# chai@4.5.0 — Threat Briefing

Low risk — threat briefing for npm package chai@4.5.0. Capabilities, risk paths, and what to check.

- **Ecosystem:** npm
- **Latest version:** 6.2.2
- **License:** MIT

## Risk

- **Level:** low
- **Summary:** No risky changes detected

## Capability Summary

| Capability | Level |
|---|---|
| install scripts | none |
| network access | none |
| filesystem | none |
| shell execution | none |

## Capabilities

### Other

- No dependency lockfile (unpinned installs) [common]
- Credential-shaped environment variable read [common]
- package.json uses conditional exports (runtime entry point varies) [common]
- Manifest version disagrees with bundled artifact [common]

### Environment

- Environment variable access [common]

## Key Signals

- ****

## Trust Signals

### Code Safety

- No obfuscated or encoded payloads
- No dynamic code execution
- No network activity during install

## Maintainer