registry  /  forgr  /  0.5.2

forgr@0.5.2

Convert Markdown files into polished PDFs

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package installs a Chromium renderer for its stated Markdown-to-PDF function only after an explicit script or conversion path requires it.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `npm run install-chromium` or invokes `forgr convert` without a cached browser.
Impact
Creates/removes the package-owned `~/.forgr/browsers` cache and writes the user-selected PDF output; no exfiltration or foreign control-surface mutation found.
Mechanism
Playwright Chromium download and local PDF rendering.
Rationale
Static hints flag package-manager and child-process use, but direct inspection shows those operations are package-aligned Chromium provisioning for PDF rendering and occur only through explicit user actions. No concrete malicious behavior was found.
Evidence
package.jsonbin/forgrscripts/postinstall.jssrc/browsers-path.jssrc/cli.jssrc/pdf.jssrc/pipeline.jssrc/markdown.js~/.forgr/browsersuser-selected PDF output path

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no npm preinstall/install/postinstall hook; `install-chromium` is an explicit script.
    • `bin/forgr` only imports `src/cli.js`, which requires an explicit convert or uninstall command.
    • `src/pdf.js` downloads Playwright Chromium only during user-invoked PDF generation when absent.
    • Browser files are confined to `~/.forgr/browsers`; removal targets only ffmpeg entries there.
    • No source reads credentials, scans sensitive files, contacts a package-controlled endpoint, or mutates AI-agent settings.
    • `preuninstall` references a missing script and is not included in the published file list, so it cannot perform the hinted uninstall action.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemShell
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 8 file(s), 25.7 KB of source

    Source & flagged code

    4 flagged · loading source
    scripts/postinstall.jsView file
    2import { rm } from 'fs/promises'; L3: import { execSync } from 'child_process'; L4: import { homedir } from 'os';
    High
    Child Process

    Package source references child process execution.

    scripts/postinstall.jsView on unpkg · L2
    52try { L53: execSync('npx playwright-core install chromium-headless-shell', { L54: stdio: 'inherit',
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    scripts/postinstall.jsView on unpkg · L52
    src/assets/fonts/IBMPlexMono-600.woff2View file
    path = src/assets/fonts/IBMPlexMono-600.woff2 kind = high_entropy_blob sizeBytes = 50600 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    src/assets/fonts/IBMPlexMono-600.woff2View on unpkg
    src/pdf.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = forgr@0.5.0 matchedIdentity = npm:Zm9yZ3I:0.5.0 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    src/pdf.jsView on unpkg

    Findings

    1 Critical4 High2 Medium4 Low
    CriticalPrevious Version Dangerous Deltasrc/pdf.js
    HighChild Processscripts/postinstall.js
    HighShell
    HighRuntime Package Installscripts/postinstall.js
    HighShips High Entropy Blobsrc/assets/fonts/IBMPlexMono-600.woff2
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings