registry  /  @tricoteuses/assemblee  /  3.2.12

@tricoteuses/assemblee@3.2.12

Retrieve, clean up & handle French Assemblée nationale's open data

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network and file operations are package-aligned open-data retrieval/cache helpers that require caller invocation.

Static reason
One or more suspicious static signals were detected.
Trigger
user imports and explicitly calls loader/parser/git helper APIs
Impact
Caller-requested reads/writes/network/git operations in caller-provided paths/repos
Mechanism
French Assembly data parsing, loading, retrieval, and optional git helper commands
Rationale
Direct source inspection shows suspicious primitives are either build metadata or explicit package-aligned utilities for French Assembly open data. There is no install/import-time execution, credential collection, or unconsented exfiltration path.
Evidence
package.jsonlib/index.jslib/loaders.jslib/loaders-IUehTy2k.jslib/parsers.jslib/git.js
Network endpoints3
data.assemblee-nationale.frwww.assemblee-nationale.frwww2.assemblee-nationale.fr

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has prepare script, but it only runs local build/prettier and no install hook is shipped in lib.
  • lib/git.js exposes git execFileSync helpers using process.env, including reset/push, but only as explicit exported utilities.
Evidence against
  • package.json exports only lib entrypoints; no bin, preinstall, install, or postinstall scripts.
  • lib/index.js is schema/data helper exports with no import-time network or process execution.
  • lib/loaders-IUehTy2k.js contains Assembly open-data URLs and local dataset reads/path creation aligned with package purpose.
  • lib/parsers.js fetches assemblee-nationale.fr amendment pages only inside exported async iterators and writes cache files under caller-provided directory.
  • lib/parsers.js scanner secret hit is bundled parser/entity text, not credential material.
  • No credential harvesting, persistence, destructive install-time behavior, or unexplained exfiltration found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 9 file(s), 613 KB of source, external domains: data.assemblee-nationale.fr, forum.en-root.org, fr.wikipedia.org, github.com, schemas.assemblee-nationale.fr, www.assemblee-nationale.fr, www.ibm.com, www.legifrance.gouv.fr, www.performance-publique.budget.gouv.fr, www.senat.fr, www.w3.org, www2.assemblee-nationale.fr

Source & flagged code

1 flagged · loading source
lib/parsers.jsView file
2408patternName = generic_password severity = medium line = 2408 matchedText = password...d]",
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/parsers.jsView on unpkg · L2408

Findings

3 Medium6 Low
MediumSecret Patternlib/parsers.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License