registry  /  @retreejs/convex  /  0.4.14

@retreejs/convex@0.4.14

Sync Convex queries into Retree reactive nodes.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious runtime or install-time attack surface exists. A bundled `.env` credential is a passive secret-exposure risk, not code-driven exfiltration.

Static reason
One or more suspicious static signals were detected.
Trigger
Accessing the published package contents.
Impact
Potential unauthorized npm account access if the credential is valid.
Mechanism
Bundled npm credential assignment in `.env`.
Rationale
The bundled credential warrants a warning, but the inspected source contains no concrete malicious behavior or execution chain. The scanner's secret signal is real; its broader suspicion is unsupported by source.
Evidence
.envpackage.jsonbin/index.jssrcsrc/actions.tssrc/mutations.tssrc/BaseConvexNode.tssrc/ConvexQueryNode.tssrc/ConvexPaginatedQueryNode.tssrc/ConvexConnectionStateNode.ts

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Unknown with low false-positive risk.
Evidence for warning
  • `.env` contains an `NPM_TOKEN` assignment bundled in the package.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • `bin/index.js` only re-exports library modules.
  • `src` contains Convex client wrappers and reactive subscription nodes.
  • No source use of filesystem, shell, eval, environment reads, or AI-agent configuration.
  • No package-controlled network endpoint or exfiltration logic is present.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 175 KB of source

Source & flagged code

1 flagged · loading source
1patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L1: NPM_TOKEN=<redacted:40 token-like>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L1

Findings

1 Critical2 Low
CriticalCritical Secret.env
LowScripts Present
LowHigh Entropy Strings