registry  /  @blockquote-web-components/blockquote-base-style-helpers  /  1.4.35

@blockquote-web-components/blockquote-base-style-helpers@1.4.35

Webcomponent blockquote-base-style-helpers following open-wc recommendations

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious payload was found in source. The only risky surface is an install-time postinstall script that invokes npx for package JSON sorting, which is unnecessary for runtime style helpers.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
Potential install-time execution of an external CLI and local package.json mutation, but no package source evidence of exfiltration, persistence, or destructive behavior.
Mechanism
install-time npx formatter invocation
Rationale
Source inspection supports a warning for unnecessary install-time npx execution, not a publish block. Runtime entrypoints are package-aligned style helpers with no concrete attack behavior.
Evidence
package.jsonsrc/index.jssrc/setDocumentStyles.jssrc/setComponentSharedStyles.jssrc/getComponentSharedStyles.js

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: npm run sort:package
  • sort:package runs npx sort-package-json during install, an unnecessary install-time tool invocation
  • postinstall can mutate package.json ordering in the installed package context
Evidence against
  • src/index.js only re-exports style helper modules
  • src/setDocumentStyles.js only adopts or appends CSS styles in the browser document
  • src/setComponentSharedStyles.js stores Lit CSSResult values via BlockquoteBaseMeta
  • src/getComponentSharedStyles.js retrieves stored CSSResult values
  • No child_process, fs, eval, dynamic require/import, credential access, or exfiltration code found in package source
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 8.57 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present