registry  /  @datalackey/typescript-build-config  /  0.0.20

@datalackey/typescript-build-config@0.0.20

Shared build configuration for TypeScript projects — ESLint, and future tsconfig/Prettier presets

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Installing the package automatically executes `src/postinstall.js`. It creates configuration files in the consuming project's root if none of its target files exist. No exfiltration or remote execution is present.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation of `@datalackey/typescript-build-config@0.0.20`
Impact
Unconsented project-file mutation; can add or replace the expected initial build-tool configuration set.
Mechanism
postinstall copies bundled configuration templates into the consumer project root
Rationale
The package is not concretely malicious, but its install-time lifecycle hook silently mutates consumer-project files. The mutation is package-aligned and guarded against existing targets, so a warning is more appropriate than a block.
Evidence
package.jsonsrc/postinstall.jssrc/top-level/eslint.config.jssrc/top-level/prettier.config.jssrc/top-level/tsconfig.jsonsrc/top-level/gitignoresrc/top-level/tsconfig.test.jsonsrc/top-level/tsconfig.eslint.json.gitignoretsconfig.jsontsconfig.test.jsontsconfig.eslint.jsoneslint.config.jsprettier.config.js

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` defines automatic `postinstall`.
  • `src/postinstall.js` uses `INIT_CWD`/cwd as consumer project root.
  • `src/postinstall.js` writes six root-level project configuration files on install.
  • Writes occur without an explicit user command when none of the destinations exist.
Evidence against
  • No network endpoints or HTTP clients in inspected package files.
  • No credential harvesting, shell execution, eval, dynamic loading, or payload download.
  • `src/postinstall.js` refuses to overwrite if any target already exists.
  • Copied files are package-aligned TypeScript, ESLint, Prettier, and gitignore templates.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 3.81 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node src/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node src/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings