Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,897Niche · −30% score
- Versions published
- 16
- First published
- May 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@cliftonc/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@cliftonc/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "raw.githubusercontent.com"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 3 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/server/pricing-backfill.js | matched "raw.githubusercontent.com" | 12 |
Manifest
Package metadata
Scripts18
buildtsc -p tsconfig.build.json && npm run copy:migrations && vite buildbuild-linknpm run build && npm install -g .clitsx src/cli/index.tscopy:migrationsnode -e "const fs=require('node:fs');for(const d of ['migrations','migrations-pg']){fs.rmSync('dist/server/db/'+d,{recursive:true,force:true});fs.cpSync('src/server/db/'+d,'dist/server/db/'+d,{recursive:true})}"db:generatedrizzle-kit generatedb:generate:pgdrizzle-kit generate --config drizzle.config.pg.tsdevconcurrently -k "npm:dev:server" "npm:dev:client"dev:clientvitedev:servertsx watch src/server/index.tslinteslint 'src/**/*.{ts,tsx}' 'tests/**/*.ts'lint:fixeslint 'src/**/*.{ts,tsx}' 'tests/**/*.ts' --fixpg:downdocker rm -f finius-pg >/dev/null 2>&1 || truepg:updocker run -d --rm --name finius-pg -e POSTGRES_PASSWORD=finius -e POSTGRES_DB=finius -p 55432:5432 postgres:16-alpine >/dev/null && for i in $(seq 1 60); do docker exec finius-pg pg_isready -U postgres >/dev/null 2>&1 && break || sleep 0.5; done && echo 'Postgres ready → postgres://postgres:finius@localhost:55432/finius (run: npm run test:pg)'prepublishOnlynpm run lint && npm run typecheck && npm run buildstartnode dist/server/index.jstestvitest runtest:pgFINIUS_TEST_DATABASE_URL=postgres://postgres:finius@localhost:55432/finius vitest runtypechecktsc -p tsconfig.json --noEmit
Dependencies21
@clack/prompts^1.5.0@heroui/react^2.8.5@hono/node-server^1.19.6@internationalized/date^3.12.0@opentelemetry/otlp-proto-exporter-base^0.51.1@tanstack/react-query^5.90.12ansi-to-html^0.7.2arctic^3.7.0chartgpu^0.3.2clsx^2.1.1dompurify^3.4.7drizzle-orm^1.0.0-rc.3framer-motion^12.23.25hono^4.10.7lucide-react^0.468.0marked^18.0.4picocolors^1.1.1prismjs^1.30.0react^18.3.1react-dom^18.3.1unique-names-generator^4.7.1