
djlint@1.40.0

HTML Template Linter and Formatter

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The only active behavior is a package-aligned npm postinstall wrapper that installs the matching PyPI djlint version.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: npm install djlint
Impact: Installs djlint Python package into the user's pip environment; no source evidence of malicious payload in this npm package.
Mechanism: postinstall pip install of matching Python package
Rationale: Static inspection confirms an install-time pip invocation, but it is documented in README.md and targets the same package/version rather than a suspicious endpoint or payload. No concrete malicious behavior, exfiltration, persistence, or hidden code is present in the npm package.
Evidence: package.json, README.md
Network endpoints (1): pypi.org/project/djlint/

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: python3 -m pip install --upgrade djlint==1.40.0
  • Install hook invokes pip and may fetch/install Python package code during npm install
Evidence against
  • Package contains only package.json, README.md, and LICENSE; no hidden JS payload or binaries found
  • README.md documents npm install as experimental and says it requires python and pip
  • The pip target is the same package name and exact version: djlint==1.40.0
  • No credential harvesting, destructive commands, persistence, or exfiltration code found in package files
  • No obfuscated strings, eval, child_process JS, dynamic require/import, or native loading found
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: No supply-chain packaging signals triggered.
Manifest: Copyleft License
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged

package.json: scripts.postinstall = python3 -m pip install --upgrade djlint==1.40.0
Critical: Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.

package.json: scripts.postinstall = python3 -m pip install --upgrade djlint==1.40.0
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json: name = djlint; similarTo = eslint
Medium: Typosquat Name
Package name is suspiciously similar to a popular package name.

Findings

1 Critical, 1 High, 1 Medium, 2 Low
Critical: Red Install Lifecycle Script (package.json)
High: Install Time Lifecycle Scripts (package.json)
Medium: Typosquat Name (package.json)
Low: Scripts Present
Low: Copyleft License