AI Security Review
scanned 13h ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time behavior. The package is a user-invoked CLI that can generate deployment files, run configured CI commands, and update itself only through explicit subcommands.
Decision evidence
public snapshot- `package.json` has no preinstall/install/postinstall/prepare hook.
- `dist/rastack.js` dispatches only explicit CLI subcommands.
- `src/rastack-update.ts` self-updates only when `rastack update` is invoked.
- `src/rastack-init.ts` writes deployment files only for explicit `rastack init`.
- `src/rastack-ci.ts` executes developer-configured CI steps only for explicit `rastack ci`.
- `provider/wasm.ts` dynamically imports the package's own WASM module.
Source & flagged code
5 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
provider/wasm.tsView on unpkg · L12Package source references dynamic require/import behavior.
dist/rastack-compile.jsView on unpkg · L12Package source invokes a package manager install command at runtime.
src/rastack-update.tsView on unpkg · L14This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/rastack-init.jsView on unpkg