registry  /  @blockquote-web-components/blockquote-controller-context-meta  /  1.5.14

@blockquote-web-components/blockquote-controller-context-meta@1.5.14

Webcomponent blockquote-controller-context-meta following open-wc recommendations

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No malicious payload is present in package source. The unresolved risk is an install-time postinstall hook that invokes npx sort-package-json, causing external CLI execution during npm install.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
Potential unpinned third-party CLI execution and package.json rewrite at install time; no exfiltration or persistence found in source.
Mechanism
install-time npx CLI execution for package sorting
Rationale
This is not confirmed malware, but an install lifecycle hook that delegates to npx during install is a real supply-chain risk and should be warned rather than blocked. Runtime source behavior is package-aligned Lit context metadata handling.
Evidence
package.jsonsrc/index.jssrc/BlockquoteControllerContextMeta.jssrc/BaseContextMetaElement.jssrc/directives/context-meta-provider.jssrc/directives/cache-context-meta-provider.js

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: npm run sort:package
  • package.json sort:package runs npx sort-package-json during install
  • install hook can execute an external CLI and mutate package.json in the installed package
Evidence against
  • src/index.js only re-exports package modules
  • src/BlockquoteControllerContextMeta.js implements Lit context provider/consumer behavior
  • src/directives/*.js only cache and apply Lit context metadata
  • rg found no fetch/XHR, child_process, eval/Function, fs reads, credential harvesting, or AI-agent config writes
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 12.3 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present