Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 8,154Niche · −30% score
- Versions published
- 305Mature · −50% score
- First published
- Jan 2023
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@atproto/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@atproto/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Evidence
Static findings
3 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/mailer/templates/confirm-email.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/mailer/templates/plc-operation.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/mailer/templates/reset-password.js | high encoded/escaped-token density | 12 |
Manifest
Package metadata
Scripts12
buildtsc --build tsconfig.build.jsoncodegenlex build --clear --indexFile --lexicons ../../lexiconsdevnode ./build.templates.cjs --watchmigration:createts-node ./bin/migration-create.tspostbuildnode ./build.templates.cjsprebuildpnpm run codegenpretestpuppeteer browsers install chrometestNODE_OPTIONS=--experimental-vm-modules ../dev-infra/with-test-redis-and-db.sh jesttest:logtail -50 test.log | pino-prettytest:sqliteNODE_OPTIONS=--experimental-vm-modules jesttest:sqlite-onlyNODE_OPTIONS=--experimental-vm-modules jest --testPathIgnorePatterns /tests/proxied/*test:updateSnapshotNODE_OPTIONS=--experimental-vm-modules ../dev-infra/with-test-redis-and-db.sh jest --updateSnapshot
Dependencies44
@atproto-labs/fetch-node^0.3.0@atproto-labs/simple-store^0.4.0@atproto-labs/simple-store-memory^0.2.0@atproto-labs/simple-store-redis^0.1.0@atproto-labs/xrpc-utils^0.1.0@atproto/aws^0.3.0@atproto/common^0.6.1@atproto/crypto^0.5.0@atproto/identity^0.5.0@atproto/lex^0.1.2@atproto/lex-cbor^0.1.0@atproto/lex-data^0.1.1@atproto/lex-json^0.1.0@atproto/oauth-provider^0.18.0@atproto/oauth-scopes^0.4.0@atproto/repo^0.10.0@atproto/syntax^0.6.1@atproto/xrpc^0.8.0@atproto/xrpc-server^0.11.1@did-plc/lib^0.0.4@hapi/address^5.1.1better-sqlite3^12.0.0compression^1.7.4cors^2.8.5disposable-email-domains-js^1.5.0express^4.17.2express-async-errors^3.1.1file-type^16.5.4glob^10.3.10handlebars^4.7.7- …and 14 more.