registry  /  @apex-stack/core  /  0.15.0

@apex-stack/core@0.15.0

The full-stack meta-framework for Alpine.js — CLI and runtime

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a framework CLI/runtime with user-invoked scaffolding, build, dev server, MCP inspection, self-update, and optional VS Code syntax extension installation.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs apex commands such as new, upgrade, dev, start, build, mcp, or passes --vscode.
Impact
Creates or updates project files and optionally installs dependencies or a bundled syntax extension; no unconsented install-time execution or exfiltration observed.
Mechanism
User-invoked CLI project mutation and package-aligned npm/editor commands
Rationale
Static inspection shows no lifecycle hooks or import-time malicious behavior; the flagged child_process, npm install, network, and VSIX behaviors are explicit CLI features aligned with a framework scaffold/update workflow. The bundled VSIX is a declarative syntax-highlighting extension and is installed only through a prompt or explicit flag.
Evidence
package.jsondist/cli.jsdist/upgrade-3PQYAMDO.jsdist/chunk-TWAGSGFN.jsdist/mcp-CH7L4GF3.jsvscode/apex-alpine.vsixtemplates/defaultvscode/version.txt
Network endpoints4
localhost:3000localhost:3000/mcpapexjs.sitegithub.com/andrecorugda/apexjs

Decision evidence

public snapshot
AI called this Clean at 87.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/upgrade-3PQYAMDO.js can run npm view/install during explicit apex upgrade self-update flow
  • dist/chunk-TWAGSGFN.js can install bundled vscode/apex-alpine.vsix into detected editors after prompt or --vscode
  • dist/cli.js scaffolds projects, runs package manager install, and initializes git when user runs apex new
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • CLI entry dist/cli.js only dispatches subcommands; risky actions are user-invoked
  • vscode/apex-alpine.vsix contains declarative language grammar files and no extension main/activation script
  • No credential harvesting, broad filesystem scanning, remote payload download, or exfiltration endpoint found
  • Network use is package-aligned: npm version checks/installs and localhost MCP client/server URLs
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 30 file(s), 133 KB of source

Source & flagged code

8 flagged · loading source
dist/upgrade-3PQYAMDO.jsView file
12// src/commands/upgrade.ts L13: import { spawnSync as spawnSync2 } from "child_process"; L14: import { existsSync, mkdirSync, readdirSync, readFileSync, writeFileSync } from "fs";
High
Child Process

Package source references child process execution.

dist/upgrade-3PQYAMDO.jsView on unpkg · L12
46} L47: async function maybeSelfUpdate(reexecArgv, choice) { L48: if (choice === false) return false;
High
Shell

Package source references shell execution.

dist/upgrade-3PQYAMDO.jsView on unpkg · L46
44function installGlobalLatest() { L45: return spawnSync("npm", ["install", "-g", `${PKG}@latest`], { stdio: "inherit", shell: WIN }).status === 0; L46: } ... L58: if (!yes) { L59: log(` ${color.gray("Skipped. Update later with")} ${color.cyan(`npm i -g ${PKG}@latest`)} L60: `);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/upgrade-3PQYAMDO.jsView on unpkg · L44
dist/start-EYOIPHWS.jsView file
59const publicConfig = runtimeConfig.public ?? {}; L60: const importServer = (relFile) => import(pathToFileURL(join(dir, "server", relFile)).href); L61: const registry = {};
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/start-EYOIPHWS.jsView on unpkg · L59
vscode/apex-alpine.vsixView file
path = vscode/apex-alpine.vsix kind = high_entropy_blob sizeBytes = 33222 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

vscode/apex-alpine.vsixView on unpkg
path = vscode/apex-alpine.vsix kind = compressed_blob sizeBytes = 33222 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

vscode/apex-alpine.vsixView on unpkg
path = vscode/apex-alpine.vsix kind = nested_archive_needs_inspection sizeBytes = 33222 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

vscode/apex-alpine.vsixView on unpkg
dist/server-44DKXG7P.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @apex-stack/core@0.8.3 matchedIdentity = npm:QGFwZXgtc3RhY2svY29yZQ:0.8.3 similarity = 0.643 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server-44DKXG7P.jsView on unpkg

Findings

1 Critical4 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/server-44DKXG7P.js
HighChild Processdist/upgrade-3PQYAMDO.js
HighShelldist/upgrade-3PQYAMDO.js
HighRuntime Package Installdist/upgrade-3PQYAMDO.js
HighShips High Entropy Blobvscode/apex-alpine.vsix
MediumDynamic Requiredist/start-EYOIPHWS.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobvscode/apex-alpine.vsix
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNested Archive Needs Inspectionvscode/apex-alpine.vsix