registry  /  @platform-modules/civil-aviation-authority  /  2.3.280

@platform-modules/civil-aviation-authority@2.3.280

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was found. The main risk is an accidentally published .env with database configuration and user-invoked PostgreSQL sync utilities.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing package exports models; running npm run sync:sla-sql or dev initializes database-related code.
Impact
Potential credential exposure from packaged .env and possible database schema/object changes only when user runs provided sync scripts.
Mechanism
TypeORM model package with explicit database sync helper and packaged .env credentials
Rationale
Static inspection supports a warning for secret exposure and database-capable user-invoked scripts, but not a publish block because there is no concrete malicious lifecycle, exfiltration, or remote payload behavior. Scanner environment-variable findings are package-aligned for TypeORM configuration, while the included .env is the substantive unresolved risk.
Evidence
package.json.envsrc/index.tsdist/index.jssrc/data-source.tsdist/data-source.jsscripts/sync-sla-reports-sql.jssrc/scripts.tsdist/scripts.jssql/sla-reports-sync.manifest.jsonsql/*.sql

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • Package includes a .env file with DB_HOST, DB_PORT, DB_USER, DB_PASS, and DB_NAME keys.
  • scripts/sync-sla-reports-sql.js loads .env files and connects to PostgreSQL when explicitly run via sync:sla-sql.
  • src/data-source.ts and dist/data-source.js import dotenv/config and construct a TypeORM PostgreSQL DataSource from DB_* env vars.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks or bin entry.
  • dist/index.js and src/index.ts are model export barrels with no network, shell, or file mutation behavior on import.
  • No child_process, eval/vm/Function, native binary, wasm, or broad persistence indicators found.
  • Database sync script is user-invoked and applies local sql/ files, not a remote payload.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 634 file(s), 2.18 MB of source

Source & flagged code

1 flagged · loading source
4patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L4: DB_PASS=<redacted:40 token-like>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L4

Findings

1 Critical1 Medium4 Low
CriticalCritical Secret.env
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License