registry  /  bosia  /  0.8.3

bosia@0.8.3

A fast, batteries-included fullstack framework — SSR · Svelte 5 Runes · Bun · ElysiaJS. File-based routing No Node.js, no Vite, no adapters.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The risky primitives are framework-aligned developer tooling activated by explicit CLI/dev-server commands.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs bosia CLI commands such as create, dev, build, start, test, add, or feat.
Impact
Creates or updates project files and dependencies as requested; starts local dev/production servers; optional configured inspector can POST file/comment metadata to a user-provided endpoint.
Mechanism
Bun framework scaffolding, build/dev server, registry fetch/install, and optional dev inspector.
Rationale
Static inspection shows a Bun/Svelte framework package with explicit CLI commands for scaffolding, dev/build, registry installs, and optional dev inspector integration. Suspicious primitives are user-invoked and package-aligned, with no hidden install-time execution, secret harvesting, exfiltration, persistence, or unconsented AI-agent control mutation.
Evidence
package.jsonsrc/cli/index.tssrc/core/dev.tssrc/cli/registry.tssrc/cli/create.tssrc/cli/add.tssrc/cli/feat.tssrc/core/plugins/inspector/index.tssrc/core/plugin.tssrc/core/config.ts.bosia/devdistsrc/lib/components/<registry-path>src/lib/themes/<name>.csssrc/app.css.envbosia.jsonsrc/lib/utils.ts
Network endpoints4
raw.githubusercontent.com/bosapi/bosia/main/registrygithub.com/bosapi/bosia/releases/download/v${BOSIA_VERSION}/${template}.tar.gzlocalhost:${DEV_PORT}127.0.0.1:${APP_PORT}

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; bin only exposes src/cli/index.ts.
    • src/cli/index.ts dispatches explicit user commands and lazy-imports local CLI modules only.
    • src/core/dev.ts spawn/fetch/watch behavior is for user-invoked `bosia dev`: builds .bosia/dev, proxies localhost, and watches project src/.env files.
    • src/cli/registry.ts and src/cli/create.ts fetch from bosapi GitHub registry/releases and run bun/tar only during explicit create/add/feat commands.
    • src/core/plugins/inspector/index.ts AI endpoint is dev-only and requires user/configured BOSIA_INSPECTOR_AI_ENDPOINT or plugin option plus UI POST/comment action.
    • No credential harvesting, hidden exfiltration, persistence, destructive lifecycle behavior, or reviewer/prompt manipulation found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    WildcardDependency
    scanned 92 file(s), 432 KB of source, external domains: fonts.googleapis.com, github.com, raw.githubusercontent.com

    Source & flagged code

    4 flagged · loading source
    src/core/dev.tsView file
    matchType = previous_version_dangerous_delta matchedPackage = bosia@0.8.2 matchedIdentity = npm:Ym9zaWE:0.8.2 similarity = 0.954 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    src/core/dev.tsView on unpkg
    126console.log("🏗️ Building..."); L127: const proc = spawn(["bun", "run", BUILD_SCRIPT], { L128: stdout: "inherit",
    High
    Child Process

    Package source references child process execution.

    src/core/dev.tsView on unpkg · L126
    src/core/plugin.tsView file
    13name: "bosia-resolver", L14: setup(build: import("bun").PluginBuilder) { L15: // bosia:routes → .bosia/routes.client.ts (browser) or .bosia/routes.ts (server)
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    src/core/plugin.tsView on unpkg · L13
    src/cli/registry.tsView file
    184L185: /** Run `bun add` for deps and optionally `bun add --dev` for devDeps. */ L186: export async function bunAdd( ... L193: console.log(`\n📥 npm: ${packages.join(", ")}`); L194: const proc = spawn(["bun", "add", ...packages], { L195: stdout: "inherit",
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    src/cli/registry.tsView on unpkg · L184

    Findings

    1 Critical3 High5 Medium4 Low
    CriticalPrevious Version Dangerous Deltasrc/core/dev.ts
    HighChild Processsrc/core/dev.ts
    HighShell
    HighRuntime Package Installsrc/cli/registry.ts
    MediumDynamic Requiresrc/core/plugin.ts
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    MediumWildcard Dependency
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings