
yuow@1.0.0-alpha.56

Generic implementation of the Unit of Work and Repository patterns for building an isolated domain model

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The install lifecycle invokes Prisma client generation, but the inspected package code does not harvest data, exfiltrate, persist, or mutate AI-agent control surfaces.

Static reason: One or more suspicious static signals were detected.
Trigger: npm install runs the package.json postinstall script.
Impact: Potential install-time build side effect only; no malicious behavior confirmed in package source.
Mechanism: Prisma client generation lifecycle command.
Rationale: Static inspection found an install-time Prisma generation command, but the shipped runtime is ordinary database transaction/repository support with no exfiltration, remote payload loading, shell execution, credential harvesting, destructive behavior, or AI-agent control-surface mutation. The lifecycle script is noisy and may be packaging-fragile (it is defined in terms of a test schema path rather than shipped runtime files), but the source facts do not support a malicious verdict.
Evidence (files inspected)
  • package.json
  • README.md
  • dist/core/index.js
  • dist/knex/index.js
  • dist/prisma/index.js
  • dist/core/uow.js
  • dist/core/repository.js
  • dist/prisma/prisma-engine.js
  • dist/knex/knex-engine.js
  • dist/core/change-tracker/tracked-entity.js
  • dist/core/context-provider.js
  • dist/core/uow-context.js

Decision evidence

Public snapshot: the AI classified this package as Clean (Benign) at 91.0% confidence, with low false-positive risk.
Evidence for block
  • package.json defines postinstall: npm run prisma:generate
  • prisma:generate runs prisma generate against tests/.config/prisma/schema.prisma
  • prepare runs husky install, but npm fires prepare only for source checkouts and git dependencies, not when a consumer installs the published tarball from the registry
Evidence against
  • Exports only dist/core, dist/knex, and dist/prisma library entrypoints
  • Runtime JS implements Unit of Work/repository/transaction helpers
  • No package JS uses child_process, fetch/http clients, eval/vm, credential reads, or file writes
  • Only network URLs found are README badges, author URL, and npm publish registry metadata
  • No bin entrypoints or hidden native/binary payloads found
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 35 file(s), 40.9 KB of source

Source & flagged code

2 flagged

package.json
scripts.postinstall = npm run prisma:generate
High: Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = npm run prisma:generate
Medium: Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.
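Both flagged findings turn on one question: what does `npm run prisma:generate` actually execute when a consumer installs the package, and does the hook fire for a registry install at all? The block below is an added example, not code from this page, from the yuow package, or from lpm-firewall-ai. It is a small Node.js auditor that resolves `npm run` indirection in package.json scripts, separates hooks that run on a registry install (preinstall, install, postinstall) from hooks that only run in a source checkout (prepare and friends), checks each resolved leaf command against an assumed allowlist and a few dangerous patterns, and reports paths a hook depends on that the tarball's `files` allowlist would not ship. SAMPLE_PKG is a constructed manifest that mirrors the facts the review reports; the exact prisma flag, the `files` field, the allowlist contents, and the DANGEROUS patterns are assumptions made for the example.

```javascript
// Added example: hypothetical lifecycle-script auditor (not yuow's or lpm-firewall-ai's code).

// Hooks npm runs when a dependency is installed from the registry tarball.
const REGISTRY_INSTALL_HOOKS = new Set(["preinstall", "install", "postinstall"]);
// Hooks that run only for `npm install` in a source checkout or for a git dependency.
const SOURCE_ONLY_HOOKS = new Set(["prepare", "prepublishOnly", "prepack", "postpack"]);
// Assumed allowlist of leaf binaries a reviewer accepts without reading further.
const ALLOWLISTED_BINARIES = new Set(["node-gyp", "husky"]);
// Assumed patterns that warrant a block rather than a manual review.
const DANGEROUS = [/\b(curl|wget)\b/, /\|\s*(sh|bash)\b/, /\bnode\s+-e\b/, /\beval\b/, /\bchmod\b/];

// Expand one shell command string into the leaf commands it eventually runs,
// following `npm run X` / `npm run-script X` into package.json scripts.
// `seen` guards against self-referential script chains.
function resolveCommand(cmd, scripts, seen = new Set()) {
  const leaves = [];
  for (const seg of cmd.split(/&&|\|\||;/).map((s) => s.trim()).filter(Boolean)) {
    const m = /^npm\s+(?:run|run-script)\s+(\S+)/.exec(seg);
    if (m && scripts[m[1]] !== undefined) {
      if (seen.has(m[1])) { leaves.push(`<cycle:${m[1]}>`); continue; }
      leaves.push(...resolveCommand(scripts[m[1]], scripts, new Set([...seen, m[1]])));
    } else {
      leaves.push(seg);
    }
  }
  return leaves;
}

// Classify a single resolved leaf command.
function verdictFor(leaf) {
  if (leaf.startsWith("<cycle:")) return "review";
  if (DANGEROUS.some((re) => re.test(leaf))) return "danger";
  const bin = leaf.split(/\s+/)[0];
  return ALLOWLISTED_BINARIES.has(bin) ? "allowlisted" : "review";
}

// Path-like arguments the leaf command needs that the `files` allowlist would not
// publish, i.e. a hook that fails or behaves differently for consumers (packaging-fragile).
function unshippedPaths(leaf, files) {
  if (files.length === 0) return []; // no `files` field: npm ships the whole tree
  const dirs = files.map((f) => f.replace(/\/?$/, "/"));
  return leaf
    .split(/\s+/)
    .filter((t) => t.includes("/") && !t.startsWith("-") && !t.includes("://"))
    .filter((p) => !files.includes(p) && !dirs.some((d) => p.startsWith(d)));
}

// Audit every lifecycle hook in a parsed package.json and return one finding per hook.
function auditLifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  const files = pkg.files || [];
  const rank = { allowlisted: 0, review: 1, danger: 2 };
  const findings = [];
  for (const [hook, cmd] of Object.entries(scripts)) {
    const onRegistryInstall = REGISTRY_INSTALL_HOOKS.has(hook);
    if (!onRegistryInstall && !SOURCE_ONLY_HOOKS.has(hook)) continue;
    const leaves = resolveCommand(cmd, scripts, new Set([hook]));
    const verdict = leaves.map(verdictFor).reduce((a, b) => (rank[b] > rank[a] ? b : a), "allowlisted");
    findings.push({
      hook,
      onRegistryInstall,
      resolved: leaves,
      verdict,
      unshipped: leaves.flatMap((l) => unshippedPaths(l, files)),
    });
  }
  return findings;
}

// Constructed manifest mirroring what the review reports for yuow:
// postinstall -> npm run prisma:generate -> prisma generate against
// tests/.config/prisma/schema.prisma; prepare -> husky install.
// The prisma flag and the `files` field are assumptions for this example.
const SAMPLE_PKG = {
  name: "yuow",
  scripts: {
    postinstall: "npm run prisma:generate",
    "prisma:generate": "prisma generate --schema tests/.config/prisma/schema.prisma",
    prepare: "husky install",
    build: "tsc -p .",
  },
  files: ["dist"],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLifecycleScripts(SAMPLE_PKG)) console.log(JSON.stringify(f));
}

module.exports = { auditLifecycleScripts, resolveCommand, verdictFor, unshippedPaths, SAMPLE_PKG };
```

Run it with `node audit.js` against a package.json you have fetched (for a published package, `npm view <name> scripts` prints the scripts field without installing anything). For the constructed manifest the postinstall hook resolves to the prisma command, lands at "review" because prisma is not on the assumed allowlist, and is reported as depending on a path under tests/ that a `files: ["dist"]` tarball would not contain; prepare resolves to husky but is marked as not firing on a registry install. While a flagged hook is under review, `npm install --ignore-scripts` installs the package without running any lifecycle script.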

Findings

1 High, 1 Medium, 2 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Low: Non Install Lifecycle Scripts
Low: Scripts Present