PkgRadar

Package evidence

@capgo/[email protected]

Large Javascript Payload: 2956214 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
1,089Mature · −50% score
First published
Apr 2022
Publisher
riderx

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@capgo/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@capgo/[email protected]"],"fail_on":"review"}'
Publisherriderx
Artifact bytes1,507,464
Previous version8.7.0
Published2026-06-16T13:23:07.404Z
SHA-256e83c467a30468248e92b3b0a3a31dd350347396cce6b423e55bb7a62a2605f1d

Why flagged

What the scanner saw

Large Javascript Payload: 2956214 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
lowRisk
0Score
8.7.1Version
Status history (1 event)
  1. newavailable · risk low · score 0 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowLarge Javascript Payloadpackage/dist/index.js2956214 bytes0

Manifest

Package metadata

Scripts112
  • buildtsc && bun build.mjs
  • check-posix-pathsnode test/check-posix-paths.js
  • devNODE_ENV=development ncc build
  • dev-buildSUPA_DB=development ncc build
  • generate-docsnode dist/index.js generate-docs README.md
  • lintbun run lint:ox
  • lint:fixoxlint --config ../.oxlintrc.json --fix src
  • lint:oxoxlint --config ../.oxlintrc.json src
  • no-debugnode dist/index.js
  • packpkg
  • testbun run build && bun run test:helper-dce && bun run test:version-detection:setup && bun run test:bundle && bun run test:functional && bun run test:semver && bun run test:version-edge-cases && bun run test:regex && bun run test:upload && bun run test:fail-on-incompatible && bun run test:credentials && bun run test:credentials-validation && bun run test:android-service-account-validation && bun run test:build-zip-filter && bun run test:checksum && bun run test:build-needed && bun run test:ci-prompts && bun run test:ci-secrets && bun run test:android-onboarding-progress && bun run test:onboarding-telemetry && bun run test:v2-event-migration && bun run test:analytics && bun run test:analytics-error-category && bun run test:analytics-org-resolver && bun run test:supabase-perf && bun run test:preview-qr && bun run test:mcp-analytics && bun run test:app-created-source && bun run test:doctor-analytics && bun run test:posthog-exception && bun run test:build-platform-selection && bun run test:onboarding-recovery && bun run test:onboarding-progress && bun run test:onboarding-run-targets && bun run test:run-device-command && bun run test:init-app-conflict && bun run test:init-guardrails && bun run test:prompt-preferences && bun run test:esm-sdk && bun run test:mcp && bun run test:version-detection && bun run test:platform-paths && bun run test:payload-split && bun run test:manifest-path-encoding && bun run test:macos-signing && bun run test:asc-key-protocol && bun run test:apple-api-import-helpers && bun run test:bundle-id-detector && bun run test:apple-api-app-list && bun run test:app-verification && bun run test:pbxproj-parser && bun run test:ai-log-capture && bun run test:ai-analyze-flow && bun run test:ai-sse-parser && bun run test:ai-render-markdown && bun run test:ai-stream-markdown && bun run test:ai-onboarding-mode && bun run test:ai-fit && bun run test:platform-layout && bun run test:frame-fit && bun run test:onboarding-min-size && bun run test:min-size-gate && bun run test:shell-size-gate && bun run test:build-log-sanitize && bun run test:build-output-viewport && bun run test:diff-viewer-viewport && bun run test:build-complete-exit && bun run test:ai-analyze-stream && bun run test:support-mailto && bun run test:support-redact && bun run test:support-internal-log && bun run test:support-help-menu && bun run test:support-contact && bun run test:support-bundle-files && bun run test:self-update && bun run test:update-prompt && bun run test:apple-api-cert-create && bun run test:android-tail-engine && bun run test:android-tail-render && bun run test:android-tail-routing && bun run test:dev-gate-stripped && bun run test:frame-fit-ios-shared && bun run test:ios-confirm-app-id && bun run test:ios-create-new && bun run test:ios-e2e && bun run test:ios-flow-contract && bun run test:ios-import-discovery && bun run test:ios-import-export && bun run test:ios-import-pickers && bun run test:ios-import-recovery && bun run test:ios-recovery && bun run test:ios-resume && bun run test:ios-tail-handoff && bun run test:ios-tui-render && bun run test:p8-error && bun run test:ios-tui-routing && bun run test:ios-updater-sync-validation && bun run test:ios-verify-app && bun run test:platform-flow-contract && bun run test:tail-engine-shared
  • test:ai-analyze-flowbun test/test-ai-analyze-flow.mjs
  • test:ai-analyze-streambun test/test-ai-analyze-stream.mjs
  • test:ai-fitbun test/test-ai-fit.mjs
  • test:ai-log-capturebun test/test-ai-log-capture.mjs
  • test:ai-onboarding-modebun test/test-ai-onboarding-mode.mjs
  • test:ai-render-markdownbun test/test-ai-render-markdown.mjs
  • test:ai-sse-parserbun test/test-ai-sse-parser.mjs
  • test:ai-stream-markdownbun test/test-ai-stream-markdown.mjs
  • test:analyticsbun test/test-analytics.mjs
  • test:analytics-error-categorybun test/test-analytics-error-category.mjs
  • test:analytics-org-resolverbun test/test-analytics-org-resolver.mjs
  • test:android-onboarding-progressbun test/test-android-onboarding-progress.mjs
  • test:android-service-account-validationbun test/test-android-service-account-validation.mjs
  • test:android-tail-enginebun test/test-android-tail-engine.mjs
  • test:android-tail-renderbun test/test-android-tail-render.mjs
  • test:android-tail-routingbun test/test-android-tail-routing.mjs
  • test:app-created-sourcebun test/test-app-created-source.mjs
  • test:app-verificationbun test/test-app-verification.mjs
  • test:apple-api-app-listbun test/test-apple-api-app-list.mjs
  • …and 82 more.
Dependencies8
  • @inkjs/ui^2.0.0
  • ink^7.0.4
  • ink-spinner^5.0.0
  • jsonwebtoken^9.0.3
  • node-forge^1.4.0
  • qrcode^1.5.4
  • react^19.2.6
  • string-width^8.2.1
Optional dependencies2
  • @capgo/cli-helper-darwin-arm64^1.1.1
  • @capgo/cli-helper-darwin-x64^1.1.1