registry  /  @metasession.co/devaudit-plugin-prisma  /  0.3.11

@metasession.co/devaudit-plugin-prisma@0.3.11

Prisma migration deploy hooks + status commands for DevAudit-onboarded node consumers.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The only execution is a package-aligned, explicit Prisma status command; hooks are read-only checks.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `devaudit prisma migrate-status`.
Impact
May execute Prisma through npx in the consumer project; no package-originated exfiltration, persistence, or destructive action is present.
Mechanism
Runs fixed `npx prisma migrate status` in `ctx.projectPath`.
Rationale
The scanner signal is attributable to a documented, explicit Prisma status helper using fixed arguments. Source inspection found no install-time execution or concrete malicious chain.
Evidence
package.jsondist/plugin.jsREADME.mdprisma/schema.prismaprisma/migrations/

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/plugin.js` invokes `npx prisma migrate status` through `execa`.
  • The command runs in caller-supplied `ctx.projectPath`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hooks.
  • The subprocess is only registered as explicit `migrate-status` command.
  • `dist/plugin.js` uses fixed arguments; no shell, eval, or dynamic loading.
  • Only `prisma/schema.prisma` and `prisma/migrations/` are read.
  • No credential, environment harvesting, file writes, or network client code found.
  • Hooks only inspect Prisma layout and log guidance.
Behavioral surface
Source
FilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.63 KB of source

Source & flagged code

2 flagged · loading source
dist/plugin.jsView file
1import { execa } from 'execa'; L2: import { promises } from 'fs';
High
Shell

Package source references shell execution.

dist/plugin.jsView on unpkg · L1
30ctx.logger.info(`Running \`npx prisma migrate status\` in ${ctx.projectPath}...`); L31: const res = await execa("npx", ["prisma", "migrate", "status"], { L32: cwd: ctx.projectPath,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/plugin.jsView on unpkg · L30

Findings

2 High2 Low
HighShelldist/plugin.js
HighRuntime Package Installdist/plugin.js
LowScripts Present
LowFilesystem