First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
2
Score
92/100
Findings (2)
Detects patterns that check for tool existence and install if missing
If not installed: `npm installReplace conditional download-and-install logic with explicit dependency declarations in a manifest file (package.json, requirements.txt). Verify checksums for any runtime downloads.
Likely FP if the conditional install is documentation showing standard prerequisite checks (e.g., checking if a tool is installed before installing it).
Detects global installation of packages which affects the host system
npm install -g fReplace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.
Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.