registry  /  redmine-devrelay-client  /  0.2.2

redmine-devrelay-client@0.2.2

Redmine REST client for redmine-devrelay MCP — auth, pagination, issue read/write helpers

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. This is an inert-on-import Redmine REST client whose network activity is triggered by consumer method calls and targets the consumer-configured Redmine URL.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A consumer calls `RedmineClient.fromEnv()` then an explicit read or write method.
Impact
Can read or modify Redmine issues using the consumer-supplied API key, consistent with package purpose.
Mechanism
Authenticated HTTP requests to configured Redmine API paths
Rationale
Direct inspection finds a package-aligned Redmine client without install-time execution, exfiltration, persistence, destructive filesystem actions, shell execution, or remote payload loading. The metadata-host signal is protective validation, not access: `dist/config.js` rejects those hosts.
Evidence
package.jsondist/index.jsdist/config.jsdist/http.jsdist/client.jsdist/issues.jsdist/writes.jsREADME.mddist/mask.jsdist/errors.js

Decision evidence

public snapshot
AI called this Clean at 99.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no lifecycle hooks or executable bin.
    • `dist/index.js` only re-exports modules; importing is inert.
    • `dist/config.js` reads only named Redmine settings and rejects metadata/link-local hosts.
    • `dist/http.js` sends requests only to `REDMINE_URL` and masks the configured API key in errors.
    • `dist/http.js` only reads an optional user-configured CA certificate; no writes, shell, eval, or dynamic loading.
    • `dist/issues.js` and `dist/writes.js` implement explicit Redmine issue reads and writes.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 9 file(s), 21.1 KB of source, external domains: redmine.example.com

    Source & flagged code

    2 flagged · loading source
    dist/config.jsView file
    4const LOCAL_HTTP_HOSTS = new Set(["localhost", "127.0.0.1", "redmine"]); L5: function isPrivateIpv4(host) { L6: const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host); ... L34: } L35: export function loadConfig(env = process.env) { L36: const urlRaw = env.REDMINE_URL?.trim(); ... L52: message: `Invalid REDMINE_URL: ${urlRaw}`, L53: check: ["Use an absolute URL like https://redmine.example.com"], L54: });
    High
    Cloud Metadata Access

    Source reaches cloud instance metadata or link-local credential endpoints.

    dist/config.jsView on unpkg · L4
    matchType = previous_version_dangerous_delta matchedPackage = redmine-devrelay-client@0.2.0 matchedIdentity = npm:cmVkbWluZS1kZXZyZWxheS1jbGllbnQ:0.2.0 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
    High
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/config.jsView on unpkg

    Findings

    2 High2 Medium4 Low
    HighCloud Metadata Accessdist/config.js
    HighPrevious Version Dangerous Deltadist/config.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings