registry  /  projen  /  0.101.11

projen@0.101.11

CDK for software projects

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No install-time or import-time attack surface was confirmed. The package is a project generator that can write project files and run configured tasks only after explicit CLI/API use.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the projen CLI, invokes a configured task, or calls project creation APIs.
Impact
Configured project code and task commands can affect the user's project, but no covert persistence, credential harvesting, or exfiltration path was found.
Mechanism
User-directed project synthesis and task command execution.
Rationale
Static inspection found legitimate, explicitly invoked project-generation and task-running capabilities, not malicious package behavior. Scanner findings are explained by bundled tooling and intentional user-controlled execution features.
Evidence
package.jsonbin/projenlib/cli/index.jslib/projects.jslib/util/exec.jslib/run-task.cjslib/project.js

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, or prepare hook.
    • bin/projen only loads lib/cli/index.js after explicit CLI execution.
    • lib/cli/index.js runs synthesis or tasks only from user CLI arguments.
    • lib/projects.js VM execution constructs a user-selected project template/module.
    • lib/util/exec.js executes declared project task commands without a shell by default.
    • lib/run-task.cjs network primitives are bundled task-runner dependency code; no package-owned endpoint or exfiltration flow found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 229 file(s), 5.08 MB of source, external domains: aws.amazon.com, biomejs.dev, bit.ly, docs.aws.amazon.com, github.com, maven.apache.org, nextjs.org, nodejs.org, parceljs.org, projen.io, python-poetry.org, reactjs.org, registry.npmjs.org, test.pypi.org, vercel.com, www.npmjs.com, www.w3.org

    Source & flagged code

    8 flagged · loading source
    lib/run-task.cjsView file
    5907patternName = aws_access_key severity = critical line = 5907 matchedText = var byte...=");
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    lib/run-task.cjsView on unpkg · L5907
    5907patternName = aws_access_key severity = critical line = 5907 matchedText = var byte...=");
    Critical
    Secret Pattern

    AWS access key ID in lib/run-task.cjs

    lib/run-task.cjsView on unpkg · L5907
    874Cross-file remote execution chain: lib/run-task.cjs spawns lib/tasks.js; helper contains network access plus dynamic code execution. L874: graph[models[i]] = { L875: // http://jsperf.com/1-vs-infinity L876: // micro-opt, but this is simple. ... L1202: } L1203: if (process.platform === "win32") { L1204: const osRelease = os2.release().split("."); ... L1247: supportsColor: getSupportLevel, L1248: stdout: translateLevel(supportsColor(true, tty2.isatty(1))), L1249: stderr: translateLevel(supportsColor(true, tty2.isatty(2))) ... L1316: if (u && !bracket && c.length === 5 || c[0] === "x" && c.length === 3) { L1317: return String.fromCharCode(parseInt(c.slice(1), 16)); L1318: }
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    lib/run-task.cjsView on unpkg · L874
    lib/util/exec.jsView file
    38exports.systemShell = systemShell; L39: const child_process = __importStar(require("child_process")); L40: const fs = __importStar(require("fs"));
    High
    Child Process

    Package source references child process execution.

    lib/util/exec.jsView on unpkg · L38
    lib/javascript/node-project.jsView file
    412if (release || shouldPackage) { L413: this.packageTask.execArgs([ L414: "mkdir",
    High
    Shell

    Package source references shell execution.

    lib/javascript/node-project.jsView on unpkg · L412
    lib/cdk/index.jsView file
    16Object.defineProperty(exports, "__esModule", { value: true }); L17: __exportStar(require("./construct-lib"), exports); L18: __exportStar(require("./jsii-docgen"), exports);
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    lib/cdk/index.jsView on unpkg · L16
    lib/projects.jsView file
    74try { L75: return path.dirname(require.resolve(path.join(moduleName, "package.json"), { L76: paths: [process.cwd()], L77: })); ... L127: const postSynth = opts.post ?? true; L128: process.env.PROJEN_DISABLE_POST = (!postSynth).toString(); L129: process.env.PROJEN_CREATE_PROJECT = "true"; ... L131: } L132: //# sourceMappingURL=data:application/json;base64,[redacted]...
    Medium
    Unsafe Vm Context

    Package source executes code through a VM context API.

    lib/projects.jsView on unpkg · L74
    lib/project.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = projen@0.101.8 matchedIdentity = npm:cHJvamVu:0.101.8 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    lib/project.jsView on unpkg

    Findings

    3 Critical3 High5 Medium4 Low
    CriticalCritical Secretlib/run-task.cjs
    CriticalPrevious Version Dangerous Deltalib/project.js
    CriticalSecret Patternlib/run-task.cjs
    HighChild Processlib/util/exec.js
    HighShelllib/javascript/node-project.js
    HighCross File Remote Execution Contextlib/run-task.cjs
    MediumDynamic Requirelib/cdk/index.js
    MediumUnsafe Vm Contextlib/projects.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings