registry  /  isotropic-timeout  /  0.15.0

isotropic-timeout@0.15.0

Limit the amount of time a callback function will wait to be called or a promise will wait to settle

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No malicious runtime behavior is established. A `prepare` lifecycle hook delegates to an unavailable development dependency to install Git hooks, creating a limited unresolved VCS-hook mutation risk.

Static reason
No blocking static signals were detected.
Trigger
`npm prepare` during source/development installation or package preparation.
Impact
Potential repository Git-hook mutation; no exfiltration, remote payload, or destructive action is evidenced.
Mechanism
Prepare-time delegated Git-hook installation.
Rationale
No concrete malicious chain exists in the shipped runtime source. The uninspectable prepare-time Git-hook installer warrants a warning under the lifecycle-hook policy.
Evidence
package.jsonlib/timeout.jsREADME.md

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` has a `prepare` lifecycle command that invokes `install-git-hooks.js` from a dev dependency.
  • The hook-installer source is not included in this extracted package, so its mutation scope cannot be verified here.
Evidence against
  • `lib/timeout.js` is the sole runtime entrypoint and only wraps callbacks or promises with cancellation.
  • No runtime filesystem, environment, network, shell, dynamic-code, or agent-control operations appear in `lib/timeout.js`.
  • `package.json` ships only `lib`; no binaries or install/postinstall hooks are declared.
  • README network and filesystem references are usage examples, not package runtime code.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.60 KB of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Suspicious Lifecycle Evidence

`package.json` has a `prepare` lifecycle command that invokes `install-git-hooks.js` from a dev dependency.

package.jsonView on unpkg

Findings

2 Medium2 Low
MediumSuspicious Lifecycle Evidencepackage.json
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present