dep@1.5.0

A little Node.js dependency installer for module end-users

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a dependency installer CLI; network, filesystem mutation, git, and script execution are aligned with explicit dep CLI commands.

Static reason
No blocking static signals were detected.
Trigger
User runs dep/depjs CLI commands such as install, lock, or run
Impact
Installs the requested dependencies into node_modules and may run the declared package lifecycle scripts, as npm does; no unconsented install-time behavior by this package itself was found.
Mechanism
Package-manager-style dependency resolution, download, extraction, lifecycle and bin script execution, and update notification.
Rationale
Static source inspection shows dep@1.5.0 is a package-manager CLI with no npm lifecycle hooks and no import-time attack chain. Risky primitives are user-invoked and package-aligned: registry fetches, scoped auth headers, git clone for git dependencies, node_modules writes, and declared lifecycle script execution.
Evidence
• package.json
• bin/dep.js
• lib/install.js
• lib/utils/fetch.js
• lib/utils/npmrc.js
• lib/utils/auth.js
• lib/utils/update-notifier.js
• lib/utils/lifecycle.js
• lib/utils/git.js
• node_modules
• node_modules/.bin
• package-lock.json
• .npmrc
• ~/.npmrc
• ~/.config/dep/update-check.json
Network endpoints (2)
• registry.yarnpkg.com
• github.com/depjs/dep

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
• package.json has no preinstall/install/postinstall lifecycle hooks
• bin/dep.js is a user-invoked CLI entry point that only dispatches install/lock/run and the update check
• lib/install.js implements dependency installation, node_modules replacement, lockfile use, and lifecycle execution for the target project and its dependencies
• lib/utils/fetch.js sends registry requests only to configured package URLs, with auth from scoped .npmrc entries
• lib/utils/update-notifier.js performs an opt-out daily registry version check via a detached child process, not credential exfiltration
• No AI-agent control-surface writes, persistence, destructive broad paths, eval/vm, or hidden payloads found
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 55 file(s), 108 KB of source, external domains: github.com, registry.yarnpkg.com

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

2 Medium, 4 Low
• Medium: Network
• Medium: Environment Vars
• Low: Scripts Present
• Low: Filesystem
• Low: High Entropy Strings
• Low: Url Strings