PkgRadar

Package evidence

@codingfactory/[email protected]

Install-time lifecycle script: preinstall="npx only-allow pnpm"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@codingfactory/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@codingfactory/[email protected]"],"fail_on":"high"}'
Publishercodingfactory
Artifact bytes5,115,411
Previous version2.21.1
Published2026-05-25T06:10:28.331Z
SHA-256e1ee7b7133c6c214a5dde9486e11c576d68e98ff513cb002959bd07dd5532b7e

Why flagged

What the scanner saw

Install-time lifecycle script: preinstall="npx only-allow pnpm"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
52Score
2.22.0Version
Status history (1 event)
  1. newavailable · risk high · score 52 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highInstall-time lifecycle scriptpackage.jsonpreinstall="npx only-allow pnpm"30
mediumLarge Javascript Payloadpackage/dist/render-page/assets/index-Blc3wE9X.js2526495 bytes10
Show all 6 findings (low-signal and informational)
SeverityKindPathDetailPoints
highInstall-time lifecycle scriptpackage.jsonpreinstall="npx only-allow pnpm"30
mediumLarge Javascript Payloadpackage/dist/render-page/assets/index-Blc3wE9X.js2526495 bytes10
lowObfuscationpackage/dist/editor-v2-BbomlVLj.cjsmatched "atob("3
lowObfuscationpackage/dist/index-DuNZjRFj.cjsmatched "atob("3
lowObfuscationpackage/dist/editor-v2-CyL9UOh7.jsmatched "atob("3
lowObfuscationpackage/dist/index-SSF2KsX6.jsmatched "atob("3

Manifest

Package metadata

Scripts15
  • buildvite build --config vite.lib.config.ts && vue-tsc -p tsconfig.build.json --emitDeclarationOnly && pnpm build:vanilla-types && pnpm build:primitives-types && pnpm build:render
  • build:primitives-typestsc -p tsconfig.primitives-declarations.json && node scripts/build-primitives-declarations.mjs
  • build:rendervite build --config vite.render.config.ts
  • build:vanilla-typestsc -p tsconfig.vanilla-declarations.json && node scripts/build-vanilla-declarations.mjs
  • cleanrimraf dist
  • devvite build --config vite.lib.config.ts --watch
  • docs:buildredocly build-docs docs/openapi.yaml -o docs/openapi.html
  • docs:bundleredocly bundle docs/openapi.yaml -o docs/openapi.bundled.yaml
  • docs:previewredocly preview-docs docs/openapi.yaml
  • docs:validateredocly lint docs/openapi.yaml
  • preinstallnpx only-allow pnpm
  • testnode ./scripts/vitest.mjs
  • test:coveragevitest --coverage
  • test:uivitest --ui
  • type-checkvue-tsc --noEmit
Dependencies17
  • @capacitor/haptics^7.0.2
  • @capacitor/status-bar^7.0.2
  • @ionic/vue^8.0.0
  • @material/material-color-utilities^0.3.0
  • @tanstack/vue-virtual^3.10.8
  • @vueuse/core^12.0.0
  • @vueuse/integrations^12.0.0
  • axios^1.6.0
  • color-thief-browser^2.0.2
  • focus-trap^7.6.5
  • hls.js^1.6.11
  • ionicons^7.0.0
  • lodash-es^4.17.23
  • mp4-muxer^5.2.2
  • swiper^11.2.10
  • tiny-lru^11.4.5
  • vue-router^4.5.1