AI Security Review
scanned 2h ago · by lpm-firewall-aiAn explicit CLI command mutates nearby TypeScript compiler files. It injects a guarded transformer-loader block that persists until those files are replaced.
Decision evidence
public snapshot- `bin/deepkit-install.cjs` persistently rewrites TypeScript compiler files.
- The CLI injects code into `tsc.js`, `_tsc.js`, and `typescript.js` to load this package's transformer.
- The modification targets a separate installed dependency, not package-owned files.
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- The patcher is only exposed through the explicit `deepkit-install` bin command.
- Inspected installer has no credential collection, shell execution, or network request.
- Entrypoints export TypeScript/Deepkit transformer and reflection utilities.
Source & flagged code
3 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
dist/vendor/types-C3PrIcBl.mjsView on unpkg · L1233Package source references dynamic require/import behavior.
bin/deepkit-install.cjsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/transformer-CHOVkgMG.cjsView on unpkg