registry  /  @taprootio/espalier  /  2.0.2

@taprootio/espalier@2.0.2

Espalier — a themeable, accessible, framework-agnostic, enterprise-grade design system built on web standards and love.

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The install hook prints a notice only, and runtime network behavior is user-configured UI/component functionality.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall notice; browser runtime when components are used
Impact
No credential theft, persistence, destructive behavior, or unauthorized control-surface mutation identified
Mechanism
license notice and web-component UI behavior
Rationale
Static inspection found a design-system package with a postinstall license notice and browser-only component behavior. Suspicious primitives are package-aligned or consumer-invoked, with no install-time mutation, exfiltration, persistence, or remote code execution.
Evidence
package.jsonnotice.cjsdist/index.jsdist/root/esp-root.jsdist/font-picker/esp-font-picker.jsdist/grid/esp-grid.jsdist/form/esp-form.jsdist/grid/esp-grid-column.js
Network endpoints3
fonts.googleapis.com/css2registry.npmjs.org/github.com/taprootio/espalier

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json postinstall only runs node ./notice.cjs
    • notice.cjs writes a license notice to stdout and catches errors; no fs/network/process mutation
    • dist/index.js only re-exports web components and helpers
    • Runtime fetch/link creation is UI-aligned: forms, grid dataUrl, font catalog/CSS, and Google Fonts links
    • No child_process, fs writes, native binaries, persistence, credential harvesting, or agent control-surface writes found
    • dist/grid/esp-grid-column.js uses Function/unsafeHTML for consumer-supplied templates, but it is a component feature not install/import-time attack behavior
    Behavioral surface
    Source
    ChildProcessNetwork
    Supply chain
    HighEntropyStringsMinifiedTelemetryUrlStrings
    Manifest
    NoLicense
    scanned 135 file(s), 604 KB of source, external domains: fonts.googleapis.com, www.w3.org

    Source & flagged code

    1 flagged · loading source
    package.jsonView file
    scripts.postinstall = node ./notice.cjs
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg

    Findings

    1 High1 Medium5 Low
    HighInstall Time Lifecycle Scriptspackage.json
    MediumNetwork
    LowScripts Present
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings
    LowNo License