registry  /  fantom-vue3-components  /  0.38.0

fantom-vue3-components@0.38.0

Library of various Vue 3 components with focus on accessibility

AI Security Review

scanned 3h ago · by lpm-firewall-ai

A prepare lifecycle hook invokes Husky during local or Git-based installation contexts. This can configure a consumer project's Git-hook directory, but no hook payload, network activity, or credential access is included.

Static reason
One or more suspicious static signals were detected.
Trigger
npm lifecycle execution of prepare in a context where npm runs it
Impact
Potential mutation of consumer Git hook configuration
Mechanism
Husky VCS-hook setup
Rationale
This is a prepare-only VCS hook setup, which warrants a warning under the install-control-surface policy. No concrete malicious payload or follow-on attack chain was found.
Evidence
package.jsonsrc/index.jssrc/plugins/jazzicon/jazzicon-bundle.jssrc/utils/StoreUtils/StoreUtils.js.husky

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines prepare: "husky install".
  • No .husky hook files were present to inspect, so the lifecycle command can mutate consumer VCS hook setup without package-owned hook contents.
Evidence against
  • package.json has no preinstall, install, or postinstall hook.
  • src/index.js only re-exports component-library modules.
  • Runtime-source scan found no network, credential harvesting, filesystem, shell, eval, or dynamic-loading behavior.
  • src/plugins/jazzicon/jazzicon-bundle.js is a bundled local rendering utility; no endpoint or payload execution was found.
Behavioral surface
Source
ChildProcess
Supply chain
HighEntropyStringsUrlStrings
Manifest
GitDependency
scanned 254 file(s), 1.01 MB of source, external domains: ftmscan.com, www.w3.org

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

package.json defines prepare: "husky install".

package.jsonView on unpkg

Findings

3 Medium4 Low
MediumGit Dependency
MediumAi Review Evidencepackage.json
MediumSuspicious Lifecycle Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings