Package evidence
@across-protocol/[email protected]
Install-time lifecycle script: postinstall="node scripts/build-bigint-buffer.js"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 2,922Niche · −30% score
- Versions published
- 509Mature · −50% score
- First published
- May 2024
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@across-protocol/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@across-protocol/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
New Lifecycle Script Vs Previous: postinstall added in 4.4.0-alpha.1 vs 4.3.165: "node scripts/build-bigint-buffer.js"
1 candidate cluster(s) currently reference this release.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 45 · status changed
Related candidates
Linked campaigns and clusters
GitHub Actions
239 members · evidence strength 84GitHub Actions
239 members · max score 283Evidence
Static findings
1 static · 1 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Lifecycle Script Vs Previous | package.json | postinstall added in 4.4.0-alpha.1 vs 4.3.165: "node scripts/build-bigint-buffer.js" | 40 |
Show all 2 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Lifecycle Script Vs Previous | package.json | postinstall added in 4.4.0-alpha.1 vs 4.3.165: "node scripts/build-bigint-buffer.js" | 40 |
| low | Install-time lifecycle script | package.json | postinstall="node scripts/build-bigint-buffer.js" | 5 |
Manifest
Package metadata
Scripts27
analyzesize-limit --whybuildyarn run clean && yarn typechain && yarn generate-svm-artifacts && yarn devbuild-bigint-buffernode scripts/build-bigint-buffer.jsbuild:cjstsc --project tsconfig.build.json --module commonjs --outDir ./dist/cjs --removeComments --verbatimModuleSyntax false && echo > ./dist/cjs/package.json '{"type":"commonjs"}' && yarn export-svm-idl:cjsbuild:esmtsc --project tsconfig.build.json --module es2015 --outDir ./dist/esm && echo > ./dist/esm/package.json '{"type":"module","sideEffects":false}' && yarn export-svm-idl:esmbuild:typestsc --project tsconfig.build.json --module esnext --declarationDir ./dist/types --emitDeclarationOnly --declaration --declarationMapbump-version:majoryarn version --major --no-git-tag-version --no-commit-hooks && git commit -m 'chore: bump version' ./package.json --no-verifybump-version:minoryarn version --minor --no-git-tag-version --no-commit-hooks && git commit -m 'chore: bump version' ./package.json --no-verifybump-version:patchyarn version --patch --no-git-tag-version --no-commit-hooks && git commit -m 'chore: bump version' ./package.json --no-verifycleanrm -rf ./distdevconcurrently --kill-others-on-fail --names 'cjs,esm,types' --prefix-colors 'blue,magenta,green' 'yarn run build:cjs' 'yarn run build:esm' 'yarn run build:types'export-svm-idl:cjscp src/svm/assets/idl/*.json dist/cjs/src/svm/assets/idl/export-svm-idl:esmcp src/svm/assets/idl/*.json dist/esm/src/svm/assets/idl/generate-svm-artifactsbash scripts/svm/generateSvmAssets.sh && yarn generate-svm-clientsgenerate-svm-clientsts-node scripts/svm/generateSvmClients.ts && ts-node scripts/svm/renameClientsImports.tslinteslint --fix src test e2e && yarn prettier --write "src/**/*.ts" "test/**/*.ts" "e2e/**/*.ts"lint-checkeslint src test e2e && yarn prettier --check "src/**/*.ts" "test/**/*.ts" "e2e/**/*.ts"postinstallnode scripts/build-bigint-buffer.jsprepareyarn build && husky installsizesize-limitstage-artifactsnode scripts/stage-typechain-artifacts.jsstartyarn typechain && nodemon -e ts,tsx,json,js,jsx --watch ./src --ignore ./dist --exec 'yarn dev'testhardhat testtest:run:arweavenpx -y arlocaltest:watchhardhat watch testtypechainyarn stage-artifacts && typechain --target ethers-v5 --out-dir src/utils/abi/typechain 'src/utils/abi/contracts/*.json'yalc:watchnodemon --watch src --ext ts,tsx,json,js,jsx --ignore src/utils/abi/ --exec 'yalc publish --push --changed'
Dependencies34
@across-protocol/constants^3.1.100@across-protocol/contracts5.0.4@coral-xyz/anchor^0.30.1@coral-xyz/borsh^0.30.1@eth-optimism/sdk^3.3.1@ethersproject/bignumber^5.7.0@nktkas/hyperliquid^0.25.9@pinata/sdk^2.1.0@solana-program/address-lookup-table^0.10.0@solana-program/compute-budget^0.11.0@solana-program/system^0.10.0@solana-program/token^0.9.0@solana-program/token-2022^0.6.1@solana/kit^5.4.0@solana/spl-token^0.4.14@solana/sysvars^5.4.0@solana/web3.js^1.98.2@uma/contracts-node^0.4.0arweave^1.14.4async^3.2.5axios^0.27.2borsh^2.0.0bs58^6.0.0buffer-layout^1.2.2decimal.js^10.3.1ethers^5.7.2lodash^4.17.23lodash.get^4.4.2node-gyp^11.0.0superstruct^0.15.4- …and 4 more.