registry  /  @inixiative/config  /  0.5.0

@inixiative/config@0.5.0

Shared toolchain for the inixiative ecosystem: tsconfig/biome/tsup presets, a version manifest (BOM), and a sync/check CLI

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a shared config/toolchain CLI whose risky primitives are explicit maintenance commands that mutate project config, locks, git state, or publish ecosystem packages.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit invocation of inixiative-config sync, scan, or train; package development prepare script runs lefthook install.
Impact
Can modify project configuration and lockfiles, install dependencies, commit/publish packages when deliberately run, but no covert install-time or import-time attack behavior was found.
Mechanism
User-invoked toolchain synchronization and release automation
Rationale
Static inspection shows a package-aligned config CLI with explicit sync/scan/train commands; the scanner findings map to documented git/bun/npm maintenance actions rather than covert lifecycle execution or exfiltration. The only lifecycle script is prepare:"lefthook install" in the package manifest, with no consumer install hook or foreign AI-agent/control-surface mutation.
Evidence
package.jsondist/cli.jsREADME.mdlefthook/base.ymlversions.jsondist/tsup.js.bun-versionbun.lockbbun.lock.gitignorelefthook.ymltsconfig.jsonbiome.json
Network endpoints2
git+https://github.com/inixiative/config.gitbiomejs.dev/schemas/2.5.2/schema.json

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/cli.js uses child_process spawnSync for git, bun, and npm commands in user-invoked CLI modes.
  • dist/cli.js sync path can write project config files and run bun install unless --no-install is passed.
  • dist/cli.js train mode can run npm view/npm publish across ecosystem repos.
Evidence against
  • package.json has no preinstall/install/postinstall hook; prepare is only lefthook install for this package workflow.
  • README.md documents check/sync/scan/train behavior matching dist/cli.js functionality.
  • dist/cli.js command gate requires explicit check/sync/scan/train CLI invocation; import does not run sync behavior.
  • No credential/env harvesting, secret scanning, remote payload loading, AI-agent control-surface writes, or hidden exfiltration found.
  • Network-capable npm/git/bun operations are release/toolchain maintenance actions and package-aligned.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 27.7 KB of source

Source & flagged code

3 flagged · loading source
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @inixiative/config@0.4.2 matchedIdentity = npm:QGluaXhpYXRpdmUvY29uZmln:0.4.2 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
3// src/cli.ts L4: import { spawnSync as spawnSync2 } from "child_process"; L5: import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L3
291level: "error", L292: message: "bun.lock missing \u2192 run bun install and commit the lockfile" L293: }); L294: } else { L295: const ignoreStatus = spawnSync("git", ["check-ignore", "-q", "bun.lock"], { L296: cwd: dir2
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L291

Findings

1 Critical3 High3 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/cli.js
HighShell
HighRuntime Package Installdist/cli.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem