PkgRadar

Package evidence

@codeagora/[email protected]

Install-time lifecycle script: postinstall="node scripts/postinstall.cjs"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
39
Versions published
11
First published
Apr 2026
Publisher
justn-hyeok

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@codeagora/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@codeagora/[email protected]"],"fail_on":"review"}'
Publisherjustn-hyeok
Artifact bytes1,838,386
Previous version0.1.0-rc.3
Published2026-06-01T00:51:57.888Z
SHA-2567c7917a07fc0addb2b18ca27e732822fd09b15f7c93323a898bf5b82f72da6f8

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="node scripts/postinstall.cjs"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
5Score
0.1.0-rc.4Version
Status history (1 event)
  1. newavailable · risk review · score 5 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node scripts/postinstall.cjs"5
lowLarge Javascript Payloadpackage/packages/cli/dist/index.js10656662 bytes0

Manifest

Package metadata

Scripts25
  • bench:cipnpm bench:fn -- --validate-only && pnpm bench:reference -- --validate-only
  • bench:fntsx scripts/bench-fn.ts
  • bench:fn:comparetsx scripts/bench-fn-compare.ts
  • bench:fn:runtsx scripts/bench-fn-run.ts
  • bench:rate-limittsx scripts/bench-rate-limit-sim.ts
  • bench:referencetsx scripts/bench-reference-check.ts
  • buildpnpm -r build
  • build:actionnode scripts/build-action.mjs
  • desktop:app-e2epnpm --filter @codeagora/desktop app:e2e
  • desktop:bundlepnpm --filter @codeagora/desktop tauri:build
  • desktop:bundle-smokepnpm --filter @codeagora/desktop bundle:smoke
  • desktop:evidencepnpm --filter @codeagora/desktop evidence
  • desktop:macos-webdriver-e2epnpm --filter @codeagora/desktop macos:webdriver-e2e
  • desktop:smokepnpm --filter @codeagora/desktop smoke
  • devpnpm --filter @codeagora/cli dev
  • evidence:manifestnode scripts/evidence-manifest.mjs
  • linteslint "packages/*/src/**/*.ts" "packages/*/scripts/**/*.{js,mjs,ts}" "src/tests/**/*.ts" "scripts/**/*.{js,mjs,ts}" "vitest.config.ts" "eslint.config.js" --quiet
  • postinstallnode scripts/postinstall.cjs
  • rc:desktop-gatepnpm --filter @codeagora/desktop typecheck && pnpm --filter @codeagora/desktop smoke && pnpm --filter @codeagora/desktop tauri:check && pnpm --filter @codeagora/desktop app:e2e && pnpm --filter @codeagora/desktop macos:webdriver-e2e && pnpm --filter @codeagora/desktop evidence && pnpm --filter @codeagora/desktop bundle:smoke
  • release:beta-smokenode scripts/beta-smoke.mjs
  • testvitest run
  • test:allvitest run
  • test:coveragevitest run --coverage
  • test:securityvitest run src/tests/redaction-boundaries.test.ts src/tests/config-path-security.test.ts src/tests/github-action-diff-path-security.test.ts src/tests/github-action-sarif-path.test.ts src/tests/large-diff-security-priority.test.ts src/tests/utils-path-validation.test.ts src/tests/desktop-webdriver-security.test.ts packages/core/src/tests/prompt-injection-boundaries.test.ts packages/mcp/src/tests/critical-errors.test.ts packages/github/src/tests/critical-github-errors.test.ts
  • typechecktsc --noEmit
Dependencies22
  • @ai-sdk/anthropic^3.0.58
  • @ai-sdk/baseten^1.0.38
  • @ai-sdk/cohere^3.0.25
  • @ai-sdk/deepinfra^2.0.39
  • @ai-sdk/fireworks^2.0.40
  • @ai-sdk/google^3.0.43
  • @ai-sdk/groq^3.0.27
  • @ai-sdk/huggingface^1.0.37
  • @ai-sdk/moonshotai^2.0.10
  • @ai-sdk/openai^3.0.41
  • @ai-sdk/openai-compatible^2.0.33
  • @ai-sdk/perplexity^3.0.23
  • @clack/prompts^1.1.0
  • @octokit/auth-app^8.2.0
  • @octokit/rest^22.0.1
  • @openrouter/ai-sdk-provider^2.2.3
  • ai^6.0.111
  • commander^14.0.3
  • ora^9.3.0
  • picocolors^1.1.1
  • yaml^2.8.2
  • zod^3.22.4