registry  /  @powerlines/deepkit  /  0.9.93

@powerlines/deepkit@0.9.93

A package containing a Powerlines plugin to assist in developing other Powerlines plugins.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The explicit `deepkit-install` command modifies a locally resolved TypeScript compiler to register the package transformer; it is not install-time behavior and contains no observed exfiltration or remote execution.

Static reason
No blocking static signals were detected.
Trigger
User explicitly runs `deepkit-install`.
Impact
Changes local TypeScript compiler behavior only after user invocation.
Mechanism
Local TypeScript transformer registration by compiler-source patching.
Rationale
Direct inspection shows a user-invoked, package-aligned compiler patcher rather than concealed install-time or remote attack behavior. Static dynamic-require and eval signals do not establish a malicious chain.
Evidence
package.jsonbin/deepkit-install.cjsdist/index.mjsdist/transformer-9Qq95aUb.mjsdist/vendor/types-C3PrIcBl.mjs

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `bin/deepkit-install.cjs` can modify resolved TypeScript compiler files when explicitly run.
Evidence against
  • `package.json` defines no lifecycle scripts, so installation does not invoke the binary.
  • The binary is exposed as `deepkit-install`, requiring an explicit user command.
  • Installer only patches `tsc.js`, `_tsc.js`, or `typescript.js` to register this package's transformer.
  • No outbound network APIs, child-process execution, credential harvesting, or AI-agent config writes found in inspected code.
  • The dynamic `require` in the injected patch resolves this package's local type compiler with a local-path fallback.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystem
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 48 file(s), 2.73 MB of source, external domains: playgroundcdn.typescriptlang.org

Source & flagged code

2 flagged · loading source
dist/vendor/types-C3PrIcBl.mjsView file
1233if (baseName === name) baseName += "Base"; L1234: return new Function(baseName, `return class ${name} extends ${baseName} {}`)(base); L1235: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/vendor/types-C3PrIcBl.mjsView on unpkg · L1233
bin/deepkit-install.cjsView file
1#!/usr/bin/env node L2: let _storm_software_config_tools_logger = require("@storm-software/config-tools/logger"); L3: let node_fs = require("node:fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/deepkit-install.cjsView on unpkg · L1

Findings

3 Medium4 Low
MediumDynamic Requirebin/deepkit-install.cjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowEvaldist/vendor/types-C3PrIcBl.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings