registry  /  @blockquote-web-components/blockquote-directive-svg-to-data-image  /  1.5.35

@blockquote-web-components/blockquote-directive-svg-to-data-image@1.5.35

This directive receives a `Lit SVG Template Result` and returns a data URI string.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time lifecycle hook executes npx sort-package-json, which is unnecessary for package consumers and may fetch/execute an external CLI. Runtime source appears package-aligned and benign.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package postinstall
Impact
Potential install-time external code execution and package.json rewrite; no confirmed exfiltration or destructive behavior in package source.
Mechanism
install lifecycle invokes npx formatter CLI
Rationale
The package has a real install-time execution risk via npx, but source inspection did not show credential theft, persistence, payload staging, or malicious runtime behavior. This warrants a warning rather than a publish block.
Evidence
package.jsonsrc/index.jssrc/BlockquoteDirectiveSvgToDataImage.js

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: npm run sort:package
  • package.json sort:package runs npx sort-package-json at install time
  • npx can resolve and execute an external CLI during consumer install
  • sort-package-json may rewrite package.json in the installed package directory
Evidence against
  • src/index.js only re-exports the directive
  • src/BlockquoteDirectiveSvgToDataImage.js only converts Lit SVG template data to a data:image URI
  • No credential/env harvesting, filesystem scanning, child_process, eval, or dynamic import in src/
  • No package source network endpoints beyond documentation links
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.66 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present