PkgRadar

Package evidence

@convex-dev/[email protected]

Install-time lifecycle script: postinstall="echo '\\nπŸ“¦ @convex-dev/static-hosting installed!\\n\\n πŸš€ Quick Setup (Interactive):\\n npx @convex-dev/static-hosting setup\\n\\n πŸ€– For LLMs: See INTEGRATION.md for complete integration instructions\\n πŸ“– Manual Setup: npx @convex-dev/static-hosting init\\n'"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these β€” the panel just explains what was applied.

Weekly downloads
2,633Niche Β· βˆ’30% score
Versions published
4
First published
Feb 2026
Publisher
sethconvex

Effective trust discount applied: βˆ’30% (max across signals β€” discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl Β· GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@convex-dev/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@convex-dev/[email protected]"],"fail_on":"review"}'
Publishersethconvex
Artifact bytes63,083
Previous version0.1.2
Published2026-03-12T15:09:04.640Z
SHA-2564a17837fabdef9b5da3f2f9d819825b1a90c0c23b0416e712fa15dd7f7e3161b

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="echo '\\nπŸ“¦ @convex-dev/static-hosting installed!\\n\\n πŸš€ Quick Setup (Interactive):\\n npx @convex-dev/static-hosting setup\\n\\n πŸ€– For LLMs: See INTEGRATION.md for complete integration instructions\\n πŸ“– Manual Setup: npx @convex-dev/static-hosting init\\n'"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
0.1.3Version
Status history (1 event)
  1. new β†’ available Β· risk review Β· score 3 Β· status changed

Evidence

Static findings

1 static Β· 0 from release diff Β· showing high-signal first.

No high-signal findings β€” see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowInstall-time lifecycle scriptpackage.jsonpostinstall="echo '\\nπŸ“¦ @convex-dev/static-hosting installed!\\n\\n πŸš€ Quick Setup (Interactive):\\n npx @convex-dev/static-hosting setup\\n\\n πŸ€– For LLMs: See INTEGRATION.md for complete integration instructions\\n πŸ“– Manual Setup: npx @convex-dev/static-hosting init\\n'"5

Manifest

Package metadata

Scripts23
  • allrun-p -r 'dev:*' 'test:watch'
  • alphanpm version prerelease --preid alpha && npm publish --tag alpha && git push --follow-tags
  • buildtsc --project ./tsconfig.build.json
  • build:cleanrm -rf dist *.tsbuildinfo && npm run build:codegen
  • build:codegennpx convex codegen --component-dir ./src/component && npm run build
  • build:examplecd example && vite build
  • deploy:staticnpm run build:example && npm run upload:static
  • devrun-p -r 'dev:*'
  • dev:backendconvex dev --typecheck-components
  • dev:buildchokidar 'tsconfig*.json' 'src/**/*.ts' -i '**/*.test.ts' -c 'npm run build:codegen' --initial
  • dev:frontendcd example && vite --clearScreen false
  • linteslint .
  • postinstallecho '\nπŸ“¦ @convex-dev/static-hosting installed!\n\n πŸš€ Quick Setup (Interactive):\n npx @convex-dev/static-hosting setup\n\n πŸ€– For LLMs: See INTEGRATION.md for complete integration instructions\n πŸ“– Manual Setup: npx @convex-dev/static-hosting init\n'
  • predevpath-exists .env.local dist || (npm run build && convex dev --once)
  • preversionnpm ci && npm run build:clean && run-p test lint typecheck
  • releasenpm version patch && npm publish && git push --follow-tags
  • testvitest run --typecheck
  • test:coveragevitest run --coverage --coverage.reporter=text
  • test:debugvitest --inspect-brk --no-file-parallelism
  • test:watchvitest --typecheck --clearScreen false
  • typechecktsc --noEmit && tsc -p example && tsc -p example/convex
  • upload:staticnode dist/cli/index.js upload --dist ./example/dist --component staticHosting
  • versionvim -c 'normal o' -c 'normal o## '$npm_package_version CHANGELOG.md && prettier -w CHANGELOG.md && git add CHANGELOG.md