Package evidence
@0x/[email protected]
Remote Dependency Spec: dependencies.publish-release="https://github.com/0xProject/publish-release.git#3f8be1105a356527f4b362ff456d94bf9a82f2ed"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 29Mature · −50% score
- First published
- Oct 2020
- Publisher
- dorothy-zbornak
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@0x/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@0x/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Remote Dependency Spec: dependencies.publish-release="https://github.com/0xProject/publish-release.git#3f8be1105a356527f4b362ff456d94bf9a82f2ed"
1 remote tarball(s) were followed statically.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 16 · status changed
Evidence
Static findings
3 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Remote Dependency Spec | package.json | dependencies.publish-release="https://github.com/0xProject/publish-release.git#3f8be1105a356527f4b362ff456d94bf9a82f2ed" | 12 |
| medium | Credential file access | package/lib/test_installation.js | matched ".npmrc" | 10 |
| medium | Credential file access | package/src/test_installation.ts | matched ".npmrc" | 10 |
Remote payloads
Followed remote artifacts
| Source | URL | Risk | Score | Summary |
|---|---|---|---|---|
| dependencies.publish-release | https://github.com/0xProject/publish-release.git#3f8be1105a356527f4b362ff456d94bf9a82f2ed | error | 0 | invalid gzip header |
Manifest
Package metadata
Scripts13
buildtsc -bbuild:ciyarn buildcleanshx rm -rf libfind_unused_depsrun-s build script:find_unused_depsfixtslint --fix --format stylish --project .linttslint --format stylish --project .script:deps_versionsnode ./lib/deps_versions.jsscript:doc_generatenode ./lib/doc_generate.jsscript:find_unused_depsnode ./lib/find_unused_dependencies.jsscript:prepublish_checksnode ./lib/prepublish_checks.jsscript:publishIS_DRY_RUN=true node ./lib/publish.jsscript:publish_release_notesnode ./lib/publish_release_notes.jstest:publishrun-s build script:publish
Dependencies22
@0x/types^3.3.6@0x/utils^6.5.3@lerna/batch-packages^3.0.0-beta.18@types/depcheck^0.6.0@types/node12.12.54async-child-process^1.1.1chalk^2.3.0es6-promisify^5.0.0glob^7.1.2isomorphic-fetch2.2.1lodash^4.17.11mkdirp^0.5.1moment2.21.0promisify-child-process^1.0.5prompt^1.0.0publish-releasehttps://github.com/0xProject/publish-release.git#3f8be1105a356527f4b362ff456d94bf9a82f2edrimraf^2.6.2semver5.5.0semver-diff^2.1.0semver-sort0.0.4typedoc~0.16.11yargs^10.0.3