registry  /  @inixiative/config  /  0.5.8

@inixiative/config@0.5.8

Shared toolchain for the inixiative ecosystem: tsconfig/biome/tsup presets, a version manifest (BOM), and a sync/check CLI

AI Security Review

scanned 8h ago · by lpm-firewall-ai

The only install-time side effect is a `prepare` hook that invokes Lefthook and can install repository Git hooks. Mutating and release operations exist only in explicitly invoked CLI modes.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Git/local lifecycle preparation or explicit `inixiative-config sync`/`train` command
Impact
Can add project hook/config files and, when explicitly requested, run dependency, Git, and publish operations.
Mechanism
Prepare-time Git-hook setup; user-invoked project synchronization and release automation
Rationale
Source supports a package-aligned configuration and release CLI, not malware. Per policy, its prepare-only VCS hook installation warrants a warning rather than a block.
Evidence
package.jsondist/cli.jslefthook/base.ymlREADME.mdversions.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `lefthook install` via `prepare`, which can install Git hooks.
  • `dist/cli.js` `sync`/`train` explicitly write project configs and invoke Bun, Git, npm publish.
  • `lefthook/base.yml` installs pre-commit typecheck and Biome commands.
Evidence against
  • No `preinstall`, `install`, or `postinstall` lifecycle hook.
  • CLI execution requires explicit `check`, `sync`, `scan`, or `train` user command.
  • No credential/environment harvesting, obfuscated payload, eval, dynamic loading, or non-package network client found.
  • Git/npm/Bun operations are fixed command arguments for documented toolchain and release workflows.
  • Hook template performs only typecheck and lint commands.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 28.6 KB of source

Source & flagged code

3 flagged · loading source
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @inixiative/config@0.5.7 matchedIdentity = npm:QGluaXhpYXRpdmUvY29uZmln:0.5.7 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
3// src/cli.ts L4: import { spawnSync as spawnSync2 } from "child_process"; L5: import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L3
291level: "error", L292: message: "bun.lock missing \u2192 run bun install and commit the lockfile" L293: }); L294: } else { L295: const ignoreStatus = spawnSync("git", ["check-ignore", "-q", "bun.lock"], { L296: cwd: dir2
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L291

Findings

1 Critical3 High3 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/cli.js
HighShell
HighRuntime Package Installdist/cli.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem