registry  /  @blockquote-web-components/blockquote-base-meta  /  1.5.35

@blockquote-web-components/blockquote-base-meta@1.5.35

Webcomponent blockquote-base-meta following open-wc recommendations

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The only suspicious primitive is a postinstall formatting command, not source-backed exfiltration, persistence, payload loading, or AI-agent control mutation.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package.json postinstall; importing the package loads src/index.js
Impact
postinstall may rewrite package.json formatting; runtime stores caller-provided values in a global Map
Mechanism
install-time package-json sorter and runtime in-memory metadata registry
Rationale
Static inspection found a noisy lifecycle-script signal but no concrete malicious behavior in the shipped source. Runtime code is package-aligned web-component metadata storage with no exfiltration, remote execution, destructive action, or agent control-surface writes.
Evidence
package.jsonsrc/index.jssrc/BlockquoteBaseMeta.jsREADME.md

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has install-time postinstall: npm run sort:package, which calls npx sort-package-json.
Evidence against
  • src/index.js only re-exports src/BlockquoteBaseMeta.js.
  • src/BlockquoteBaseMeta.js implements an in-memory global Map-backed metadata helper; no filesystem, process, shell, eval, dynamic import, or credential access.
  • No runtime network code; URL matches are documentation/comment links only.
  • No AI-agent config files or control-surface mutations found in package files.
  • Published files are limited to /src/ plus manifest metadata; no binary/native payloads found.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 5.60 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present