Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 11
- Versions published
- 191Mature · −50% score
- First published
- Dec 2017
- Publisher
- hamstu
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@bufferapp/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@bufferapp/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 9 · status changed
Evidence
Static findings
3 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/.travis.yml | matched "curl " | 12 |
| medium | Large Javascript Payload | package/composer-web-iframe-bundle.ddf5e66cf47902d3928db8bc3a68815a.gz.js | 3041210 bytes | 10 |
| medium | Large Javascript Payload | package/dist/composer-web-iframe-bundle.js | 6628406 bytes | 10 |
Manifest
Package metadata
Scripts11
compilerimraf dist/* && webpack --output-path=dist --config webpack.prod.config.jscompile-devrimraf dist/* && webpack --output-path=distlintecho "disabled command: eslint . --ignore-pattern coverage node_modules"prepublishOnlynpm run compilestartstart-storybook -p 9001 -c ./composer/.storybooktestyarn run lint && jesttest-updatejest -utest-watchjest --watchtest-without-coverageyarn run lint && jest --coverage=false --collectCoverage=falseupdate-buffer-webnpm run compile && cp ./dist/* ../buffer-web/node_modules/@bufferapp/composer/dist && cd ../buffer-web && gulp webpack --app contentControllerupdate-buffer-web-devnpm run compile-dev && cp ./dist/* ../buffer-web/node_modules/@bufferapp/composer/dist && cd ../buffer-web && gulp webpack --app contentController
Dependencies43
@bufferapp/buffer-js-api0.3.0@bufferapp/buffer-js-metrics0.2.0@bufferapp/buffer-js-request0.2.0@bufferapp/components3.0.2@bufferapp/draft-js0.10.1-fork.5@bufferapp/draft-js-emoji-plugin^2.0.2@bufferapp/draft-js-mention-plugin2.0.0-rc8.3@bufferapp/draft-js-plugins-editor2.0.0-rc8.3@bufferapp/dragme0.2.2@bufferapp/react-images-loaded^1.1.0-fork.0@bufferapp/react-simple-dropdown3.2.5babel-cli^6.26.0babel-core^6.26.0decorate-component-with-props1.0.2event-pubsub4.3.0events1.1.1fetch-jsonp1.0.3flux2.1.1immutable3.7.6keymirror0.1.1lodash.clonedeep4.3.2lodash.debounce4.0.8lodash.escaperegexp4.1.2lodash.findlastindex4.6.0lodash.partition4.6.0lodash.throttle4.1.1lodash.uniqby4.7.0lru-cache4.0.2moment^2.22.1moment-timezone^0.5.25- …and 13 more.