Package evidence

@ag-bash/[email protected]

Install-time lifecycle script: postinstall="node scripts/setup-vendor.js"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 453
Versions published: 12
First published: Apr 2026
Publisher: sairamugge-0000

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@ag-bash/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@ag-bash/[email protected]"],"fail_on":"review"}'

Publishersairamugge-0000

Artifact bytes5,529,455

Previous version6.0.0

Published2026-05-31T11:04:00.753Z

SHA-25670415de8d9e335a04002bc432b023b5c330279799491b50b7f54bde7b56789ce

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="node scripts/setup-vendor.js"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

13d agoLast checked

reviewRisk

5Score

6.0.1Version

Status history (1 event)

new → available13d ago · risk review · score 5 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 6 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Install-time lifecycle script	package.json	postinstall="node scripts/setup-vendor.js"	5
low	Large Javascript Payload	package/dist/bundle/index.cjs	2376053 bytes	0
low	Obfuscation Density	package/dist/bin/ag-bash.js	high encoded/escaped-token density	0
low	Large Javascript Payload	package/dist/bundle/browser.js	2358648 bytes	0
low	Obfuscation Density	package/dist/bundle/index.js	high encoded/escaped-token density	0
low	Obfuscation Density	package/dist/bin/shell/shell.js	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts38

benchvitest bench --run --config vitest.bench.config.ts
bench:checkpnpm bench:ci && node scripts/bench-check.js
bench:civitest bench --run --config vitest.bench.config.ts --outputJson bench-results.json
bench:updatepnpm bench:ci && node scripts/bench-check.js --update
buildecho 'Build started' && rm -rf dist && tsc && mkdir -p dist/parser/vendor && cp src/parser/vendor/* dist/parser/vendor/ && mkdir -p dist/commands/ag-convert && cp src/commands/ag-convert/*.py dist/commands/ag-convert/ && pnpm build:lib && pnpm build:lib:cjs && pnpm build:browser && pnpm build:browser-core && pnpm build:cli && pnpm build:shell && pnpm build:worker && mkdir -p dist/bundle/chunks && cp src/parser/vendor/*.wasm dist/bundle/ && cp src/parser/vendor/*.wasm dist/bundle/chunks/ && pnpm build:clean && cp dist/index.d.ts dist/index.d.cts && sed '1,/^-->/d' AGENTS.npm.md > dist/AGENTS.md && chmod +x dist/bin/ag-bash.js dist/bin/shell/shell.js
build:browseresbuild dist/browser.js --bundle --platform=browser --format=esm --minify --outfile=dist/bundle/browser.js --external:diff --external:minimatch --external:sprintf-js --external:turndown --define:__BROWSER__=true --alias:node:dns=./src/shims/browser-dns.ts --alias:node:events=./src/shims/events.cjs --alias:events=./src/shims/events.cjs --alias:node:zlib=./src/shims/null.cjs --alias:zlib=./src/shims/null.cjs --alias:node:fs=./src/shims/null.cjs --alias:node:path=./src/shims/null.cjs --alias:node:os=./src/shims/null.cjs --alias:node:crypto=./src/shims/null.cjs --alias:node:url=./src/shims/null.cjs --alias:node:worker_threads=./src/shims/null.cjs --alias:node:async_hooks=./src/shims/null.cjs --alias:node:child_process=./src/shims/null.cjs --alias:node:readline=./src/shims/null.cjs --alias:node:stream=./src/shims/null.cjs --alias:node:util=./src/shims/null.cjs --alias:fs=./src/shims/null.cjs --alias:fs/promises=./src/shims/null.cjs --alias:node:fs/promises=./src/shims/null.cjs --alias:path=./src/shims/null.cjs --alias:os=./src/shims/null.cjs --alias:crypto=./src/shims/null.cjs --alias:url=./src/shims/null.cjs --alias:worker_threads=./src/shims/null.cjs --alias:async_hooks=./src/shims/null.cjs --alias:child_process=./src/shims/null.cjs --alias:readline=./src/shims/null.cjs --alias:stream=./src/shims/null.cjs --alias:util=./src/shims/null.cjs --alias:module=./src/shims/null.cjs --alias:node:module=./src/shims/null.cjs --alias:node-liblzma=./src/shims/null.cjs --alias:@mongodb-js/zstd=./src/shims/null.cjs --alias:seek-bzip=./src/shims/null.cjs --log-override:direct-eval=silent
build:browser-coreesbuild dist/browser-core.js --bundle --platform=browser --format=esm --minify --outfile=dist/bundle/browser-core.js --external:isomorphic-git --external:fast-xml-parser --external:modern-tar --external:papaparse --external:@aspect/tar --external:yaml --external:diff --external:minimatch --external:sprintf-js --external:turndown --define:__BROWSER__=true --alias:node:dns=./src/shims/browser-dns.ts --alias:node:events=./src/shims/events.cjs --alias:events=./src/shims/events.cjs --alias:node:zlib=./src/shims/null.cjs --alias:zlib=./src/shims/null.cjs --alias:node:fs=./src/shims/null.cjs --alias:node:path=./src/shims/null.cjs --alias:node:os=./src/shims/null.cjs --alias:node:crypto=./src/shims/null.cjs --alias:node:url=./src/shims/null.cjs --alias:node:worker_threads=./src/shims/null.cjs --alias:node:async_hooks=./src/shims/null.cjs --alias:node:child_process=./src/shims/null.cjs --alias:node:readline=./src/shims/null.cjs --alias:node:stream=./src/shims/null.cjs --alias:node:util=./src/shims/null.cjs --alias:fs=./src/shims/null.cjs --alias:fs/promises=./src/shims/null.cjs --alias:node:fs/promises=./src/shims/null.cjs --alias:path=./src/shims/null.cjs --alias:os=./src/shims/null.cjs --alias:crypto=./src/shims/null.cjs --alias:url=./src/shims/null.cjs --alias:worker_threads=./src/shims/null.cjs --alias:async_hooks=./src/shims/null.cjs --alias:child_process=./src/shims/null.cjs --alias:readline=./src/shims/null.cjs --alias:stream=./src/shims/null.cjs --alias:util=./src/shims/null.cjs --alias:module=./src/shims/null.cjs --alias:node:module=./src/shims/null.cjs --alias:node-liblzma=./src/shims/null.cjs --alias:@mongodb-js/zstd=./src/shims/null.cjs --alias:seek-bzip=./src/shims/null.cjs --log-override:direct-eval=silent
build:cleanfind dist -name '*.test.js' -delete && find dist -name '*.test.d.ts' -delete
build:cliesbuild dist/cli/ag-bash.js --bundle --splitting --platform=node --format=esm --minify --outdir=dist/bin --entry-names=[name] --chunk-names=chunks/[name]-[hash] --banner:js='#!/usr/bin/env node' --external:sql.js --external:quickjs-emscripten --external:@mongodb-js/zstd --external:node-liblzma --external:seek-bzip --log-override:direct-eval=silent
build:libesbuild dist/index.js --bundle --splitting --platform=node --format=esm --minify --outdir=dist/bundle --chunk-names=chunks/[name]-[hash] --external:diff --external:minimatch --external:sprintf-js --external:turndown --external:sql.js --external:quickjs-emscripten --external:@mongodb-js/zstd --external:node-liblzma --external:seek-bzip --log-override:direct-eval=silent
build:lib:cjsesbuild dist/index.js --bundle --platform=node --format=cjs --minify --outfile=dist/bundle/index.cjs --define:import.meta.url='""' --external:diff --external:minimatch --external:sprintf-js --external:turndown --external:sql.js --external:quickjs-emscripten --external:@mongodb-js/zstd --external:node-liblzma --external:seek-bzip --log-override:empty-import-meta=silent
build:shellesbuild dist/cli/shell.js --bundle --splitting --platform=node --format=esm --minify --outdir=dist/bin/shell --entry-names=[name] --chunk-names=chunks/[name]-[hash] --banner:js='#!/usr/bin/env node' --external:sql.js --external:quickjs-emscripten --external:@mongodb-js/zstd --external:node-liblzma --external:seek-bzip --log-override:direct-eval=silent
build:workeresbuild src/commands/python3/worker.ts --bundle --platform=node --format=esm --outfile=dist/commands/python3/worker.js --external:../../../vendor/cpython-emscripten/* && mkdir -p dist/bin/chunks && cp dist/commands/python3/worker.js dist/bin/chunks/python-worker.js && mkdir -p dist/bundle/chunks && cp dist/commands/python3/worker.js dist/bundle/chunks/python-worker.js && esbuild src/commands/js-exec/worker.ts --bundle --platform=node --format=esm --outfile=dist/commands/js-exec/worker.js --external:quickjs-emscripten && cp dist/commands/js-exec/worker.js dist/bin/chunks/js-worker.js && cp dist/commands/js-exec/worker.js dist/bundle/chunks/js-worker.js && esbuild src/commands/sqlite3/worker.ts --bundle --platform=node --format=esm --outfile=dist/commands/sqlite3/worker.js --external:sql.js && cp dist/commands/sqlite3/worker.js dist/bin/chunks/sqlite-worker.js && cp dist/commands/sqlite3/worker.js dist/bundle/chunks/sqlite-worker.js
check:worker-syncnode ../../scripts/check-worker-sync.js
dev:execnpx tsx src/cli/exec.ts
knipknip --config ../../knip.json
lintbiome check . && pnpm lint:banned
lint:bannednode ../../scripts/check-banned-patterns.js
lint:fixbiome check --write .
postinstallnode scripts/setup-vendor.js
shellnpx tsx src/cli/shell.ts
testvitest
test:comparisonvitest run --config ../../vitest.comparison.config.ts
test:comparison:recordRECORD_FIXTURES=1 vitest run --config ../../vitest.comparison.config.ts
test:coveragevitest run --coverage
test:coverage:unitvitest run --config ../../vitest.unit.config.ts --coverage
test:distvitest run --testTimeout=120000 src/cli/ag-bash.bundle.test.ts src/commands/tar/tar.bundle.test.ts
test:e2evitest run --testTimeout=600000 --hookTimeout=600000 src/cli/ag-bash.v-next.e2e.test.ts src/cli/ag-bash.test.ts
test:examplescd ../../examples/cjs-consumer && pnpm install --no-frozen-lockfile && npx tsc --noEmit
test:fuzzvitest run src/security/fuzzing/
…and 8 more.

Dependencies19

diff^8.0.2
fast-xml-parser^5.3.3
file-type^21.2.0
ini^6.0.0
isomorphic-git^1.25.10
minimatch^10.1.1
modern-tar^0.7.3
papaparse^5.5.3
quickjs-emscripten^0.32.0
re2js^1.2.1
seek-bzip^2.0.0
smol-toml^1.6.0
sprintf-js^1.1.3
sql.js^1.13.0
tree-sitter-bash^0.25.1
turndown^7.2.2
web-tree-sitter^0.26.8
yaml^2.8.2
zod^4.3.6

Optional dependencies2

@mongodb-js/zstd^7.0.0
node-liblzma^2.0.3