
djlint@1.40.1

HTML Template Linter and Formatter

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The only executable behavior is an npm postinstall wrapper that installs the corresponding PyPI djlint version, which is disclosed in the README as the npm installation path.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install djlint
Impact
Installs Python djlint 1.40.1 into the active Python environment; no source evidence of malicious payload or exfiltration.
Mechanism
postinstall pip install wrapper
Rationale
Static inspection found a risky lifecycle hook, but it is package-aligned and documented as the npm wrapper for the Python djlint tool. With no payload files or evidence of harvesting, exfiltration, persistence, or destructive behavior, the scanner's lifecycle finding is insufficient to classify this as malicious.
Evidence
package.json, README.md

Decision evidence

public snapshot
AI classified this as Clean (Benign) at 88.0% confidence, with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: python3 -m pip install --upgrade djlint==1.40.1
  • Install-time command delegates to Python/pip and may fetch from pip's configured index
Evidence against
  • Package contains only package.json, README.md, and LICENSE; no hidden JS payload files
  • README.md documents npm install as experimental and requiring python and pip
  • Postinstall installs the same package name and version, not an unrelated package
  • No credential/env harvesting, destructive commands, persistence, obfuscation, eval, or exfiltration code found
  • No npm bin/main/module entrypoint or import-time code is present
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: No supply-chain packaging signals triggered.
Manifest: Copyleft License
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged
package.json
scripts.postinstall = python3 -m pip install --upgrade djlint==1.40.1
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.json
scripts.postinstall = python3 -m pip install --upgrade djlint==1.40.1
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
name = djlint; similarTo = eslint
Medium
Typosquat Name

Package name is suspiciously similar to a popular package name.

package.json

Findings

1 Critical, 1 High, 1 Medium, 2 Low
  • Critical · Red Install Lifecycle Script · package.json
  • High · Install Time Lifecycle Scripts · package.json
  • Medium · Typosquat Name · package.json
  • Low · Scripts Present
  • Low · Copyleft License