registry  /  @avesbox/magpie  /  0.1.6

@avesbox/magpie@0.1.6

Acceptance criteria scenarios on top of Vitest.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The CLI is explicitly user-invoked and launches the local Vitest binary; reporting writes configured test artifacts.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the magpie CLI or enables its Vitest reporter.
Impact
Runs the caller's local Vitest configuration and may create or prune package-owned/configured report files.
Mechanism
Vitest argument/env forwarding and local report generation.
Rationale
Static inspection shows a test-framework wrapper and reporter, not credential harvesting, remote payload loading, persistence, or install-time mutation. The scanner's runtime-install signal is a false positive caused by an error message containing npm install.
Evidence
package.jsondist/bin.jsdist/io.jsdist/vitest-bridge.jsdist/vitest-reporter.jsdist/plugin.js.magpie/vitest-records

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepublishOnly build; no install lifecycle hook.
    • dist/bin.js runs only when the user invokes magpie and spawns the locally resolved Vitest entry.
    • The npm-install text in dist/bin.js is an error hint, not an executed package-manager command.
    • dist/bin.js forwards user arguments and MAGPIE_* filter variables to Vitest; no network client or exfiltration code is present.
    • dist/io.js and reporting modules write only caller-configured test report files.
    • dist/vitest-bridge.js limits record cleanup to the package-owned .magpie/vitest-records directory.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemShell
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 16 file(s), 102 KB of source

    Source & flagged code

    3 flagged · loading source
    dist/bin.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @avesbox/magpie@0.1.5 matchedIdentity = npm:QGF2ZXNib3gvbWFncGll:0.1.5 similarity = 0.385 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/bin.jsView on unpkg
    1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import { readFileSync } from "node:fs";
    High
    Child Process

    Package source references child process execution.

    dist/bin.jsView on unpkg · L1
    49catch { L50: process.stderr.write("magpie: could not resolve vitest — install it first: npm install --save-dev vitest\n"); L51: process.exitCode = 1; ... L53: } L54: const child = spawn(process.execPath, [vitestEntry, ...forwardedArgv], { L55: env,
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/bin.jsView on unpkg · L49

    Findings

    1 Critical3 High2 Medium4 Low
    CriticalPrevious Version Dangerous Deltadist/bin.js
    HighChild Processdist/bin.js
    HighShell
    HighRuntime Package Installdist/bin.js
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings