registry  /  @10stars/config  /  16.1.0

@10stars/config@16.1.0

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a shareable developer config CLI with explicit commands that edit local project config and run formatter/linter/package-manager tools.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit user invocation of `config <command>` or a consuming project choosing to call `config prepare`
Impact
Local project configuration changes and developer command execution; no evidence of stealth persistence, exfiltration, or install-time compromise
Mechanism
developer tooling CLI with local config writes and command execution
Rationale
Static inspection found dangerous primitives, but they are package-aligned developer tooling paths activated by explicit CLI commands and not by npm install hooks. No credential access, exfiltration, remote payload loading, or unconsented broad AI-agent control-surface mutation was found.
Evidence
package.jsonsrc/index.tssrc/runner.tssrc/manage-overrides.tssrc/vscode-config.tssrc/link-packages.tssrc/vanilla-extract/patch-vanilla-extract.tssrc/vanilla-extract/manage-side-effects.tsreadme.md.oxfmtrc.json.vscode/extensions.json.vscode/settings.jsonnode_modules/**/@vanilla-extract/integration/dist/*.jsnode_modules/<linked package>

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • src/index.ts exposes user-invoked execSync wrappers and killPort command
  • src/runner.ts runs user-supplied commands via Bun.spawn for `config run`
  • src/vanilla-extract/patch-vanilla-extract.ts rewrites installed @vanilla-extract integration files during `prepare` command
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly
  • CLI actions are explicit user commands through bin `config`, not import-time execution
  • No network clients, URLs, credential harvesting, or exfiltration endpoints found by rg/source inspection
  • Project writes are package-aligned config maintenance: .vscode, package.json overrides, sideEffects, local symlinks, formatter config
  • Runtime package install in src/manage-overrides.ts is conditional after package.json override changes during user-invoked prepare
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 8 file(s), 28.4 KB of source

Source & flagged code

4 flagged · loading source
src/vscode-config.tsView file
1import { execSync } from "node:child_process" L2: import fs from "node:fs/promises"
High
Child Process

Package source references child process execution.

src/vscode-config.tsView on unpkg · L1
src/link-packages.tsView file
21export const checkIsMonorepo = async (pathPkg: string) => { L22: const pkgJson = await import(path.join(pathPkg, `package.json`)) L23: return Boolean(pkgJson.workspaces)
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/link-packages.tsView on unpkg · L21
src/manage-overrides.tsView file
60console.info(`Written: ${pkgPath}`) L61: execSync(`bunx oxfmt ${pkgPath}`, { cwd, stdio: `inherit` }) L62:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/manage-overrides.tsView on unpkg · L60
src/index.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @10stars/config@16.0.4 matchedIdentity = npm:QDEwc3RhcnMvY29uZmln:16.0.4 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/index.tsView on unpkg

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/index.ts
HighChild Processsrc/vscode-config.ts
HighShell
HighRuntime Package Installsrc/manage-overrides.ts
MediumDynamic Requiresrc/link-packages.ts
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License