PkgRadar

Package evidence

@0x/[email protected]

Install Lifecycle Remote Or Exec: postinstall="node -e \"try{ fs.unlinkSync(path.resolve(path.dirname(require.resolve('ganache-core')), './typings/index.d.ts')) } catch (err) {}\""

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 3,792 (Niche · −30% score)
Versions published: 79 (Mature · −50% score)
First published: Oct 2018
Publisher: dorothy-zbornak

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@0x/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@0x/[email protected]"],"fail_on":"high"}'

Artifact bytes: 47,741
Previous version: 6.6.4
Published: 2022-03-16T07:23:52.697Z
SHA-256: 7d80dd966c86e30e7bccdba522f229b2aaaeff21d9921bf59f5e29296059282f

Why flagged

What the scanner saw

Install Lifecycle Remote Or Exec: postinstall="node -e \"try{ fs.unlinkSync(path.resolve(path.dirname(require.resolve('ganache-core')), './typings/index.d.ts')) } catch (err) {}\""

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
Risk: high
Score: 17
Version: 6.6.5
Status history (1 event)
  1. new → available · risk high · score 17 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity | Kind | Path | Detail | Points
high | Install Lifecycle Remote Or Exec | package.json | postinstall="node -e \"try{ fs.unlinkSync(path.resolve(path.dirname(require.resolve('ganache-core')), './typings/index.d.ts')) } catch (err) {}\"" | 30
low | Install-time lifecycle script | package.json | postinstall="node -e \"try{ fs.unlinkSync(path.resolve(path.dirname(require.resolve('ganache-core')), './typings/index.d.ts')) } catch (err) {}\"" | 5

Manifest

Package metadata

Scripts (19)
  • build: tsc -b
  • build:ci: yarn build
  • clean: shx rm -rf lib generated_docs
  • coverage:report:lcov: nyc report --reporter=text-lcov > coverage/lcov.info
  • diff_docs: git diff --exit-code ./docs
  • docs:json: typedoc --excludePrivate --excludeExternals --excludeProtected --ignoreCompilerErrors --target ES5 --tsconfig typedoc-tsconfig.json --json $JSON_FILE_PATH $PROJECT_FILES
  • docs:md: ts-doc-gen --sourceDir='$PROJECT_FILES' --output=$MD_FILE_DIR --fileExtension=mdx --tsconfig=./typedoc-tsconfig.json
  • fix: tslint --fix --format stylish --project .
  • lint: tslint --format stylish --project .
  • postinstall: node -e "try{ fs.unlinkSync(path.resolve(path.dirname(require.resolve('ganache-core')), './typings/index.d.ts')) } catch (err) {}"
  • run_mocha_integration: mocha --require source-map-support/register --require make-promises-safe lib/test/integration/**/*_test.js --timeout 10000 --bail --exit
  • run_mocha_unit: mocha --require source-map-support/register --require make-promises-safe lib/test/unit/**/*_test.js --timeout 10000 --bail --exit
  • s3:sync_md_docs: aws s3 sync ./docs s3://docs-markdown/${npm_package_name}/v${npm_package_version} --profile 0xproject --region us-east-1 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
  • test: npm run test:unit
  • test:all: run-s test:unit test:integration
  • test:circleci: npm run test:unit:coverage
  • test:integration: run-s clean build run_mocha_integration
  • test:unit: run-s clean build run_mocha_unit
  • test:unit:coverage: nyc npm run test:unit --all && yarn coverage:report:lcov
Dependencies (22)
  • @0x/assert ^3.0.34
  • @0x/types ^3.3.6
  • @0x/typescript-typings ^5.3.1
  • @0x/utils ^6.5.3
  • @0x/web3-wrapper ^7.6.5
  • @ethereumjs/common ^2.4.0
  • @ethereumjs/tx ^3.3.0
  • @ledgerhq/hw-app-eth ^4.3.0
  • @ledgerhq/hw-transport-u2f 4.24.0
  • @types/hdkey ^0.7.0
  • @types/node 12.12.54
  • @types/web3-provider-engine ^14.0.0
  • bip39 ^2.5.0
  • bn.js ^4.11.8
  • ethereum-types ^3.7.0
  • ethereumjs-util ^7.1.0
  • ganache-core ^2.13.2
  • hdkey ^0.7.1
  • json-rpc-error 2.0.0
  • lodash ^4.17.11
  • semaphore-async-await ^1.5.1
  • web3-provider-engine 14.0.6
Optional dependencies (1)
  • @ledgerhq/hw-transport-node-hid ^4.3.0