registry  /  elm-test-rs  /  3.2.0-0

elm-test-rs@3.2.0-0

Fast and portable executable to run your Elm tests.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Installation links a declared platform binary into this package's own CLI path; runtime forwards explicit user arguments to that binary.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install; later explicit `elm-test-rs` CLI invocation
Impact
No foreign files, credentials, network endpoints, or agent control surfaces are accessed by the inspected JavaScript.
Mechanism
local platform-binary resolution, self-package hard-link optimization, and CLI process forwarding
Rationale
The lifecycle script performs a package-aligned local binary-link optimization, not a remote payload fetch or foreign-system mutation. Scanner signals are explained by the intended native CLI wrapper behavior.
Evidence
package.jsoninstall.jsbinary.jselm-test-rs.jsREADME.md

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` defines an install hook.
  • `binary.js` writes a hard link into its own package bin path.
Evidence against
  • `install.js` only invokes local `binary.js`.
  • `binary.js` resolves a declared platform optional dependency; no download or network API exists.
  • The install write atomically replaces only `elm-test-rs.js` within this package.
  • `elm-test-rs.js` only spawns the resolved binary with user CLI arguments.
  • No credential harvesting, shell execution, dynamic code loading, exfiltration, persistence, or AI-agent config access found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 2.98 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.install = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.install = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings