registry  /  @taprootio/espalier  /  2.1.0

@taprootio/espalier@2.1.0

Espalier — a themeable, accessible, framework-agnostic, enterprise-grade design system built on web standards and love.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The install hook only prints a proprietary-license notice; browser network features are component behavior driven by application configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` for the notice; application use/configuration for form, grid, and font requests.
Impact
No package-driven persistence, exfiltration, destructive action, remote payload execution, or AI-agent mutation identified.
Mechanism
stdout-only postinstall notice and user-configured browser UI fetches
Rationale
Direct inspection shows the flagged postinstall is a non-failing stdout license notice, not system mutation. Network calls are browser-component features using caller/configured URLs or Google Fonts, with no concrete malicious chain.
Evidence
package.jsonnotice.cjsdist/index.jsdist/form/esp-form.jsdist/grid/esp-grid.jsdist/font-picker/esp-font-picker.jsdist/root/esp-root.jsdist/grid/esp-grid-column.js
Network endpoints1
fonts.googleapis.com/css2

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `notice.cjs` postinstall only writes a license notice to stdout inside a catch-all.
    • No Node filesystem, process spawning, shell, or credential-harvesting APIs found in package JS.
    • `dist/index.js` is a static UI-component export barrel; no import-time network or install action.
    • Runtime `fetch` calls use host-configured form action, grid data URL, or bundled font assets.
    • Google Fonts links are injected only by browser UI font-loading features.
    • No binaries or AI-agent configuration/control-surface references found.
    Behavioral surface
    Source
    ChildProcessNetwork
    Supply chain
    HighEntropyStringsMinifiedTelemetryUrlStrings
    Manifest
    NoLicense
    scanned 135 file(s), 608 KB of source, external domains: fonts.googleapis.com, www.w3.org

    Source & flagged code

    1 flagged · loading source
    package.jsonView file
    scripts.postinstall = node ./notice.cjs
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg

    Findings

    1 High1 Medium5 Low
    HighInstall Time Lifecycle Scriptspackage.json
    MediumNetwork
    LowScripts Present
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings
    LowNo License