registry  /  @hominis/fireforge  /  0.35.0

@hominis/fireforge@0.35.0

FireForge — a build tool for customizing Firefox

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Explicit CLI commands download Firefox source from fixed Mozilla archive hosts, extract it into the project workspace, and invoke local Git/toolchain commands.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs fireforge download/build/test or another explicit CLI command.
Impact
Expected project-local source, cache, Git, and build-tool modifications; no unconsented install-time mutation found.
Mechanism
User-invoked Firefox source management and local build orchestration.
Rationale
Source inspection shows a Firefox customization/build CLI with explicit download, extraction, Git, and toolchain operations. Risky primitives are package-aligned, user-invoked, bounded by fixed Mozilla archive URLs and extraction checks, with no concrete malicious chain.
Evidence
package.jsondist/bin/fireforge.jsdist/src/utils/process.jsdist/src/core/firefox-archive.jsdist/src/core/firefox-extract.jsdist/src/core/firefox-cache.jsdist/src/commands/download.jsdist/src/cli.jsdist/src/core/firefox-download.jsdist/src/core/git.js
Network endpoints2
archive.mozilla.org/pub/firefox/releasesarchive.mozilla.org/pub/devedition/releases

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall; missing prepare module is caught as ERR_MODULE_NOT_FOUND.
    • dist/bin/fireforge.js activates only when the user runs the CLI.
    • dist/src/core/firefox-archive.js limits downloads to Mozilla release archives and rejects unsafe version paths.
    • dist/src/core/firefox-extract.js preflights tar paths and link targets before extraction.
    • dist/src/utils/process.js uses spawn with argument arrays, not shell/eval execution.
    • No credential harvesting, exfiltration, AI-agent config paths, native loading, or hidden import-time actions found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    CopyleftLicense
    scanned 289 file(s), 2.20 MB of source, external domains: archive.mozilla.org, facebook.github.io, git-scm.com, github.com, mozilla.org, python.org, www.mozilla.org, www.w3.org

    Source & flagged code

    2 flagged · loading source
    dist/src/core/typecheck-shim.jsView file
    48* content scripts wired via `browser.js`. L49: * - Dynamic `import("resource:-…")` / `import("chrome:-…")` under patch L50: * checkJs: imports of *patch-owned* modules resolve to their real
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/src/core/typecheck-shim.jsView on unpkg · L48
    dist/src/core/git.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @hominis/fireforge@0.34.2 matchedIdentity = npm:QGhvbWluaXMvZmlyZWZvcmdl:0.34.2 similarity = 0.908 summary = stored previous version shares package body but lacks this dangerous source file
    High
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/src/core/git.jsView on unpkg

    Findings

    1 High4 Medium6 Low
    HighPrevious Version Dangerous Deltadist/src/core/git.js
    MediumDynamic Requiredist/src/core/typecheck-shim.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowCopyleft License