PkgRadar

Package evidence

@ai-of-mine/[email protected]

Install Lifecycle Suppresses Failure: preinstall="npm run build:grammars || true"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
3,252Niche · −30% score
Versions published
24Established · −30% score
First published
Oct 2025
Publisher
user-ai-of-mine

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@ai-of-mine/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@ai-of-mine/[email protected]"],"fail_on":"high"}'
Publisheruser-ai-of-mine
Artifact bytes339,740
Previous version1.2.3
Published2026-05-27T04:14:58.713Z
SHA-2566018f91602d0ecec646c7f1490aa28df4627f571581bbf85b90542f0753c86db

Why flagged

What the scanner saw

Install Lifecycle Suppresses Failure: preinstall="npm run build:grammars || true"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
35Score
1.3.0-beta.1Version
Status history (2 events)
  1. availableavailable · risk high · score 35 · status available -> available, risk high -> high, score 74 -> 35
  2. newavailable · risk high · score 74 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highInstall Lifecycle Suppresses Failurepackage.jsonpreinstall="npm run build:grammars || true"20
highInstall Lifecycle Suppresses Failurepackage.jsonpostinstall="npm run build || true"20
Show all 6 findings (low-signal and informational)
SeverityKindPathDetailPoints
highInstall Lifecycle Suppresses Failurepackage.jsonpreinstall="npm run build:grammars || true"20
highInstall Lifecycle Suppresses Failurepackage.jsonpostinstall="npm run build || true"20
lowInstall-time lifecycle scriptpackage.jsonpreinstall="npm run build:grammars || true"5
lowInstall-time lifecycle scriptpackage.jsonpostinstall="npm run build || true"5
lowObfuscation Densitypackage/src/generated/jison/classDiagram.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/src/generated/jison/flow.jshigh encoded/escaped-token density0

Manifest

Package metadata

Scripts52
  • auditnpm audit
  • audit:ciaudit-ci --config audit-ci.json
  • audit:fixnpm audit fix
  • buildnpm run build:grammars
  • build:antlrnode scripts/compile-grammars.js --antlr-only
  • build:grammarsnode scripts/compile-grammars.js --jison-only
  • build:jisonnode scripts/compile-grammars.js --jison-only
  • build:langiumnode scripts/compile-grammars.js --langium-only
  • build:mcptsc -p tsconfig.mcp.json
  • build:typesnode scripts/compile-grammars.js --types-only
  • cleannpm run clean:generated && npm run clean:dist && npm run clean:mcp
  • clean:distrm -rf dist build
  • clean:generatedrm -rf src/generated
  • clean:mcprm -rf dist/mcp
  • deps:checknpm-check-updates
  • deps:updatenpm-check-updates -u
  • devnodemon src/server.js
  • dev:mcpnpm run build:mcp && nodemon dist/mcp/server.js
  • dev:mcp-httpnpm run build:mcp && nodemon dist/mcp/server-http.js
  • dev:mcp-securenpm run build:mcp && nodemon dist/mcp/server-secure.js
  • docker:builddocker build -t mermaid-validator-mcp .
  • docker:build:autonpm run version:patch && make docker-build-manual
  • docker:rundocker run -p 8000:8000 mermaid-validator-mcp
  • docsswagger-jsdoc -d docs/swagger.js src/routes/*.js -o docs/swagger.json
  • license:checklicense-checker
  • linteslint src/
  • lint:fixeslint src/ --fix
  • postinstallnpm run build || true
  • prebuildnpm run build:mcp
  • preinstallnpm run build:grammars || true
  • …and 22 more.
Dependencies20
  • @modelcontextprotocol/sdk^1.29.0
  • chevrotain^12.0.0
  • compression^1.8.1
  • cors^2.8.6
  • express^5.2.1
  • express-rate-limit^8.5.2
  • express-validator^7.3.2
  • helmet^8.2.0
  • jison^0.4.18
  • joi^18.2.1
  • langium^4.2.4
  • mime-types^3.0.2
  • morgan^1.10.1
  • multer^2.1.1
  • swagger-jsdoc^6.3.0
  • swagger-ui-express^5.0.1
  • uuid^14.0.0
  • winston^3.19.0
  • yauzl^3.3.1
  • zod^4.4.3