Rule Reference

SEC457lintai-ai-securitystablemarkdownwarn

AI markdown: js package strict-ssl false

AI-native markdown disables strict SSL verification for JavaScript package manager config

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership

skillsmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native markdown for JavaScript package-manager config commands that explicitly disable strict SSL verification.

Deterministic signal basis

MarkdownSignals exact `npm config set`, `pnpm config set`, or `yarn config set` token analysis with `strict-ssl false` or `strict-ssl=false` detection inside parsed markdown regions.

Malicious corpus

skill-js-package-strict-ssl-false

Benign corpus

skill-js-package-strict-ssl-true-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC352AI markdown: unscoped Bash tool grantAI-native markdown frontmatter grants unscoped Bash tool accessmarkdownstable

SEC417AI markdown: unpinned pip git installAI-native markdown installs Python packages from an unpinned `git+https://` sourcemarkdownstable

SEC428AI markdown: unsafe Read path grantAI-native markdown frontmatter grants `Read(...)` over an unsafe repo-external pathmarkdownstable

SEC429AI markdown: unsafe Write path grantAI-native markdown frontmatter grants `Write(...)` over an unsafe repo-external pathmarkdownstable

SEC430AI markdown: unsafe Edit path grantAI-native markdown frontmatter grants `Edit(...)` over an unsafe repo-external pathmarkdownstable

SEC431AI markdown: unsafe Glob path grantAI-native markdown frontmatter grants `Glob(...)` over an unsafe repo-external pathmarkdownstable

SEC457 / MD-JS-PACKAGE-STRICT-SSL-FALSE

SEC457 flags AI-native markdown when an npm config set, pnpm config set, or yarn config set command disables strict SSL verification with strict-ssl false or strict-ssl=false.

Why It Matters

Disabling strict SSL verification removes normal certificate checks for package-manager network traffic. In shared AI-native instructions, that turns a TLS-bypass into copy-pastable setup guidance.

What Triggers It

AI-native markdown surface
the same parsed markdown region contains:
- npm config set
- pnpm config set
- or yarn config set
the same region also contains:
- strict-ssl false
- or strict-ssl=false

The finding points to the strict-ssl false token.

What Does Not Trigger It

strict-ssl true
unrelated prose that mentions SSL without a matching package-manager config command

Example

Bad:

bash

npm config set strict-ssl false

Better:

bash

npm config set strict-ssl true

Remediation

Remove the strict-ssl disable and keep normal certificate verification enabled for package-manager config.

AI markdown: js package strict-ssl false

Preset Membership

Stable Lifecycle Contract

Related Rules

SEC457 / MD-JS-PACKAGE-STRICT-SSL-FALSE ​

Why It Matters ​

What Triggers It ​

What Does Not Trigger It ​

Example ​