Package evidence
@aleph-alpha/[email protected]
Remote Dependency Spec: devDependencies.vue-tsc="https://pkg.pr.new/vuejs/language-tools/vue-tsc@3fb59af"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 687
- Versions published: 535 (Mature · −50% score)
- First published: Mar 2025
- Publisher: uyiaa
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@aleph-alpha/[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@aleph-alpha/[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Remote Dependency Spec: devDependencies.vue-tsc="https://pkg.pr.new/vuejs/language-tools/vue-tsc@3fb59af"
2 candidate cluster(s) currently reference this release. 1 remote tarball(s) were followed statically.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Related candidates
Linked campaigns and clusters
https://pkg.pr.new/vuejs/language-tools/vue-tsc@3fb59af
2 members · evidence strength 59
7c1633377a9d57b62aec4156c607ac2dfcb6284625badf342fb62ae40c4aa268
2 members · evidence strength 64
https://pkg.pr.new/vuejs/language-tools/vue-tsc@3fb59af
2 members · max score 12
7c1633377a9d57b62aec4156c607ac2dfcb6284625badf342fb62ae40c4aa268
2 members · max score 12
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Remote Dependency Spec | package.json | devDependencies.vue-tsc="https://pkg.pr.new/vuejs/language-tools/vue-tsc@3fb59af" | 8 |
Remote payloads
Followed remote artifacts
| Source | URL | Risk | Score | Summary |
|---|---|---|---|---|
| devDependencies.vue-tsc | https://pkg.pr.new/vuejs/language-tools/vue-tsc@3fb59af | high | 12 | remote_dependency_spec: dependencies.@vue/language-core="https://pkg.pr.new/vuejs/language-tools/@vue/language-core@3fb59af7539c54b0552926a4801d60d307c1bd79" |
Manifest
Package metadata
Scripts (9)
- build: node scripts/prepare-build.cjs && vite build
- ci: pnpm install --immutable --immutable-cache --check-cache
- dev: vite build --watch
- lint: eslint 'src/**/*.{js,vue,ts}' --cache
- publish:local: yalc publish && yalc push --sig
- test: vitest --run
- test:e2e: playwright test
- test:storybook: cd ../.. && nx run ds-components-vue:build-storybook && cd packages/ds-components-vue && pnpm concurrently -k --ks SIGKILL -s command-test -n "storybook,test" "pnpm http-server ../../dist/storybook/ds-components-vue --port 4400 --silent" "wait-on tcp:4400 && test-storybook --url http://127.0.0.1:4400"
- test:storybook:update: cd ../.. && nx run ds-components-vue:build-storybook && cd packages/ds-components-vue && pnpm concurrently -k --ks SIGKILL -s command-test -n "storybook,test" "pnpm http-server ../../dist/storybook/ds-components-vue --port 4400 --silent" "wait-on tcp:4400 && test-storybook --url http://127.0.0.1:4400 --updateSnapshot" && pwd && ./.storybook/update_storybook_tests.sh && yes | pnpm install
Dependencies (2)
- @floating-ui/vue 1.1.9
- date-fns 4.1.0