registry  /  cachoujs  /  0.4.2

cachoujs@0.4.2

Ultra-fast fine-grained reactive JavaScript framework

AI Security Review

scanned 58m ago · by lpm-firewall-ai

No confirmed malicious attack surface. Installation conditionally builds the package's bundled compiler into its own `bin` directory.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install with Go available
Impact
writes `bin/cachou-compiler` within the installed package
Mechanism
local Go compilation of bundled source
Rationale
The lifecycle hook is a package-local compiler build, not a payload fetch, credential collection, or foreign control-surface mutation. Network-related runtime APIs target relative application endpoints only and are consistent with framework functionality.
Evidence
package.jsonscripts/ensure-compiler.mjscompiler.gobin/cachou-compiler.jsplugin/vite.jspackages/compiler/lib/compile.mjssrc/files.jssrc/reactivity.jsbin/cachou-compiler

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` defines a `postinstall` hook.
  • `scripts/ensure-compiler.mjs` invokes `go build` when Go is available.
  • The install hook creates `bin/cachou-compiler` inside the package.
Evidence against
  • Postinstall builds only bundled `compiler.go`; no download or network API is used.
  • No external network endpoints or credential/environment harvesting were found.
  • Compiler wrappers use argument-array `spawn`/`execFile`, not shell execution.
  • `plugin/vite.js` only compiles configured component paths and removes generated files on source deletion.
  • No native binaries, bytecode payloads, AI-agent config writes, persistence, or destructive broad-path logic are present.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 35 file(s), 277 KB of source, external domains: github.com, local.invalid

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/ensure-compiler.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings