registry  /  slintorm  /  1.2.4

slintorm@1.2.4

Minimal fully typed orm for typescript

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Runtime filesystem and database writes are package-aligned ORM migration/generation/seed behavior gated by explicit API or CLI use.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
importing ORM APIs or running explicit slintorm CLI commands
Impact
expected project schema/migration files and database tables may be created, modified, or dropped by user-invoked commands
Mechanism
database ORM, migration, schema generation, and optional user-configured HTTP database execution
Rationale
Static inspection shows the flagged primitives are ORM/CLI functionality: dynamic imports load database drivers or user project config/seed files, network access is user-supplied DB HTTP/proxy execution, and destructive operations are explicit migration commands. No install-time payload, exfiltration, hidden shell execution, or unconsented control-surface mutation was found.
Evidence
package.jsondist/src/bin/cli.jsdist/src/index.jsdist/src/dbAdapter.jsdist/src/http-driver.jsdist/src/proxy.js<cwd>/<dir>/schema/migrations/*.json<cwd>/<dir>/schema/generated.json<cwd>/<dir>/schema/generated.js<cwd>/<dir>/schema/generated.ts
Network endpoints1
api.planetscale.com/v1/organizations/${config.organization}/databases/${config.database}/branches/${branch}/execute

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json prepare only runs local build script, not payload execution
    • dist/src/bin/cli.js imports user config/seed files only during explicit CLI commands
    • dist/src/bin/cli.js contains no child_process; npm install text is an error message for missing DB drivers
    • dist/src/dbAdapter.js comment says auto-install/spawnSync removed and code uses dynamic driver imports
    • dist/src/http-driver.js/proxy.js network calls are user-configured database HTTP/proxy helpers
    • No credential harvesting, persistence, reviewer manipulation, or exfiltration endpoints found
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 25 file(s), 668 KB of source, external domains: api.planetscale.com, flutterwave.com, grow.google, konga.com, learn.microsoft.com, learndigital.withgoogle.com, linkedin.com, meet.google.com, mode.com, overthewire.org, paystack.com, skillshop.google.com, sqlzoo.net, tryhackme.com, www.facebook.com, www.isc2.org, www.netacad.com, www.semrush.com

    Source & flagged code

    4 flagged · loading source
    dist/src/bin/cli.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = slintorm@1.1.7 matchedIdentity = npm:c2xpbnRvcm0:1.1.7 similarity = 0.696 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/src/bin/cli.jsView on unpkg
    413// creates a unique index on `name` in the migrations collection. L414: await exec(`CREATE TABLE "${MIGRATIONS_TABLE}"`); L415: return;
    High
    Child Process

    Package source references child process execution.

    dist/src/bin/cli.jsView on unpkg · L413
    895warn(`No schema snapshot found for batch ${targetBatch}; cannot rebuild previous tables automatically.`); L896: warn("Update your source files to match that point in history, then re-run `npx slintorm migrate`."); L897: } ... L907: await migrator.ensureTable(unit.tableName, modelDef.fields, modelDef.relations ?? []); L908: await exec(`INSERT INTO "${MIGRATIONS_TABLE}" (name, batch) VALUES (${isPg ? "$1,$2" : "?,?"})`, [unit.name, targetBatch]); L909: writeMigrationRecord(cfg.dir ?? "src", unit, targetBatch, modelDef);
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/src/bin/cli.jsView on unpkg · L895
    107try { L108: const mod = await import(pathToFileURL(cfgPath).href); L109: const cfg = mod.default ?? mod;
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/src/bin/cli.jsView on unpkg · L107

    Findings

    1 Critical3 High3 Medium5 Low
    CriticalPrevious Version Dangerous Deltadist/src/bin/cli.js
    HighChild Processdist/src/bin/cli.js
    HighShell
    HighRuntime Package Installdist/src/bin/cli.js
    MediumDynamic Requiredist/src/bin/cli.js
    MediumNetwork
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings