registry  /  isotropic  /  0.16.0

isotropic@0.16.0

A collection of utilities for large JavaScript projects with a consistent API

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious runtime surface exists in this package source. The only active lifecycle behavior is a prepare hook that delegates Git-hook setup to a development dependency.

Static reason
No blocking static signals were detected.
Trigger
npm prepare lifecycle, typically source/development installation.
Impact
May modify local VCS hook configuration; no exfiltration, remote execution, or destructive behavior is present in inspected package files.
Mechanism
delegated Git-hook installation via external development dependency
Rationale
Inspected source contains only dependency re-exports and no concrete malicious behavior. Per lifecycle policy, the prepare-only Git-hook setup remains a warn-level install-hook risk.
Evidence
package.jsonREADME.mdlib/backoff.jslib/request.jslib/cluster-primary.jslib/cluster-worker.js

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json: `prepare` executes `node_modules/isotropic-dev-dependencies/lib/install-git-hooks.js` during npm lifecycle.
  • README.md describes automated Git-hook setup, consistent with the prepare hook.
Evidence against
  • All 30 `lib/*.js` files are static one-line re-exports of declared isotropic dependencies.
  • No package source performs filesystem writes, network calls, shell execution, eval, credential access, or payload loading.
  • package.json has no `preinstall`, `install`, `postinstall`, `bin`, or package entrypoint that executes local code.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 30 file(s), 1.55 KB of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Suspicious Lifecycle Evidence

package.json: `prepare` executes `node_modules/isotropic-dev-dependencies/lib/install-git-hooks.js` during npm lifecycle.

package.jsonView on unpkg

Findings

2 Medium2 Low
MediumSuspicious Lifecycle Evidencepackage.json
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present