registry  /  @threadplane/render  /  0.0.56

@threadplane/render@0.0.56

`@json-render/core`-backed Angular render engine — maps JSON specs to Angular components via a registry, used internally by `@threadplane/chat` for generative-UI rendering.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is present in this package's own source. The only install-time surface is a postinstall command delegated to @threadplane/telemetry via a wildcard dependency.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package.json postinstall
Impact
Unresolved dependency-provided install-time telemetry command; no source evidence here of exfiltration, persistence, destructive behavior, or AI-agent control mutation.
Mechanism
delegated telemetry postinstall plus Angular runtime rendering library
Rationale
Static inspection shows a normal Angular rendering library and no local malicious code, but the postinstall hook delegates to a wildcard telemetry dependency outside this package. That unresolved install-time behavior warrants a warning rather than a publish block for @threadplane/render@0.0.56 itself.
Evidence
package.jsonfesm2022/threadplane-render.mjstypes/threadplane-render.d.tsREADME.md

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json declares postinstall: threadplane-telemetry-postinstall || true.
  • package.json depends on @threadplane/telemetry: *, so install-time behavior is delegated to a dependency not present in this package.
Evidence against
  • package.json has no bin field and package files contain no local postinstall executable.
  • fesm2022/threadplane-render.mjs imports only Angular, Angular common, and @json-render/core.
  • fesm2022/threadplane-render.mjs implements Angular render components/providers, registry helpers, state store, and event handling.
  • rg found no child_process, fs access, eval/Function, dynamic require/import, fetch/XMLHttpRequest/WebSocket, credential harvesting, or network endpoints in source.
  • README.md describes normal Angular render-engine usage and install instructions.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
Manifest
WildcardDependency
scanned 1 file(s), 43.1 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = threadplane-telemetry-postinstall || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = threadplane-telemetry-postinstall || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumWildcard Dependency
LowScripts Present