Package evidence

@aurodesignsystem-dev/[email protected]

Large Javascript Payload: 4640015 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 3,648Niche · −30% score
Versions published: 1,050Mature · −50% score
First published: May 2025
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@aurodesignsystem-dev/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@aurodesignsystem-dev/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes10,349,078

Previous version0.0.0-pr1483.1

Published2026-05-27T18:58:42.340Z

SHA-25680107fa9fe074b45c96414ea4816b370e6a4b4b9ebfd4f7ffd4839c1bee1dc4e

Why flagged

What the scanner saw

Large Javascript Payload: 4640015 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

16d agoLast checked

reviewRisk

12Score

0.0.0-pr1483.2Version

Status history (1 event)

new → available16d ago · risk review · score 12 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Large Javascript Payload	package/components/form/demo/customize.min.js	4640015 bytes	10
medium	Large Javascript Payload	package/components/form/demo/getting-started.min.js	4640015 bytes	10
medium	Large Javascript Payload	package/components/form/demo/index.min.js	4639953 bytes	10
medium	Large Javascript Payload	package/components/form/demo/registerDemoDeps.min.js	4618739 bytes	10

Show all 5 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Large Javascript Payload	package/components/form/demo/customize.min.js	4640015 bytes	10
medium	Large Javascript Payload	package/components/form/demo/getting-started.min.js	4640015 bytes	10
medium	Large Javascript Payload	package/components/form/demo/index.min.js	4639953 bytes	10
medium	Large Javascript Payload	package/components/form/demo/registerDemoDeps.min.js	4618739 bytes	10
low	Credential file access	package/custom-elements.json	matched ".azure"	3

Manifest

Package metadata

Scripts39

analyzecustom-elements-manifest analyze --config ./packages/config/src/custom-elements-manifest.config.mjs
buildnpm run analyze && npm run build:docs:kit && turbo run build
build-storybooknpm run build && npm run analyze && storybook build
build:docsturbo run build:docs
build:docs:kitnode ./packages/build-tools/src/kitDocProcessor.mjs
build:forcenpm run analyze && turbo run build --force
build:formkit-versionturbo run build:formkit-version
build:versionturbo run build:version
cleanturbo run clean && rm -rf node_modules
deploy-demonpm run build && sh ./deploy-components.sh
devturbo run dev --parallel
dev:closedturbo run dev:closed --parallel
dev:reactconcurrently "npx turbo run build:watch --concurrency=20" "npm run dev:app:open --workspace=apps/react-framework"
dev:svelteconcurrently "npx turbo run build:watch --concurrency=20" "npm run dev:app:open --workspace=apps/svelte-framework"
formatprettier --write "**/*.{ts,tsx,md}"
lintturbo run lint
local-demosh ./local-demo.sh
local-demo:buildnpm run build && npm run local-demo
local-demo:zipnpm run local-demo:build -- --zip
preCommitnode ./node_modules/@aurodesignsystem/auro-library/scripts/build/pre-commit.mjs
preparehusky
sassturbo run sass
storybooknpm run analyze && storybook dev -p 6006
sweepfind ./components ./packages -type d -name 'dist' -exec rm -rf {} + && find ./ -type d -name '.turbo' -exec rm -rf {} + && find ./components ./packages -not -path '*/node_modules/*' -type f -name '*-css.js' -delete && find ./components -path '*/demo/*.md' -delete && find ./components -path '*/demo/*.min.js' -delete && find ./components -path '*/demo/*.min.css' -delete
testnpm run test:wtr && npm run test:frameworks
test:dashboardnode test/coverage/generate-dashboard.mjs
test:forceturbo run test --force --continue
test:framework:reactturbo run test:framework --filter=@aurodesignsystem/react-framework
test:framework:report:reactnpm run test:framework:report -w apps/react-framework
test:framework:report:sveltenpm run test:framework:report -w apps/svelte-framework
…and 9 more.

Dependencies5

@lit/context^1.1.6
@lit/reactive-element^2.1.2
lit^3.3.2
lit-element^4.1.1
lit-html^3.2.1

Optional dependencies2

@rolldown/binding-linux-x64-gnu*
@rollup/rollup-linux-x64-gnu*