
djlint@1.39.7

HTML Template Linter and Formatter

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The only active behavior is an npm postinstall shim that installs the same-version Python djlint package via pip, matching the README's documented npm distribution path.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install djlint@1.39.7
Impact
Installs djlint==1.39.7 from Python packaging infrastructure when npm lifecycle scripts are enabled
Mechanism
package-aligned pip install shim
Rationale
Static source inspection found a lifecycle script, but it is a transparent npm-to-PyPI installer for the same package and version, and README.md documents it. With no additional payload and no suspicious data access, the scanner's lifecycle finding is noise rather than evidence of malicious intent. Note that the shim still runs pip with network access at npm install time, so the trust decision moves from the npm tarball to the djlint project on PyPI.
Evidence
package.json, README.md, LICENSE
Network endpoints (1)
pypi.org/project/djlint/

Decision evidence

public snapshot
AI classified this package as Clean (Benign) at 88.0% confidence, with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: python3 -m pip install --upgrade djlint==1.39.7
  • Install runs pip during npm install, causing package-aligned network/package-manager activity
Evidence against
  • Only package files are package.json, README.md, and LICENSE; no JS payload, bin, main, or hidden files present
  • README.md explicitly documents npm install as experimental and requiring python/pip
  • Postinstall pins the same djlint version and targets the known PyPI project name
  • No credential/env harvesting, shell obfuscation, destructive commands, persistence, or exfiltration code found
  • No AI-agent control-surface writes or reviewer prompt manipulation found
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: No supply-chain packaging signals triggered.
Manifest
Copyleft License
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged
package.json (View file)
scripts.postinstall = python3 -m pip install --upgrade djlint==1.39.7
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.json (View on unpkg)
scripts.postinstall = python3 -m pip install --upgrade djlint==1.39.7
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json (View on unpkg)
name = djlint; similarTo = eslint
Medium
Typosquat Name

Package name is suspiciously similar to a popular package name.

package.json (View on unpkg)
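The rationale and the flagged findings above come down to three manifest-level checks: does the package declare install-time lifecycle scripts, does the postinstall command resolve to a pip install of the same package name and pinned version (the "package-aligned shim" that makes this one benign), and is the package name within a short edit distance of a popular name. The following Node script is an added example that reproduces those checks; it is not djlint's code and not the registry scanner's. The list of "popular" names, the severity labels, and the two sample manifests are constructed for the example (the first mirrors the fields quoted on this page, the second is a hypothetical misaligned shim).

```javascript
// Added example: audit an npm manifest for install-time shims and name similarity.
// Not djlint's code and not the registry scanner's; POPULAR_NAMES and the severity
// labels are assumptions made for this example.
const POPULAR_NAMES = ["eslint", "prettier", "lodash", "express", "react"];
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

// Levenshtein edit distance (single-row DP) for the typosquat check.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Parse "… pip install [flags] <requirement>" into {name, pinned, version}.
// Returns null when the command is not a single-requirement pip install.
function parsePipInstall(cmd) {
  const m = /\bpip3?\s+install\s+(.*)$/.exec(cmd.trim());
  if (!m) return null;
  const args = m[1].split(/\s+/).filter((t) => !t.startsWith("-"));
  if (args.length !== 1) return null; // zero or several requirements: not a plain shim
  const req = /^([A-Za-z0-9_.-]+)(==|>=|~=)?(.*)$/.exec(args[0]);
  if (!req) return null;
  const [, name, op, version] = req;
  return { name, pinned: op === "==", version: version || null };
}

function auditManifest(pkg, popular = POPULAR_NAMES) {
  const findings = [];
  const scripts = pkg.scripts || {};
  const hooks = LIFECYCLE.filter((k) => k in scripts);
  if (hooks.length) {
    findings.push({ severity: "high", id: "install-lifecycle-scripts", detail: hooks.join(",") });
  }
  for (const hook of hooks) {
    const cmd = scripts[hook];
    // Chaining, pipes, substitution or redirection mean the command is not a simple shim.
    if (/[;&|`$<>]/.test(cmd)) {
      findings.push({ severity: "critical", id: "opaque-lifecycle-command", detail: `${hook}: ${cmd}` });
      continue;
    }
    const req = parsePipInstall(cmd);
    if (!req) {
      findings.push({ severity: "critical", id: "unrecognised-lifecycle-command", detail: `${hook}: ${cmd}` });
    } else if (req.name === pkg.name && req.pinned && req.version === pkg.version) {
      findings.push({ severity: "info", id: "package-aligned-pip-shim", detail: `${hook} installs ${req.name}==${req.version}` });
    } else {
      const target = req.pinned ? `${req.name}==${req.version}` : `${req.name} (unpinned)`;
      findings.push({ severity: "critical", id: "misaligned-pip-shim", detail: `${hook} installs ${target}, package is ${pkg.name}@${pkg.version}` });
    }
  }
  // A shim package should carry no executable entry points of its own.
  if (pkg.main || pkg.bin) {
    findings.push({ severity: "medium", id: "executable-entrypoints", detail: "main/bin present alongside lifecycle scripts" });
  }
  for (const p of popular) {
    const d = editDistance(pkg.name, p);
    if (p !== pkg.name && d <= 2) {
      findings.push({ severity: "medium", id: "typosquat-name", detail: `${pkg.name} is within edit distance ${d} of ${p}` });
    }
  }
  return findings;
}

// Constructed sample mirroring the fields this page quotes for djlint@1.39.7.
const SAMPLE_MANIFEST = {
  name: "djlint",
  version: "1.39.7",
  description: "HTML Template Linter and Formatter",
  scripts: { postinstall: "python3 -m pip install --upgrade djlint==1.39.7" },
};

// Hypothetical contrast case (constructed): same name, but the shim is unpinned,
// so the npm version no longer says which PyPI release actually gets installed.
const CONTRAST_MANIFEST = {
  name: "djlint",
  version: "1.39.7",
  scripts: { postinstall: "python3 -m pip install --upgrade djlint" },
};

for (const f of auditManifest(SAMPLE_MANIFEST)) console.log(f.severity, f.id, f.detail);
```

The script deliberately grades a lifecycle script "high" whether or not it turns out to be aligned; alignment downgrades the shim itself to informational but does not remove the fact that arbitrary code runs at install time, which is the distinction the review draws between a noisy finding and a benign verdict.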

Findings

1 Critical, 1 High, 1 Medium, 2 Low
Critical: Red Install Lifecycle Script (package.json)
High: Install Time Lifecycle Scripts (package.json)
Medium: Typosquat Name (package.json)
Low: Scripts Present
Low: Copyleft License