periderm-cli@0.1.33

A pre-launch checklist for your codebase. Scan JS, TS, JSX, and TSX projects before you ship.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked SaaS scanner CLI that reads project source for static analysis, writes .periderm reports, and can upload scan metadata/findings to Periderm endpoints after authentication.

Static reason
No blocking static signals were detected; the diff against the previous stored version introduced a source file that the delta heuristic classifies as dangerous.
Trigger
User runs periderm login, scan, review, watch, whoami, or logout.
Impact
Expected project findings/report data may be written locally or sent to service APIs; no install-time execution, credential harvesting, destructive behavior, or hidden code execution was found.
Mechanism
Static project scanner with authenticated dashboard upload, update check, and crash reporting.
Rationale
Static inspection shows scanner/file/network primitives are aligned with the documented CLI workflow and require explicit user commands, with no lifecycle execution or covert payload. Scanner hints about dynamic require/network/env are explained by benign local scanning, config, update, authenticated API, and crash-reporting code.
Evidence
• package.json
• dist/bin.js
• dist/index.js
• dist/api.js
• dist/config.js
• dist/error-report.js
• dist/update-notifier.js
• dist/review/deep.js
• dist/scanner/index.js
• dist/scanner/walk.js
• dist/scanner/repo-checks.js
• ~/.periderm/config.json
• .periderm/last-report.md
• .periderm/last-report.json
• .periderm/ai-instructions.md
• .periderm/.gitignore
Network endpoints (3)
• periderm-cli.vercel.app
• registry.npmjs.org/${name}/latest
• formspree.io/f/mqakppnn

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
    (none listed)
    Evidence against
    • package.json has no install/preinstall/postinstall hooks; executable is user-invoked bin ./dist/bin.js.
    • dist/bin.js only starts update check and imports ./index.js; no arbitrary dynamic require or shell execution.
    • dist/scanner/walk.js and dist/scanner/index.js read JS/TS project files for static scan findings, excluding node_modules/dist/build/.git paths.
    • dist/index.js writes reports only under the selected project's .periderm directory after periderm scan/review.
    • dist/api.js network calls are product-aligned token verification, scan upload, policies, and deep review APIs.
    • rg found no child_process, eval, Function, rm, unlink, or binary/native loading in package dist files.
    Behavioral surface
    Source: Child Process, Dynamic Require, Environment Vars, Filesystem, Network
    Supply chain: High Entropy Strings, Url Strings
    Manifest: no manifest risk signals triggered.
    scanned 22 file(s), 159 KB of source, external domains: 127.0.0.1, formspree.io, periderm-cli.vercel.app, registry.npmjs.org, www.w3.org, your-domain.com

    Source & flagged code

    2 flagged
    dist/scanner/repo-checks.js
    L321: why: "Without code-splitting, a visitor to your landing page also downloads the admin dashboard, the settings screens, and every modal. First paint gets slower with every feature y...
    L322: fix: "Wrap heavy or rarely-used routes in React.lazy(() => import('./Route')) + <Suspense>, or use your router's built-in lazy() API. Split third-party charts, editors and 3D scene...
    L323: aiPrompt: `This project has ${routeFiles.length} route files but no dynamic import()/React.lazy usage. Identify the largest / least-visited routes (admin, settings, editors, charts...
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior. Here the match sits inside string literals: the fix and aiPrompt messages that a repo check emits to recommend React.lazy(() => import('./Route')) to the scanned project. That is advice text written into a report, not a dynamic import the package itself executes, which is why the rationale above treats the hit as explained by benign scanner code.

    dist/scanner/repo-checks.js, line 321
    dist/scanner/checks.js
    matchType = previous_version_dangerous_delta
    matchedPackage = periderm-cli@0.1.31
    matchedIdentity = npm:cGVyaWRlcm0tY2xp:0.1.31
    similarity = 0.762
    summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a source file, dist/scanner/checks.js, that is absent from the previous stored version (0.1.31) and that the delta heuristic classifies as dangerous. The report does not name the construct that triggered the classification, and the rg sweep under "Evidence against" found no child_process, eval, Function, rm, unlink, or native loading in the dist files, so this is a new-file signal to review rather than a confirmed dangerous primitive.

    dist/scanner/checks.js
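Added example, not code from periderm-cli or from the scanner behind this report: a Node script that reproduces, over constructed inputs, the three checks the verdict above rests on. It inspects package.json for install-time lifecycle hooks and bin entries (the first "Evidence against" bullet), sweeps shipped source for the primitives the rg run looked for (with string literals blanked first, so advice text like the repo-checks.js fix message is not counted as a dynamic import), and computes a file-set delta against a previous version in the spirit of the previous_version_dangerous_delta rule. All function names, regexes and sample files are assumptions; the Jaccard similarity is a stand-in for the report's unspecified 0.762 metric, and the added sample files are written to trip the rule, unlike the real checks.js, which the report does not characterize.

```javascript
// Added example: not code from periderm-cli or from the scanner behind this
// report. Reproduces the triage checks over constructed inputs.

// npm runs these scripts automatically during install, with no user command.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Matched against the raw source, because a module specifier is itself a
// string literal. "native" covers process.dlopen and .node addon loading.
const RAW_PATTERNS = {
  child_process: /require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/,
  native: /process\.dlopen\s*\(|\.node['"]/,
};

// Matched after string literals are blanked, so that code quoted inside a
// message (the repo-checks.js fix text on this page) is not counted.
const CODE_PATTERNS = {
  eval: /\beval\s*\(/,
  Function: /\bnew\s+Function\s*\(|\bFunction\s*\(/,
  unlink: /\bunlink(?:Sync)?\s*\(/,
  rm: /\brm(?:Sync)?\s*\(/,
  dynamic_import: /\bimport\s*\(|\brequire\s*\(\s*[^'"\s)]/,
};

// Crude literal blanking: keeps the quotes, replaces the body with spaces.
// It does not understand nested template expressions, regex literals or
// apostrophes in comments; adequate for triage, not a parser.
function stripStringLiterals(src) {
  return src.replace(/(['"`])(?:\\.|(?!\1)[^\\])*\1/g,
    (m) => m[0] + ' '.repeat(m.length - 2) + m[0]);
}

// Manifest check: install hooks that would execute on `npm install`, and the
// bin entries a user has to invoke explicitly.
function manifestRisk(pkg) {
  const scripts = pkg.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
  const bin = typeof pkg.bin === 'string' ? { [pkg.name]: pkg.bin } : (pkg.bin || {});
  return { hooks, bins: Object.values(bin) };
}

// Primitive sweep for one file. blankStrings=false reproduces the naive grep
// that yields a "Dynamic Require" hit on advice text.
function dangerousPrimitives(src, blankStrings = true) {
  const code = blankStrings ? stripStringLiterals(src) : src;
  const hits = [];
  for (const [name, re] of Object.entries(RAW_PATTERNS)) if (re.test(src)) hits.push(name);
  for (const [name, re] of Object.entries(CODE_PATTERNS)) if (re.test(code)) hits.push(name);
  return hits;
}

// Version delta: files added since the stored previous version, a Jaccard
// similarity over paths (assumed stand-in for the report's metric), and which
// added files carry a primitive; that last set is what a
// "previous version dangerous delta" rule would escalate.
function versionDelta(prev, next) {
  const prevPaths = new Set(Object.keys(prev));
  const nextPaths = Object.keys(next);
  const added = nextPaths.filter((p) => !prevPaths.has(p));
  const shared = nextPaths.filter((p) => prevPaths.has(p)).length;
  const union = new Set([...prevPaths, ...nextPaths]).size;
  const dangerousAdded = added.filter((p) => dangerousPrimitives(next[p]).length > 0);
  return { added, similarity: shared / union, dangerousAdded };
}

// Constructed sample inputs, modelled loosely on this report; not the real files.
const SAMPLE_MANIFEST = {
  name: 'example-cli',
  bin: { 'example-cli': './dist/bin.js' },
  scripts: { build: 'tsc', test: 'vitest' },
};
const SAMPLE_PREV = {
  'dist/bin.js': "import './index.js';\n",
  // Advice text that mentions import(): the false-positive shape from repo-checks.js.
  'dist/scanner/repo-checks.js':
    "export const fix = \"Wrap heavy routes in React.lazy(() => import('./Route')) + <Suspense>\";\n",
};
const SAMPLE_NEXT = {
  ...SAMPLE_PREV,
  // Hypothetical added files, written to trip the rule.
  'dist/collect.js': "import { execSync } from 'child_process';\nexport const rev = () => execSync('git rev-parse HEAD').toString();\n",
  'dist/plugin.js': 'module.exports = require(process.env.PLUGIN_MODULE);\n',
};

function triage(manifest, prev, next) {
  return {
    manifest: manifestRisk(manifest),
    perFile: Object.fromEntries(Object.keys(next).map((p) => [p, dangerousPrimitives(next[p])])),
    delta: versionDelta(prev, next),
  };
}

console.log(JSON.stringify(triage(SAMPLE_MANIFEST, SAMPLE_PREV, SAMPLE_NEXT), null, 2));
```

Run with node; the printed triage shows no hooks and one user-invoked bin, an empty hit list for the advice text, and both hypothetical added files flagged in the delta. To see the naive false positive the report reproduces, call dangerousPrimitives on the repo-checks sample with blankStrings set to false.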

    Findings

    1 Critical · 3 Medium · 4 Low
    Critical: Previous Version Dangerous Delta (dist/scanner/checks.js)
    Medium: Dynamic Require (dist/scanner/repo-checks.js)
    Medium: Network
    Medium: Environment Vars
    Low: Scripts Present
    Low: Filesystem
    Low: High Entropy Strings
    Low: Url Strings