registry  /  parseman  /  0.24.0

parseman@0.24.0

Parser combinators that compile to optimized JavaScript — use as a library or as a build-time macro

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A prepare lifecycle hook alters the local Git hooks path. No exfiltration, remote payload, or runtime attack behavior was found.

Static reason
No blocking static signals were detected.
Trigger
Running the package's prepare lifecycle in a Git working tree.
Impact
Can redirect repository hook execution to a package-relative path.
Mechanism
prepare-time Git hook configuration mutation
Rationale
The prepare-only VCS hook mutation is a real persistence-adjacent risk and merits a warning under the stated policy, but source inspection does not establish malicious intent or a concrete payload chain.
Evidence
package.jsondist/index.jsdist/plugin/index.js

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` `prepare` runs `git config core.hooksPath scripts/git-hooks`.
  • The `prepare` hook can mutate the consuming repository's Git hook configuration.
  • `files` publishes only `dist` and `README.md`; `scripts/git-hooks` is absent.
Evidence against
  • No `preinstall`, `install`, or `postinstall` hook is declared.
  • No package source uses network, child-process, credential harvesting, or destructive filesystem APIs.
  • `dist/plugin/index.js` reads source files only for its explicit build-time macro transform.
  • `new Function` in `dist/index.js` and `dist/plugin/index.js` implements documented parser/macro code generation.
  • SHA-1 use in `dist/plugin/index.js` creates short generated-name namespaces, not security tokens.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 1.03 MB of source, external domains: creativecommons.org, github.com, twitter.com, www.w3.org, xanthir.com

Source & flagged code

2 flagged · loading source
dist/plugin/index.jsView file
5483].join("\n"); L5484: const fn = new Function("input", "_pos", "_rp", "_mf", "_build", "_ctx", [ L5485: ...emptyTlDecls,
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/plugin/index.jsView on unpkg · L5483
363for (let i = 0; i < a.length; i++) { L364: let ca = a.charCodeAt(i); L365: let cb = b.charCodeAt(i); ... L3874: return false; L3875: // node() captures into its own private buffers and rolls them back on L3876: // failure (emitNode restores _ctx.* and never pushes on the !ok path). ... L5483: ].join("\n"); L5484: const fn = new Function("input", "_pos", "_rp", "_mf", "_build", "_ctx", [ L5485: ...emptyTlDecls, ... L5975: if (e instanceof Unserializable) { L5976: if (process.env.PARSEMAN_IR_DEBUG) console.error(`[ir] fallback: ${e.message}`); L5977: return null;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/plugin/index.jsView on unpkg · L363

Findings

1 Medium7 Low
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/plugin/index.js
LowWeak Cryptodist/plugin/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings