Package evidence

@0x/[email protected]

Remote Dependency Spec: devDependencies.gitpkg="https://github.com/0xProject/gitpkg.git"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 113Mature · −50% score
First published: Oct 2018
Publisher: dorothy-zbornak

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@0x/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@0x/[email protected]"],"fail_on":"review"}'

Publisherdorothy-zbornak

Artifact bytes27,967

Previous version8.1.16

Published2022-03-31T15:09:38.016Z

SHA-25608989ae60fbcb63ed3e9ba97f54d83ea196d5d009b05fff1dd8cc4435cdb62be

Why flagged

What the scanner saw

Remote Dependency Spec: devDependencies.gitpkg="https://github.com/0xProject/gitpkg.git"

1 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

9h agoLast checked

reviewRisk

2Score

8.1.17Version

Status history (1 event)

new → available9h ago · risk review · score 2 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Dependency Spec	package.json	devDependencies.gitpkg="https://github.com/0xProject/gitpkg.git"	8

Remote payloads

Followed remote artifacts

Source	URL	Risk	Score	Summary
devDependencies.gitpkg	https://github.com/0xProject/gitpkg.git	error	0	invalid gzip header

Manifest

Package metadata

Scripts23

buildtsc -b
build:ciyarn build
build:snapshotrm -rf ${npm_package_config_snapshot_name} && yarn migrate:v2:snapshot && zip -r "${npm_package_config_snapshot_name}-${npm_package_version}.zip" ${npm_package_config_snapshot_name}
build:snapshot:dockerdocker build --tag ${npm_package_config_docker_snapshot_name}:${npm_package_version} --tag ${npm_package_config_docker_snapshot_name}:latest .
cleanshx rm -rf lib ${npm_package_config_snapshot_name} ${npm_package_config_snapshot_name}-*.zip
diff_docsgit diff --exit-code ./docs
docs:jsontypedoc --excludePrivate --excludeExternals --excludeProtected --ignoreCompilerErrors --target ES5 --tsconfig typedoc-tsconfig.json --json $JSON_FILE_PATH $PROJECT_FILES
docs:mdts-doc-gen --sourceDir='$PROJECT_FILES' --output=$MD_FILE_DIR --fileExtension=mdx --tsconfig=./typedoc-tsconfig.json
fixtslint --fix --format stylish --project .
linttslint --format stylish --project . && yarn prettier
migrate:v2run-s build script:migrate:v2
migrate:v2:snapshotrun-s build script:migrate:v2:snapshot
prettierprettier --check 'src/**/*.{ts,tsx,json}' --config ../../.prettierrc
publish:privateyarn build && gitpkg publish
publish:snapshotaws s3 cp ${npm_package_config_snapshot_name}-${npm_package_version}.zip ${npm_package_config_s3_snapshot_bucket} && aws s3 cp ${npm_package_config_s3_snapshot_bucket}/${npm_package_config_snapshot_name}-${npm_package_version}.zip ${npm_package_config_s3_snapshot_bucket}/${npm_package_config_snapshot_name}-latest.zip
publish:snapshot:dockerdocker push ${npm_package_config_docker_snapshot_name}:latest && docker push ${npm_package_config_docker_snapshot_name}:${npm_package_version}
run_mochamocha --require source-map-support/register --require make-promises-safe lib/test/**/*_test.js --bail --timeout 30000 --exit
s3:sync_md_docsaws s3 sync ./docs s3://docs-markdown/${npm_package_name}/v${npm_package_version} --profile 0xproject --region us-east-1 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
script:migrate:v2node ./lib/src/migrate.js
script:migrate:v2:snapshotnode ./lib/src/migrate_snapshot.js
testyarn run_mocha
test:circleciyarn test
test_contract_configsnode ./lib/test_contract_configs.js

Dependencies26

@0x/base-contract^6.5.0
@0x/contract-addresses^6.12.1
@0x/contracts-asset-proxy^3.7.19
@0x/contracts-coordinator^3.1.38
@0x/contracts-dev-utils^1.3.36
@0x/contracts-erc1155^2.1.37
@0x/contracts-erc20^3.3.28
@0x/contracts-erc721^3.1.37
@0x/contracts-exchange^3.2.38
@0x/contracts-exchange-forwarder^4.2.38
@0x/contracts-extensions^6.2.32
@0x/contracts-multisig^4.1.38
@0x/contracts-staking^2.0.45
@0x/contracts-utils^4.8.9
@0x/contracts-zero-ex^0.31.2
@0x/sol-compiler^4.8.1
@0x/subproviders^6.6.5
@0x/typescript-typings^5.3.1
@0x/utils^6.5.3
@0x/web3-wrapper^7.6.5
@ledgerhq/hw-app-eth^4.3.0
@types/web3-provider-engine^14.0.0
ethereum-types^3.7.0
ethereumjs-util^7.1.0
ethers~4.0.4
lodash^4.17.11

Optional dependencies1

@ledgerhq/hw-transport-node-hid^4.3.0