PkgRadar

Package evidence

@beyondwork/[email protected]

Large Javascript Payload: 3435552 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
2,594Niche · −30% score
Versions published
198
First published
Apr 2026
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@beyondwork/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@beyondwork/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes28,446,686
Previous version1.0.199
Published2026-05-27T00:24:33.521Z
SHA-256ee16baa3c44b16020d6c9e5e70f7ec10da6c851fbd23215ff2570b63017618eb

Why flagged

What the scanner saw

Large Javascript Payload: 3435552 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
18Score
1.0.200Version
Status history (1 event)
  1. newavailable · risk review · score 18 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumLarge Javascript Payloadpackage/dist/runtime/document-runtime.cjs3435552 bytes10
mediumLarge Javascript Payloadpackage/dist/index.cjs7648613 bytes10
mediumLarge Javascript Payloadpackage/dist/prerender-worker.cjs2247185 bytes10
mediumLarge Javascript Payloadpackage/dist/tailwind.cjs2349848 bytes10
mediumLarge Javascript Payloadpackage/dist/ui-tailwind.cjs2349851 bytes10
mediumLarge Javascript Payloadpackage/dist/api/v3.cjs3667582 bytes10

Manifest

Package metadata

Scripts111
  • audit:compositor-overlaysnode scripts/ci-check-compositor-overlays.mjs
  • benchmark:compositor-closeoutbash scripts/run-tool-workspace-command.sh node scripts/run-real-world-browser-benchmark.mjs --target-ids table-last-cell-end --target-limit 1 --max-mutations-mean 5 --max-paragraph-content-mutations 0 --max-layout-full-total 0 --max-decoration-full-rebuilds 0
  • benchmark:compositor-typingbash scripts/run-tool-workspace-command.sh node scripts/run-compositor-typing-perf.mjs
  • benchmark:real-worldbash scripts/run-tool-workspace-command.sh node scripts/run-real-world-browser-benchmark.mjs
  • buildNODE_OPTIONS=--max-old-space-size=8192 tsup && node scripts/build-prerender-worker-inline.mjs && node scripts/build-editor-aux-worker.mjs
  • check:token-referencenode scripts/generate-token-reference.mjs --check
  • ci-check:api-v3-metadatanode scripts/ci-check-api-v3-metadata.mjs
  • ci-check:api-v3-no-ref-reexportnode scripts/ci-check-api-v3-no-ref-reexport.mjs
  • ci-check:chrome-compositionnode scripts/ci-check-chrome-composition.mjs
  • ci-check:chrome-smoke-isolationnode scripts/ci-check-chrome-smoke-isolation.mjs
  • ci-check:headless-example-importsnode scripts/ci-check-headless-example-imports.mjs
  • ci-check:layer-11-boundarynode scripts/ci-check-layer-11-boundary.mjs
  • ci-check:layer-11-boundary:updatenode scripts/ci-check-layer-11-boundary.mjs --update
  • ci-check:no-fixture-literalsnode scripts/ci-check-no-fixture-literals.mjs
  • ci-check:no-fixture-literals:strictnode scripts/ci-check-no-fixture-literals.mjs --strict
  • ci-check:no-legacy-presentationnode scripts/ci-check-no-legacy-presentation.mjs
  • ci-check:no-session-internals-leaknode scripts/ci-check-no-session-internals-leak.mjs
  • ci-check:session-layer-puritynode scripts/ci-check-session-layer-purity.mjs
  • ci-check:snapshot-direct-readsnode scripts/ci-check-snapshot-direct-reads.mjs
  • context7:api-checkbash scripts/context7-export-env.sh run bash scripts/context7-api-check.sh
  • corpus-render:assetsbash scripts/run-corpus-render-assets.sh
  • corpus-render:assets:localnode scripts/generate-corpus-render-assets.mjs
  • corpus-render:layoutnode scripts/organize-corpus-renders.mjs
  • docx:prewarm-laycachenode --import tsx scripts/prewarm-docx-laycache.ts
  • generate:token-referencenode scripts/generate-token-reference.mjs
  • graph-oraclebash scripts/run-tool-workspace-command.sh node --import tsx services/truth-baseline/backends/word-graph-pdf/graph-oracle.ts
  • graph-oracle:build-staticbash scripts/run-tool-workspace-command.sh node --import tsx services/truth-baseline/backends/word-graph-pdf/graph-oracle.ts build-static
  • graph-oracle:build-static:localnode --import tsx services/truth-baseline/backends/word-graph-pdf/graph-oracle.ts build-static
  • graph-oracle:localnode --import tsx services/truth-baseline/backends/word-graph-pdf/graph-oracle.ts
  • harness:devpnpm --filter @docx-react-component/react-word-editor-harness dev
  • …and 81 more.
Dependencies11
  • @radix-ui/react-popover^1.1.15
  • @radix-ui/react-scroll-area^1.2.10
  • @radix-ui/react-select^2.2.6
  • @radix-ui/react-tabs^1.1.13
  • @radix-ui/react-toggle^1.1.10
  • @radix-ui/react-toggle-group^1.1.11
  • @radix-ui/react-tooltip^1.2.8
  • comlink^4.4.2
  • fast-xml-parser^5.5.8
  • fflate^0.8.2
  • lucide-react^1.7.0