registry  /  isotropic-initializable  /  0.13.0

isotropic-initializable@0.13.0

An observable initialization lifecycle

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious runtime behavior is present in the shipped library. A `prepare` script delegates VCS-hook setup to an external dev dependency when that lifecycle runs.

Static reason
No blocking static signals were detected.
Trigger
Execution of the npm `prepare` lifecycle.
Impact
Potential VCS hook mutation outside the shipped library; exact behavior is not present in this package source.
Mechanism
prepare-time delegated git-hook installer
Rationale
No concrete malware, exfiltration, remote payload, destructive behavior, or hidden execution exists in the inspected package files. Policy treats prepare-only VCS hook setup as a warning-worthy lifecycle risk rather than a block.
Evidence
package.jsonlib/initializable.jsnode_modules/isotropic-dev-dependencies/lib/install-git-hooks.js

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` has a `prepare` lifecycle command invoking `install-git-hooks.js` from a dev dependency.
  • The declared hook-installer target is not bundled here, so its side effects cannot be verified from this package source.
Evidence against
  • `lib/initializable.js` only implements object initialization and pubsub lifecycle events.
  • No package source uses network clients, filesystem APIs, shell/child-process APIs, dynamic evaluation, or credential/environment access.
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook; the only install-adjacent hook is `prepare`.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 4.17 KB of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Suspicious Lifecycle Evidence

`package.json` has a `prepare` lifecycle command invoking `install-git-hooks.js` from a dev dependency.

package.jsonView on unpkg

Findings

2 Medium2 Low
MediumSuspicious Lifecycle Evidencepackage.json
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present