registry  /  @versini/dev-dependencies-server  /  9.0.6

@versini/dev-dependencies-server@9.0.6

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed attack surface is established from the package contents. The artifact is a metadata-only dev dependency bundle with no executable entrypoint or lifecycle hook.

Static reason
One or more suspicious static signals were detected.
Trigger
Package installation only installs declared dependencies; no package-owned code runs.
Impact
No malicious behavior confirmed by static source inspection.
Mechanism
metadata-only dependency aggregator
Rationale
The scanner hint is explained by repository/local dependency metadata, but the package has no executable code, lifecycle hooks, or import surface to carry out an attack. Static inspection found no concrete malicious behavior or suspicious payload beyond non-executing manifest metadata.
Evidence
package.jsonCHANGELOG.mdLICENSE
Network endpoints2
github.com/aversini/dev-dependencies/tree/main/packages/servergit@github.com:aversini/dev-dependencies.git

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json declares a local workspace-style dependency "@versini/dev-dependencies-common": "../common", which may be non-registry metadata but is not executable by itself.
Evidence against
  • package.json has no lifecycle scripts, bin, main, module, browser, or exports entrypoints.
  • Extracted package contains only package.json, CHANGELOG.md, and LICENSE; no JavaScript source or payload files are present.
  • No install-time or import-time code path exists in the package contents.
  • No credential/env/file harvesting, child_process/eval/vm usage, native/binary loading, persistence, or destructive behavior found.
  • Only URL present is the declared homepage/repository metadata for github.com/aversini/dev-dependencies.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
Manifest
GitDependency
scanned 0 file(s), 0 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Low
Suspicious Dependency Evidence

package.json declares a local workspace-style dependency "@versini/dev-dependencies-common": "../common", which may be non-registry metadata but is not executable by itself.

package.jsonView on unpkg

Findings

1 Medium1 Low
MediumGit Dependency
LowSuspicious Dependency Evidencepackage.json