registry  /  @giveitsmaller/contracts  /  0.57.0

@giveitsmaller/contracts@0.57.0

Generated contract types for GISL (Give It Smaller)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is generated API contracts and model bindings; network use requires consumer code to invoke the OpenAPI runtime request method.

Static reason
One or more suspicious static signals were detected.
Trigger
A consuming application explicitly calls a generated API client request method.
Impact
No install-time, import-time, persistence, exfiltration, or destructive behavior established.
Mechanism
Consumer-configured fetch dispatch to an API base path.
Rationale
The suspicious secret pattern is a false positive from OpenAPI examples. Source inspection shows a generated contracts package with no automatic execution or concrete malicious behavior.
Evidence
package.jsondist/index.jsdist/openapi/index.jsdist/openapi/runtime.jsopenapi/api.yaml
Network endpoints1
localhost:8080

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `openapi/api.yaml` contains token/password-looking example values that explain the scanner hit.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • `dist/index.js` only re-exports generated contract modules.
  • `dist/openapi/index.js` exports runtime and models; it performs no request on import.
  • `dist/openapi/runtime.js` calls `fetch` only through an explicit API request method.
  • No child-process, filesystem, eval, dynamic-loading, or credential-harvesting code was found in JavaScript.
  • The flagged YAML values are documented request examples, not embedded credentials.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 301 file(s), 1.63 MB of source

Source & flagged code

5 flagged · loading source
openapi/api.yamlView file
3081patternName = generic_password severity = medium line = 3081 matchedText = passwo...
Medium
Secret Pattern

Package contains a possible secret pattern.

openapi/api.yamlView on unpkg · L3081
3461patternName = generic_password severity = medium line = 3461 matchedText = password...tpw"
Medium
Secret Pattern

Hardcoded password in openapi/api.yaml

openapi/api.yamlView on unpkg · L3461
3546patternName = generic_password severity = medium line = 3546 matchedText = current_...tpw"
Medium
Secret Pattern

Hardcoded password in openapi/api.yaml

openapi/api.yamlView on unpkg · L3546
3547patternName = generic_password severity = medium line = 3547 matchedText = new_pass...tpw"
Medium
Secret Pattern

Hardcoded password in openapi/api.yaml

openapi/api.yamlView on unpkg · L3547
4031patternName = generic_password severity = medium line = 4031 matchedText = current_...tpw"
Medium
Secret Pattern

Hardcoded password in openapi/api.yaml

openapi/api.yamlView on unpkg · L4031

Findings

5 Medium1 Low
MediumSecret Patternopenapi/api.yaml
MediumSecret Patternopenapi/api.yaml
MediumSecret Patternopenapi/api.yaml
MediumSecret Patternopenapi/api.yaml
MediumSecret Patternopenapi/api.yaml
LowScripts Present