registry  /  @stephencollinstech/hotspots  /  1.30.0

@stephencollinstech/hotspots@1.30.0

Static analysis CLI for TypeScript that computes Local Risk Score (LRS)

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 6 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.29 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/hotspots.js --version > /dev/null 2>&1 || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/hotspots.js --version > /dev/null 2>&1 || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/hotspots.jsView file
3L4: const { execFileSync } = require("child_process"); L5: const path = require("path");
High
Child Process

Package source references child process execution.

bin/hotspots.jsView on unpkg · L3
37`hotspots: could not find binary package ${pkgName}\n` + L38: `Try reinstalling: npm install hotspots` L39: ); ... L46: try { L47: execFileSync(bin, process.argv.slice(2), { stdio: "inherit" }); L48: } catch (err) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/hotspots.jsView on unpkg · L37

Findings

3 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/hotspots.js
HighRuntime Package Installbin/hotspots.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumStructural Risk Force Deep Review
LowScripts Present