registry  /  @apex-stack/core  /  0.24.0

@apex-stack/core@0.24.0

The full-stack meta-framework for Alpine.js — CLI and runtime

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Process and filesystem actions are tied to explicit CLI scaffold, upgrade, extension-install, and MCP-server commands.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes apex commands or explicitly starts apex mcp-server.
Impact
May modify the selected project or globally update the package only when the corresponding command and confirmation/options are used; no covert behavior established.
Mechanism
User-directed project scaffolding, upgrades, editor extension installation, and local stdio MCP tooling.
Rationale
Scanner signals map to a framework CLI's explicit commands and a declarative VS Code syntax extension. Source inspection found no install-time execution, secret collection, exfiltration, stealth persistence, or foreign AI-agent control-surface mutation.
Evidence
package.jsondist/cli.jsdist/upgrade-363YDSK6.jsdist/chunk-TWAGSGFN.jsdist/mcp-server-A3NNCBI4.jsvscode/apex-alpine.vsix

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hook.
    • dist/cli.js only runs scaffolding, git, and dependency installation after explicit apex new options.
    • dist/upgrade-363YDSK6.js self-updates only a global install after an interactive or --self confirmation.
    • dist/chunk-TWAGSGFN.js installs the bundled syntax extension only after a user prompt or --vscode.
    • The VSIX contains only declarative language-support assets; no executable extension entrypoint.
    • No credential harvesting, exfiltration endpoint, eval/vm use, or AI-agent configuration writes found.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 45 file(s), 169 KB of source, external domains: 127.0.0.1, openapi.vercel.sh

    Source & flagged code

    8 flagged · loading source
    dist/upgrade-363YDSK6.jsView file
    16// src/commands/upgrade.ts L17: import { spawnSync as spawnSync2 } from "child_process"; L18: import { existsSync, mkdirSync, readdirSync, readFileSync, writeFileSync } from "fs";
    High
    Child Process

    Package source references child process execution.

    dist/upgrade-363YDSK6.jsView on unpkg · L16
    50} L51: async function maybeSelfUpdate(reexecArgv, choice) { L52: if (choice === false) return false;
    High
    Shell

    Package source references shell execution.

    dist/upgrade-363YDSK6.jsView on unpkg · L50
    48function installGlobalLatest() { L49: return spawnSync("npm", ["install", "-g", `${PKG}@latest`], { stdio: "inherit", shell: WIN }).status === 0; L50: } ... L62: if (!yes) { L63: log(` ${color.gray("Skipped. Update later with")} ${color.cyan(`npm i -g ${PKG}@latest`)} L64: `);
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/upgrade-363YDSK6.jsView on unpkg · L48
    dist/migrate-IKSGKDDU.jsView file
    23try { L24: const require2 = createRequire(join(root, "package.json")); L25: data = await import(pathToFileURL(require2.resolve("@apex-stack/data")).href);
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/migrate-IKSGKDDU.jsView on unpkg · L23
    vscode/apex-alpine.vsixView file
    path = vscode/apex-alpine.vsix kind = high_entropy_blob sizeBytes = 33222 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    vscode/apex-alpine.vsixView on unpkg
    path = vscode/apex-alpine.vsix kind = compressed_blob sizeBytes = 33222 magicHex = [redacted]
    Medium
    Ships Compressed Blob

    Package ships compressed or archive-like blobs.

    vscode/apex-alpine.vsixView on unpkg
    path = vscode/apex-alpine.vsix kind = nested_archive_needs_inspection sizeBytes = 33222 magicHex = [redacted]
    Low
    Nested Archive Needs Inspection

    Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

    vscode/apex-alpine.vsixView on unpkg
    dist/cli.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @apex-stack/core@0.22.0 matchedIdentity = npm:QGFwZXgtc3RhY2svY29yZQ:0.22.0 similarity = 0.837 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/cli.jsView on unpkg

    Findings

    1 Critical4 High5 Medium5 Low
    CriticalPrevious Version Dangerous Deltadist/cli.js
    HighChild Processdist/upgrade-363YDSK6.js
    HighShelldist/upgrade-363YDSK6.js
    HighRuntime Package Installdist/upgrade-363YDSK6.js
    HighShips High Entropy Blobvscode/apex-alpine.vsix
    MediumDynamic Requiredist/migrate-IKSGKDDU.js
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Compressed Blobvscode/apex-alpine.vsix
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNested Archive Needs Inspectionvscode/apex-alpine.vsix