registry  /  fring-dev  /  0.2.0

fring-dev@0.2.0

Build scalable applications with a consistent architecture.

AI Security Review

scanned 2m ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a project generator CLI; shell/package-manager use is user-invoked scaffolding behavior rather than install-time execution.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the fring CLI commands such as project creation or table generation.
Impact
Creates or modifies files under the user-selected project directory and may install declared optional frontend dependencies.
Mechanism
Interactive project scaffolding and optional dependency installation
Rationale
Static source inspection shows expected CLI scaffolding behavior with user prompts and no lifecycle hook, credential harvesting, persistence, or exfiltration path. Scanner hits on execa/package installs are explained by project generation and optional dependency setup.
Evidence
package.jsondist/index.jstemplates/auth/auth-store.txttemplates/constants/env.txttemplates/utils/api.txtREADME.md
Network endpoints3
github.com/heisenberg-xx/fringgit+https://github.com/heisenberg-xx/fring.gitlocalhost:3000/fring/table

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks; only bin fring -> dist/index.js.
    • dist/index.js is an interactive scaffold CLI that prompts before optional installs and writes into the requested project path.
    • execa calls run package-aligned commands: create-next-app, dependency installs, shadcn init/add, git --version/status.
    • Template token/secret references are generated app code, not harvesting or exfiltration by this package.
    • No fetch/http client calls or hardcoded exfiltration endpoints found in package runtime source.
    Behavioral surface
    Source
    FilesystemShell
    Supply chainNo supply-chain packaging signals triggered.
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 28.1 KB of source

    Source & flagged code

    2 flagged · loading source
    dist/index.jsView file
    76// src/services/project-creator.ts L77: import { execa } from "execa"; L78:
    High
    Shell

    Package source references shell execution.

    dist/index.jsView on unpkg · L76
    471if (this.options.packageManager === "pnpm") { L472: await execa("pnpm", ["dlx", "shadcn@latest", "init"], { L473: cwd: this.options.projectName,
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/index.jsView on unpkg · L471

    Findings

    2 High2 Low
    HighShelldist/index.js
    HighRuntime Package Installdist/index.js
    LowScripts Present
    LowFilesystem