AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed attack surface is established from the package contents. The artifact is a metadata-only dev dependency bundle with no executable entrypoint or lifecycle hook.
Static reason
One or more suspicious static signals were detected.
Trigger
Package installation only installs declared dependencies; no package-owned code runs.
Impact
No malicious behavior confirmed by static source inspection.
Mechanism
metadata-only dependency aggregator
Rationale
The scanner hint is explained by repository/local dependency metadata, but the package has no executable code, lifecycle hooks, or import surface to carry out an attack. Static inspection found no concrete malicious behavior or suspicious payload beyond non-executing manifest metadata.
Evidence
package.jsonCHANGELOG.mdLICENSE
Network endpoints2
github.com/aversini/dev-dependencies/tree/main/packages/servergit@github.com:aversini/dev-dependencies.git
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json declares a local workspace-style dependency "@versini/dev-dependencies-common": "../common", which may be non-registry metadata but is not executable by itself.
Evidence against
- package.json has no lifecycle scripts, bin, main, module, browser, or exports entrypoints.
- Extracted package contains only package.json, CHANGELOG.md, and LICENSE; no JavaScript source or payload files are present.
- No install-time or import-time code path exists in the package contents.
- No credential/env/file harvesting, child_process/eval/vm usage, native/binary loading, persistence, or destructive behavior found.
- Only URL present is the declared homepage/repository metadata for github.com/aversini/dev-dependencies.
Behavioral surface
GitDependency
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Low
Suspicious Dependency Evidence
package.json declares a local workspace-style dependency "@versini/dev-dependencies-common": "../common", which may be non-registry metadata but is not executable by itself.
package.jsonView on unpkgFindings
1 Medium1 Low
MediumGit Dependency
LowSuspicious Dependency Evidencepackage.json