registry  /  @inixiative/config  /  0.5.7

@inixiative/config@0.5.7

Shared toolchain for the inixiative ecosystem: tsconfig/biome/tsup presets, a version manifest (BOM), and a sync/check CLI

AI Security Review

scanned 7h ago · by lpm-firewall-ai

The prepare hook installs Lefthook VCS hooks. Explicit `sync` and `train` commands can modify managed project files and run package-manager/git/npm commands.

Static reason
One or more suspicious static signals were detected.
Trigger
Package prepare lifecycle, or an explicit `inixiative-config sync`/`train` command.
Impact
Can add a pre-commit hook and, when explicitly invoked, alter project configuration, lockfiles, commits, and publish selected ecosystem packages.
Mechanism
Lefthook installation plus user-invoked ecosystem configuration and release automation.
Rationale
Warn due to prepare-time VCS-hook installation and powerful release automation. Source inspection does not establish malicious intent or covert exfiltration.
Evidence
package.jsondist/cli.jslefthook/base.ymlREADME.mdversions.jsonlefthook.yml.gitignore.bun-versionbun.lockbun.lockbtsconfig.jsonbiome.json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json: prepare runs `lefthook install`, creating VCS-hook setup during lifecycle.
  • dist/cli.js: sync/train can rewrite project config and invoke bun install/update.
  • dist/cli.js: train can fetch, commit, and npm publish after explicit CLI invocation.
Evidence against
  • No preinstall/install/postinstall hook is declared.
  • CLI actions are command-gated (`check`, `sync`, `scan`, `train`), not import-time.
  • No credential/env harvesting, eval, dynamic loading, or fixed exfiltration endpoint found.
  • lefthook/base.yml only runs typecheck and biome on staged TypeScript files.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 27.7 KB of source

Source & flagged code

2 flagged · loading source
dist/cli.jsView file
3// src/cli.ts L4: import { spawnSync as spawnSync2 } from "child_process"; L5: import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L3
291level: "error", L292: message: "bun.lock missing \u2192 run bun install and commit the lockfile" L293: }); L294: } else { L295: const ignoreStatus = spawnSync("git", ["check-ignore", "-q", "bun.lock"], { L296: cwd: dir2
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L291

Findings

3 High3 Low
HighChild Processdist/cli.js
HighShell
HighRuntime Package Installdist/cli.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem