AI Security Review
scanned 2h ago · by lpm-firewall-ainpm postinstall downloads a platform-native archive from the configured GitHub release URL into node_modules/.bin_real and extracts it. Later, the vallum CLI executes that downloaded binary with user arguments. The JavaScript package does not verify archive checksums or signatures before extraction.
Decision evidence
public snapshot- package.json defines postinstall: node ./install.js.
- binary.js constructs platform artifact URLs from GitHub releases.
- binary-install.js downloads redirects and extracts archives without checksum verification.
- binary-install.js runs the downloaded vallum binary on CLI invocation.
- Installer is a small transparent platform-binary wrapper.
- Only declared runtime dependency is detect-libc.
- Env access is limited to standard HTTP(S) proxy configuration.
- README scanner-like terms document the package’s stated security features, not reviewer instructions.
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage text addresses the security reviewer or scanner and tries to influence the review outcome.
README.mdView on unpkg