registry  /  projen  /  0.101.8

projen@0.101.8

CDK for software projects

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a project generator/task runner whose dangerous primitives are activated by explicit CLI/task usage and project configuration.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs projen CLI or generated projen tasks.
Impact
Runs user/project-declared commands and writes generated project files as expected for projen; no covert install-time action found.
Mechanism
Project scaffolding and configured task execution.
Rationale
Static inspection shows no install-time execution and no covert network, credential, persistence, destructive, or agent-control behavior. The flagged child process, shell, VM, dynamic require, and environment-variable primitives are aligned with projen's documented role as a project scaffolder and task runner and require explicit user/project invocation.
Evidence
package.jsonbin/projenlib/cli/index.jslib/cli/cmds/synth.jslib/cli/cmds/run-task.jslib/run-task.cjslib/util/exec.jslib/projects.jslib/run-projenrc-json.task.js
Network endpoints3
github.com/projen/projen.gitaws.amazon.comregistry.npmjs.org/

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Source has legitimate task execution primitives: lib/run-task.cjs and lib/util/exec.js run user/project task commands via child_process/dax.
  • lib/projects.js uses require.resolve and vm.runInContext for user-selected project templates during explicit project creation.
  • lib/run-projenrc-json.task.js reads PROJENRC_FILE/.projenrc.json and synthesizes a project when invoked as a task.
Evidence against
  • package.json defines no preinstall/install/postinstall/prepare lifecycle hook.
  • bin/projen only loads lib/cli/index.js; CLI actions depend on user commands or existing .projen/tasks.json.
  • lib/cli/index.js registers yargs commands and only synthesizes when explicitly run with no subcommand in a projen project.
  • Network strings found are documentation, registry configuration, repository metadata, or generated project settings; no exfiltration endpoint or HTTP client flow was confirmed.
  • lib/run-task.cjs bundles dax/chalk/yargs-style dependencies and task runner code; child_process/process.env use is for executing configured tasks, not harvesting secrets.
  • No source evidence of credential collection, persistence, destructive install behavior, or AI-agent control-surface mutation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 229 file(s), 5.04 MB of source, external domains: aws.amazon.com, biomejs.dev, bit.ly, docs.aws.amazon.com, github.com, maven.apache.org, nextjs.org, nodejs.org, parceljs.org, projen.io, python-poetry.org, reactjs.org, registry.npmjs.org, test.pypi.org, vercel.com, www.npmjs.com, www.w3.org

Source & flagged code

8 flagged · loading source
lib/run-task.cjsView file
5745patternName = aws_access_key severity = critical line = 5745 matchedText = var byte...=");
Critical
Critical Secret

Package contains a critical-looking secret pattern.

lib/run-task.cjsView on unpkg · L5745
5745patternName = aws_access_key severity = critical line = 5745 matchedText = var byte...=");
Critical
Secret Pattern

AWS access key ID in lib/run-task.cjs

lib/run-task.cjsView on unpkg · L5745
874Cross-file remote execution chain: lib/run-task.cjs spawns lib/tasks.js; helper contains network access plus dynamic code execution. L874: graph[models[i]] = { L875: // http://jsperf.com/1-vs-infinity L876: // micro-opt, but this is simple. ... L1202: } L1203: if (process.platform === "win32") { L1204: const osRelease = os.release().split("."); ... L1247: supportsColor: getSupportLevel, L1248: stdout: translateLevel(supportsColor(true, tty2.isatty(1))), L1249: stderr: translateLevel(supportsColor(true, tty2.isatty(2))) ... L1316: if (u && !bracket && c.length === 5 || c[0] === "x" && c.length === 3) { L1317: return String.fromCharCode(parseInt(c.slice(1), 16)); L1318: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

lib/run-task.cjsView on unpkg · L874
lib/util/exec.jsView file
38exports.systemShell = systemShell; L39: const child_process = __importStar(require("child_process")); L40: const dax_1 = require("dax");
High
Child Process

Package source references child process execution.

lib/util/exec.jsView on unpkg · L38
lib/javascript/node-project.jsView file
412if (release || shouldPackage) { L413: this.packageTask.execArgs([ L414: "mkdir",
High
Shell

Package source references shell execution.

lib/javascript/node-project.jsView on unpkg · L412
lib/cdk/index.jsView file
16Object.defineProperty(exports, "__esModule", { value: true }); L17: __exportStar(require("./construct-lib"), exports); L18: __exportStar(require("./jsii-docgen"), exports);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/cdk/index.jsView on unpkg · L16
lib/projects.jsView file
74try { L75: return path.dirname(require.resolve(path.join(moduleName, "package.json"), { L76: paths: [process.cwd()], L77: })); ... L125: const postSynth = opts.post ?? true; L126: process.env.PROJEN_DISABLE_POST = (!postSynth).toString(); L127: process.env.PROJEN_CREATE_PROJECT = "true"; ... L129: } L130: //# sourceMappingURL=data:application/json;base64,[redacted]...
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

lib/projects.jsView on unpkg · L74
lib/javascript/node-package.jsView file
matchType = previous_version_dangerous_delta matchedPackage = projen@0.101.4 matchedIdentity = npm:cHJvamVu:0.101.4 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/javascript/node-package.jsView on unpkg

Findings

3 Critical3 High5 Medium4 Low
CriticalCritical Secretlib/run-task.cjs
CriticalPrevious Version Dangerous Deltalib/javascript/node-package.js
CriticalSecret Patternlib/run-task.cjs
HighChild Processlib/util/exec.js
HighShelllib/javascript/node-project.js
HighCross File Remote Execution Contextlib/run-task.cjs
MediumDynamic Requirelib/cdk/index.js
MediumUnsafe Vm Contextlib/projects.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings