AI Security Review
scanned 4h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a dependency installer CLI; network, filesystem mutation, git, and script execution are aligned with explicit dep CLI commands.
Static reason
No blocking static signals were detected.
Trigger
User runs dep/depjs CLI commands such as install, lock, or run
Impact
Installs requested dependencies into node_modules and may run declared package lifecycle scripts like npm; no unconsented install-time behavior by this package itself was found.
Mechanism
Package-manager style dependency resolution, download, extraction, lifecycle/bin execution, and update notification.
Rationale
Static source inspection shows dep@1.5.0 is a package-manager CLI with no npm lifecycle hooks and no import-time attack chain. Risky primitives are user-invoked and package-aligned: registry fetches, scoped auth headers, git clone for git dependencies, node_modules writes, and declared lifecycle script execution.
Evidence
- package.json
- bin/dep.js
- lib/install.js
- lib/utils/fetch.js
- lib/utils/npmrc.js
- lib/utils/auth.js
- lib/utils/update-notifier.js
- lib/utils/lifecycle.js
- lib/utils/git.js
- node_modules
- node_modules/.bin
- package-lock.json
- .npmrc
- ~/.npmrc
- ~/.config/dep/update-check.json
Network endpoints (2)
- registry.yarnpkg.com/
- github.com/depjs/dep
Decision evidence
public snapshot: AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks
- bin/dep.js is a user-invoked CLI only; it dispatches install/lock/run and the update check
- lib/install.js implements dependency installation, node_modules replacement, lockfile use, lifecycle execution for target project/deps
- lib/utils/fetch.js sends registry requests only to configured package URLs with scoped .npmrc auth
- lib/utils/update-notifier.js performs an opt-out daily registry version check via a detached child process, not credential exfiltration
- No AI-agent control-surface writes, persistence, destructive broad paths, eval/vm, or hidden payloads found
Behavioral surface
- ChildProcess
- Crypto
- EnvironmentVars
- Filesystem
- NativeBindings
- Network
- Shell
- HighEntropyStrings
- UrlStrings
Source & flagged code
0 flagged. No flagged code excerpts are attached to this scan.
Findings
2 Medium, 4 Low
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings