Package evidence
@archer-edu/[email protected]
Install-time lifecycle script: postinstall="hugo-installer --version otherDependencies.hugo"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 19Established · −30% score
- First published
- Dec 2021
- Publisher
- jasonwicker
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@archer-edu/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@archer-edu/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Install-time lifecycle script: postinstall="hugo-installer --version otherDependencies.hugo"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 3 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Install-time lifecycle script | package.json | postinstall="hugo-installer --version otherDependencies.hugo" | 5 |
Manifest
Package metadata
Scripts20
buildrun-s build:blog build:tw format build:hugo format:allbuild:blogts-node --esm .build/contentbuild:cirun-s build:tw build:hugo:cibuild:hugobin/hugo/hugo -s ./src --ignoreCache --cleanDestinationDir --forceSyncStatic --environment develop --debugbuild:hugo:cibin/hugo/hugo -s ./src --ignoreCache --cleanDestinationDir --environment ${NAMESPACE}build:imagests-node --esm .build/imagesbuild:twtailwind -c tailwind.config.json --input ./src/assets/css/main.css --output ./src/assets/css/output.cssdocker:builddocker build -t web-{{name}} . --build-arg redirect_status=$REDIRECT_STATUS_CODEdocker:startdocker run -p 3002:80 -d --name web-{{name}} --rm web-{{name}}docker:stopdocker stop web-{{name}}formathtml-validate --ext html --formatter stylish srcformat:allhtml-validate --ext html --formatter stylish .linthtml-validate --ext html srcpostinstallhugo-installer --version otherDependencies.hugoprebuildrm -fR wwwservenpx -y serve -s -C -n --no-port-switching -p 3002 wwwserve:hugobin/hugo/hugo server -s ./srcstartrun-p start:hugo start:twstart:hugobin/hugo/hugo server -s ./src -v --templateMetrics --gc --ignoreCache --cleanDestinationDir --forceSyncStaticstart:twtailwindcss -c tailwind.config.json -i ./src/assets/css/main.css -o ./src/assets/css/output.css --watch
Dependencies1
ejs2.7