registry  /  djlint  /  1.39.6

djlint@1.39.6

HTML Template Linter and Formatter

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface is present in the package source. The only executable behavior is a documented npm-to-pip installation shim for the same djlint version.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install
Impact
Installs or upgrades the Python djlint package; no source evidence of malware behavior in this npm package.
Mechanism
postinstall invokes python3 -m pip install --upgrade djlint==1.39.6
Rationale
Static inspection confirms the scanner hit is a lifecycle install shim, but it is package-aligned and documented by the README. With no bundled payload or malicious source behavior, this should not be blocked.
Evidence
package.json, README.md

Decision evidence

public snapshot
AI classified this package as Clean (Benign) at 90.0% confidence, with high false-positive risk.
Evidence for block
  • package.json defines install-time postinstall script: python3 -m pip install --upgrade djlint==1.39.6.
  • The lifecycle hook runs an external package manager during npm install.
Evidence against
  • Only package files are package.json, README.md, and LICENSE; no JS entrypoints, binaries, hidden payloads, or bundled code found.
  • postinstall installs the same-name, same-version Python djlint package, matching README's documented experimental npm install path.
  • README describes djlint as a Python/PyPI HTML template linter and formatter and documents npm requiring python and pip.
  • No credential/env harvesting, persistence, destructive actions, obfuscation, AI-agent control writes, or exfiltration endpoints found in source.
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: No supply-chain packaging signals triggered.
Manifest: Copyleft License
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged
package.json
scripts.postinstall = python3 -m pip install --upgrade djlint==1.39.6
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.json
scripts.postinstall = python3 -m pip install --upgrade djlint==1.39.6
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
name = djlint; similarTo = eslint
Medium
Typosquat Name

Package name is suspiciously similar to a popular package name.

package.json

Findings

1 Critical, 1 High, 1 Medium, 2 Low
Critical: Red Install Lifecycle Script (package.json)
High: Install Time Lifecycle Scripts (package.json)
Medium: Typosquat Name (package.json)
Low: Scripts Present
Low: Copyleft License