registry  /  @blockquote-web-components/blockquote-controller-rxjs  /  1.4.34

@blockquote-web-components/blockquote-controller-rxjs@1.4.34

Webcomponent blockquote-controller-rxjs following open-wc recommendations

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The only confirmed risk is an install-time postinstall script that runs npx sort-package-json. No malicious runtime behavior or exfiltration was found in package source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
Unnecessary install-time execution and possible package.json mutation; no confirmed malicious payload.
Mechanism
install-time npx formatter invocation
Rationale
Static inspection confirms a real but limited install-time lifecycle risk from npx sort-package-json, while the package runtime source is benign and package-aligned. This supports warning rather than blocking.
Evidence
package.jsonsrc/index.jssrc/BlockquoteControllerRxjs.js

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines install-time postinstall: npm run sort:package
  • package.json sort:package runs npx sort-package-json, invoking external CLI during install
  • postinstall appears to rewrite/sort package.json, an unnecessary install-time mutation
Evidence against
  • src/index.js only re-exports BlockquoteControllerRxjs
  • src/BlockquoteControllerRxjs.js only manages RxJS subscriptions for a Lit controller
  • No source use of fs, child_process, eval, env harvesting, credential access, or package-defined network endpoints
  • No AI-agent control surface writes, persistence, destructive behavior, or import-time attack code found
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.06 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present