PkgRadar

Package evidence

@clerk/[email protected]

Large Javascript Payload: 2975610 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 342,507 (Ubiquitous · −70% score)
Versions published: 6,187 (Mature · −50% score)
First published: Nov 2020
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@clerk/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@clerk/[email protected]"],"fail_on":"review"}'

Artifact bytes: 6,606,830
Previous version: 5.125.11
Published: 2026-05-27T07:16:27.153Z
SHA-256: cbdab59963693b86c039b5f3e1285ecabc3e829727c5a833aeed8a9ca8ac2349

Why flagged

What the scanner saw

Large Javascript Payload: 2975610 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 12
Version: 5.125.12
Status history (1 event)
  1. new · available · risk review · score 12 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

Severity  Kind                      Path                           Detail         Points
medium    Large Javascript Payload  package/dist/clerk.js          2975610 bytes  10
medium    Large Javascript Payload  package/dist/clerk.no-rhc.js   2356886 bytes  10
medium    Large Javascript Payload  package/dist/clerk.mjs         2969673 bytes  10
medium    Large Javascript Payload  package/dist/clerk.no-rhc.mjs  2352262 bytes  10

Manifest

Package metadata

Scripts (24)
  • build: pnpm build:bundle && pnpm build:declarations
  • build:analyze: rspack build --config rspack.config.js --env production --env variant="clerk.browser" --env analysis --analyze
  • build:bundle: pnpm clean && rspack build --config rspack.config.js --env production
  • build:declarations: tsc -p tsconfig.declarations.json
  • build:sandbox: rspack build --config rspack.config.js --env production --env sandbox
  • build:stats: rspack build --config rspack.config.js --env production --json=stats.json --env variant="clerk.browser"
  • bundlewatch: FORCE_COLOR=1 bundlewatch --config bundlewatch.config.json
  • bundlewatch:fix: node bundlewatch-fix.mjs
  • clean: rimraf ./dist
  • dev: rspack serve --config rspack.config.js
  • dev:headless: rspack serve --config rspack.config.js --env variant="clerk.headless.browser"
  • dev:origin: rspack serve --config rspack.config.js --env devOrigin=http://localhost:${PORT:-4000}
  • dev:sandbox: rspack serve --config rspack.config.js --env devOrigin=http://localhost:${PORT:-4000} --env sandbox=1
  • format: node ../../scripts/format-package.mjs
  • format:check: node ../../scripts/format-package.mjs --check
  • lint: eslint src
  • lint:attw: attw --pack . --profile node16 --ignore-rules named-exports
  • lint:publint: publint || true
  • postbuild: node ../../scripts/search-for-rhc.mjs file dist/clerk.no-rhc.mjs
  • test: vitest --watch=false
  • test:sandbox:integration: playwright test
  • test:sandbox:integration:ui: playwright test --ui
  • test:sandbox:integration:update-snapshots: playwright test --update-snapshots
  • watch: rspack build --config rspack.config.js --env production --watch
Dependencies (27)
  • @base-org/account 2.0.1
  • @clerk/localizations ^3.37.7
  • @clerk/shared ^3.47.7
  • @coinbase/wallet-sdk 4.3.0
  • @emotion/cache 11.11.0
  • @emotion/react 11.11.1
  • @floating-ui/react 0.27.12
  • @floating-ui/react-dom ^2.1.3
  • @formkit/auto-animate ^0.8.2
  • @solana/wallet-adapter-base 0.9.27
  • @solana/wallet-adapter-react 0.15.39
  • @solana/wallet-standard 1.1.4
  • @stripe/stripe-js 5.6.0
  • @swc/helpers ^0.5.17
  • @tanstack/query-core 5.87.4
  • @wallet-standard/core 1.1.1
  • @zxcvbn-ts/core 3.0.4
  • @zxcvbn-ts/language-common 3.0.4
  • alien-signals 2.0.6
  • browser-tabs-lock 1.3.0
  • copy-to-clipboard 3.3.3
  • core-js 3.41.0
  • crypto-js ^4.2.0
  • dequal 2.0.3
  • input-otp 1.4.2
  • qrcode.react 4.2.0
  • regenerator-runtime 0.14.1