Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 837
- Versions published
- 18
- First published
- Apr 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@cardstack/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@cardstack/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 15 · status changed
Evidence
Static findings
5 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/bundled-test-harness/assets/marked-sync-D-ecdBRU.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/bundled-test-harness/assets/editor.api-ClwRlWfO.js | 4105060 bytes | 10 |
| medium | Large Javascript Payload | package/dist/index.js | 2437088 bytes | 10 |
| medium | Large Javascript Payload | package/bundled-test-harness/assets/runtime-common-BYg4_BEs.js | 4911937 bytes | 10 |
| medium | Large Javascript Payload | package/bundled-test-harness/assets/ts.worker-CVZyD3Mk.js | 10381785 bytes | 10 |
Manifest
Package metadata
Scripts23
buildpnpm clean && pnpm build:types && pnpm build:test-harness && pnpm build:realms && NODE_NO_WARNINGS=1 ts-node --transpileOnly scripts/build.tsbuild:pluginNODE_NO_WARNINGS=1 ts-node --transpileOnly scripts/build-plugin.tsbuild:realmsNODE_NO_WARNINGS=1 ts-node --transpileOnly scripts/build-realms.tsbuild:skillsNODE_NO_WARNINGS=1 ts-node --transpileOnly scripts/build-skills.tsbuild:test-harnessNODE_NO_WARNINGS=1 ts-node --transpileOnly scripts/build-test-harness.tsbuild:typesNODE_NO_WARNINGS=1 ts-node --transpileOnly scripts/build-types.tscleanrm -rf dist/* bundled-types bundled-test-harness bundled-realmslintconcurrently "pnpm:lint:*(!fix)" --names "lint:"lint:fixconcurrently "pnpm:lint:*:fix" --names "fix:"lint:jseslint . --report-unused-disable-directives --cachelint:js:fixeslint . --report-unused-disable-directives --fixlint:typestsc --noEmitpublish:drypnpm publish --dry-run --no-git-checkspublish:npmpnpm publish --no-git-checksstartNODE_NO_WARNINGS=1 ts-node --transpileOnly src/index.tstestvitest runtest:integration./tests/scripts/run-integration-with-test-pg.shtest:unitvitest run --exclude 'tests/integration/**'test:unit-exclude-smokevitest run --exclude 'tests/integration/**' --exclude 'tests/smoke.test.ts'test:watchvitestversion:majornpm version majorversion:minornpm version minorversion:patchnpm version patch
Dependencies14
@aws-crypto/sha256-js^5.2.0@glint/ember-tsc^1.5.0@playwright/test^1.54.0@types/qunit^2.19.12@universal-ember/test-support^0.5.1commander^13.1.0content-tag^4.0.0dotenv^16.4.7ignore^5.2.0jsonwebtoken9.0.3p-limit^7.3.0qunit^2.24.1qunit-dom^3.5.0typescript~5.9.3