registry  /  ts-medium-editor  /  0.1.4

ts-medium-editor@0.1.4

A modern, minimal & performant Medium-like rich text editor.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The only install-time behavior invokes a Git-hook setup utility configured for this package's development workflow.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install triggers postinstall; importing `./stx` mounts the browser editor only when called.
Impact
Potential local VCS-hook setup; no package-owned exfiltration, remote payload execution, destructive action, or AI-agent control-surface mutation found.
Mechanism
Git-hook setup plus browser DOM/editor interactions.
Rationale
The lifecycle hook is a development-oriented Git-hook setup signal, but inspected shipped code is browser-only and contains no concrete malicious chain. Scanner suspicion is attributable to the postinstall declaration rather than source-backed attack behavior.
Evidence
package.jsondist/index.jsdist/medium-editor.umd.jsdist/stx/index.jsdist/stx/index.d.ts

Decision evidence

public snapshot
AI called this Clean at 89.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json:56 defines postinstall `bunx git-hooks`.
  • package.json:76-82 configures pre-commit and commit-msg Git hooks.
Evidence against
  • dist/index.js and dist/medium-editor.umd.js only expose browser editor APIs.
  • dist/stx/index.js has no network, shell, filesystem, eval, dynamic import, or credential access.
  • FileReader use inserts user-dropped images into the editor DOM only.
  • localStorage persistence is optional, keyed by caller-provided storageKey.
Behavioral surface
Source
ChildProcess
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 199 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = bunx git-hooks
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bunx git-hooks
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings