Package evidence
@byomakase/[email protected]
Remote Dependency Spec: dependencies.smp-imsc="github:bbc/imscJS#v1.0.11-9"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 2,492Niche · −30% score
- Versions published
- 807Mature · −50% score
- First published
- Apr 2023
- Publisher
- byomakase
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@byomakase/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@byomakase/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Remote Dependency Spec: dependencies.smp-imsc="github:bbc/imscJS#v1.0.11-9"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 29 · status changed
Evidence
Static findings
3 static · 1 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Dependency Spec | package.json | dependencies.smp-imsc="github:bbc/imscJS#v1.0.11-9" | 12 |
| medium | New Remote Dependency Vs Previous | package.json | dependencies.smp-imsc added in 1.0.0-RC3 vs 0.25.4: "github:bbc/imscJS#v1.0.11-9" | 12 |
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Dependency Spec | package.json | dependencies.smp-imsc="github:bbc/imscJS#v1.0.11-9" | 12 |
| medium | New Remote Dependency Vs Previous | package.json | dependencies.smp-imsc added in 1.0.0-RC3 vs 0.25.4: "github:bbc/imscJS#v1.0.11-9" | 12 |
| low | Install-time lifecycle script | package.json | postinstall="patch-package" | 5 |
| low | Large Javascript Payload | package/dist/omakase-player-rework.es.js | 4576358 bytes | 0 |
Manifest
Package metadata
Scripts14
buildvite buildbuild:docnpx typedoc --entryPointStrategy resolve ./src/ --excludePrivate --excludeProtected --excludeInternal --cleanOutputDir false --customCss ./docs/static/style/style.cssbuild:prodrm -rf dist && tsc --noEmit && vite build --mode productionbuild:stylevite build --config vite.chroming-style.config.mjsbuild:workersvite build --config vite.workers.config.mjsdevviteformatprettier . --writepostinstallpatch-packagepublish:drynpm run build:prod && npm packpublish:latestnpm run build:prod && npm publish --access restricted --tag latestpublish:snapshotnpm run build:prod && npm publish --access restricted --tag snapshotstartnode dist/index.jstestvitest --uitypechecktsc --noEmit
Dependencies17
@byomakase/omakase-ttconv-ts1.0.0-RC3decimal.js^10.6.0hls.js^1.6.15konva^10.2.0m3u8-parser^7.2.0media-captions^1.0.4media-chrome^4.17.2mediabunny^1.16.1node-webvtt^1.9.4patch-package^8.0.1rxjs^7.8.2smp-imscgithub:bbc/imscJS#v1.0.11-9sortablejs^1.15.7stats.js^0.17.0subtitle-converter^3.0.12yoga-layout^3.2.1zod^4.1.9
Optional dependencies1
@rollup/rollup-linux-x64-gnu^4.28.1