PkgRadar

Package evidence

@appsignal/[email protected]

Install-time lifecycle script: preinstall="node scripts/extension/prebuild.js"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 14,277 · Mainstream · −50% score
Versions published: 147 · Mature · −50% score
First published: Jan 2020
Publisher: tombruijn

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@appsignal/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@appsignal/[email protected]"],"fail_on":"review"}'

Publisher: tombruijn
Artifact bytes: 179,656
Previous version: 3.7.1
Published: 2025-10-15T08:40:35.915Z
SHA-256: 5f4dafdf74fa9f6372af3bbf23fef70611ed65e240301dadf40b78ea8acd6d6d

Why flagged

What the scanner saw

Install-time lifecycle script: preinstall="node scripts/extension/prebuild.js"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 3
Version: 3.7.2
Status history (1 event)
  1. new · available · risk review · score 3 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
Severity | Kind | Path | Detail | Points
low | Install-time lifecycle script | package.json | preinstall="node scripts/extension/prebuild.js" | 5
low | Install-time lifecycle script | package.json | install="node scripts/extension/extension.js" | 5

Manifest

Package metadata

Scripts (15)
  • build="tsc -p tsconfig.json"
  • build:watch="tsc -p tsconfig.json -w --preserveWatchOutput"
  • clean="rimraf dist coverage build"
  • clean:ext="rimraf ext/appsignal-agent ext/._appsignal-agent ext/._appsignal.h ext/libappsignal.a ext/libappsignal.dylib ext/appsignal.* ext/*.tar.gz ext/*.report build/"
  • install="node scripts/extension/extension.js"
  • link:npm="npm link"
  • link:yarn="yarn link"
  • lint="eslint --max-warnings 0 ."
  • lint:write="eslint --fix ."
  • postclean="npm run clean:ext"
  • preinstall="node scripts/extension/prebuild.js"
  • pretest:failure="npm run clean"
  • test="jest --filter=./test/filter.js"
  • test:failure="_TEST_APPSIGNAL_EXTENSION_FAILURE=true _APPSIGNAL_EXTENSION_INSTALL=true npm run install; _TEST_APPSIGNAL_EXTENSION_FAILURE=true jest --filter=./test/filter.js"
  • test:watch="jest --filter=./test/filter.js --watch"
Dependencies (31)
  • @appsignal/opentelemetry-instrumentation-bullmq >= 0.7.0 < 0.8.0
  • @opentelemetry/api >= 1.9.0 < 1.10.0
  • @opentelemetry/core >= 1.25.0 < 1.31.0
  • @opentelemetry/exporter-metrics-otlp-proto >= 0.52.0 < 0.55.0
  • @opentelemetry/instrumentation-amqplib >= 0.38.0 < 0.43.0
  • @opentelemetry/instrumentation-express >= 0.40.1 < 0.53.0
  • @opentelemetry/instrumentation-fastify >= 0.41.0 < 0.43.0
  • @opentelemetry/instrumentation-graphql >= 0.41.0 < 0.46.0
  • @opentelemetry/instrumentation-http >= 0.52.0 < 0.204.0
  • @opentelemetry/instrumentation-ioredis >= 0.41.0 < 0.46.0
  • @opentelemetry/instrumentation-knex >= 0.37.0 < 0.42.0
  • @opentelemetry/instrumentation-koa >= 0.41.0 < 0.46.0
  • @opentelemetry/instrumentation-mongodb >= 0.45.0 < 0.50.0
  • @opentelemetry/instrumentation-mongoose >= 0.39.0 < 0.44.0
  • @opentelemetry/instrumentation-mysql >= 0.39.0 < 0.44.0
  • @opentelemetry/instrumentation-mysql2 >= 0.45.0 < 0.50.0
  • @opentelemetry/instrumentation-nestjs-core >= 0.38.0 < 0.43.0
  • @opentelemetry/instrumentation-pg >= 0.51.0 < 0.56.0
  • @opentelemetry/instrumentation-redis >= 0.40.0 < 0.45.0
  • @opentelemetry/instrumentation-redis-4 >= 0.40.0 < 0.45.0
  • @opentelemetry/instrumentation-restify >= 0.39.0 < 0.44.0
  • @opentelemetry/instrumentation-undici >= 0.3.0 < 0.7.0
  • @opentelemetry/sdk-metrics >= 1.25.0 < 1.31.0
  • @opentelemetry/sdk-node >= 0.52.0 < 0.57.0
  • @opentelemetry/sdk-trace-base >= 1.25.0 < 1.31.0
  • @prisma/instrumentation >= 6.3.0 < 6.5.0
  • node-addon-api ^8.3.0
  • node-gyp ^11.1.0
  • pino-abstract-transport ^2.0.0
  • tslib ^2.8.0
  • …and 1 more.