-vanilla-extract.tssrc/link-packages.tssrc/runner.ts.oxfmtrc.json.vscode/extensions.json.vscode/settings.jsonnode_modules/**/@vanilla-extract/integration/dist/*.jsnode_modules/@scope/package symlinks.git/COMMIT_EDITMSG

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/index.ts exposes user-invoked commands that run bunx tools, kill requested ports, and import local 10stars.config.
  • src/index.ts prepare action writes project config and calls husky/setup helpers when explicitly run.
  • src/manage-overrides.ts can rewrite package.json overrides and run bun install from the CLI prepare flow.
Evidence against
  • package.json has no install/postinstall/prepare lifecycle; only prepublishOnly for publisher-side checks.
  • package.json bin points to src/index.ts; behavior is CLI-activated, not import-time or install-time.
  • src/vscode-config.ts writes only .vscode/extensions.json and .vscode/settings.json with fixed editor settings.
  • src/patch-vanilla-extract.ts only patches installed @vanilla-extract integration files under node_modules.
  • No network fetch/exfiltration endpoints or credential harvesting found by source inspection.
  • No AI-agent control-surface files such as CLAUDE.md, .mcp.json, Codex/Cursor configs, or home-agent paths found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 7 file(s), 25.1 KB of source

Source & flagged code

4 flagged · loading source
src/vscode-config.tsView file
1import { execSync } from "node:child_process" L2: import fs from "node:fs/promises"
High
Child Process

Package source references child process execution.

src/vscode-config.tsView on unpkg · L1
src/link-packages.tsView file
21export const checkIsMonorepo = async (pathPkg: string) => { L22: const pkgJson = await import(path.join(pathPkg, `package.json`)) L23: return Boolean(pkgJson.workspaces)
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/link-packages.tsView on unpkg · L21
src/manage-overrides.tsView file
60console.info(`Written: ${pkgPath}`) L61: execSync(`bunx oxfmt ${pkgPath}`, { cwd, stdio: `inherit` }) L62:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/manage-overrides.tsView on unpkg · L60
src/index.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @10stars/config@16.0.2 matchedIdentity = npm:QDEwc3RhcnMvY29uZmln:16.0.2 similarity = 0.857 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/index.tsView on unpkg

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/index.ts
HighChild Processsrc/vscode-config.ts
HighShell
HighRuntime Package Installsrc/manage-overrides.ts
MediumDynamic Requiresrc/link-packages.ts
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License