registry  /  @powerlines/deepkit  /  0.9.96

@powerlines/deepkit@0.9.96

A package containing a Powerlines plugin to assist in developing other Powerlines plugins.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

An explicit CLI command mutates nearby TypeScript compiler files. It injects a guarded transformer-loader block that persists until those files are replaced.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `deepkit-install` with an optional project path.
Impact
Subsequent TypeScript compiler runs in that installation load this package's transformer.
Mechanism
Filesystem patching of TypeScript compiler runtime files.
Rationale
The package is not malicious by source evidence, but its explicit installer provides a persistent, dependency-patching capability with material build-chain impact. Flag as warn rather than block because no lifecycle hook causes unconsented execution.
Evidence
package.jsonbin/deepkit-install.cjsdist/transformer-CHOVkgMG.cjsdist/transformer-DSI6FAaZ.mjsnode_modules/typescript/lib/tsc.jsnode_modules/typescript/lib/_tsc.jsnode_modules/typescript/lib/typescript.js

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/deepkit-install.cjs` persistently rewrites TypeScript compiler files.
  • The CLI injects code into `tsc.js`, `_tsc.js`, and `typescript.js` to load this package's transformer.
  • The modification targets a separate installed dependency, not package-owned files.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • The patcher is only exposed through the explicit `deepkit-install` bin command.
  • Inspected installer has no credential collection, shell execution, or network request.
  • Entrypoints export TypeScript/Deepkit transformer and reflection utilities.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystem
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 48 file(s), 2.73 MB of source, external domains: playgroundcdn.typescriptlang.org

Source & flagged code

3 flagged · loading source
dist/vendor/types-C3PrIcBl.mjsView file
1233if (baseName === name) baseName += "Base"; L1234: return new Function(baseName, `return class ${name} extends ${baseName} {}`)(base); L1235: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/vendor/types-C3PrIcBl.mjsView on unpkg · L1233
bin/deepkit-install.cjsView file
1#!/usr/bin/env node L2: let _storm_software_config_tools_logger = require("@storm-software/config-tools/logger"); L3: let node_fs = require("node:fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/deepkit-install.cjsView on unpkg · L1
dist/transformer-CHOVkgMG.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @powerlines/deepkit@0.9.93 matchedIdentity = npm:QHBvd2VybGluZXMvZGVlcGtpdA:0.9.93 similarity = 0.913 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/transformer-CHOVkgMG.cjsView on unpkg

Findings

1 High3 Medium4 Low
HighPrevious Version Dangerous Deltadist/transformer-CHOVkgMG.cjs
MediumDynamic Requirebin/deepkit-install.cjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowEvaldist/vendor/types-C3PrIcBl.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings