registry  /  @taprootio/espalier  /  2.0.1

@taprootio/espalier@2.0.1

Espalier — a themeable, accessible, framework-agnostic, enterprise-grade design system built on web standards and love.

AI Security Review

scanned 16d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a browser web-component design system with an install-time license notice and configurable runtime fetch/font-loading features.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs notice.cjs; runtime behavior occurs when applications import/use components
Impact
No credential theft, exfiltration, persistence, or destructive behavior identified
Mechanism
license notice plus configurable UI component fetches/font stylesheet injection
Rationale
Static inspection shows the postinstall script is notice-only, and the network/dynamic HTML primitives are package-aligned browser UI features rather than install/import-time compromise. No source evidence supports malicious behavior.
Evidence
package.jsonnotice.cjsdist/index.jsdist/form/esp-form.jsdist/grid/esp-grid.jsdist/grid/esp-grid-column.jsdist/root/esp-root.jsdist/font-picker/esp-font-picker.js
Network endpoints4
fonts.googleapis.com/css2?family=...github.com/taprootio/espalier.gitgithub.com/taprootio/espalier/issuesregistry.npmjs.org/

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node ./notice.cjs
  • dist/grid/esp-grid-column.js uses Function() and unsafeHTML for user-authored grid templates
  • dist/form/esp-form.js and dist/grid/esp-grid.js perform browser fetches to configured action/dataUrl
  • dist/root/esp-root.js and dist/font-picker/esp-font-picker.js can load Google Fonts CSS at runtime
Evidence against
  • notice.cjs only writes a license notice to process.stdout and catches errors
  • No dependencies and no package code reads env vars, cookies, credentials, or local filesystem
  • No child_process, fs writes, native binaries, persistence, or install-time network behavior found
  • Runtime network behavior is UI-component aligned and activated by app configuration/user use
  • dist/index.js only exports web components and shared helpers
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
NoLicense
scanned 135 file(s), 604 KB of source, external domains: fonts.googleapis.com, www.w3.org

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.postinstall = node ./notice.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High1 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License