PkgRadar

Package evidence

@coveo/[email protected]

Install-time lifecycle script: preinstall="node scripts/npm/check-sfdx-project.js"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 3,631 (Mature · −50% score)
First published: Jun 2022
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@coveo/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@coveo/[email protected]"],"fail_on":"review"}'

Artifact bytes: 1,366,198
Previous version: 3.39.1
Published: 2026-06-10T18:07:14.718Z
SHA-256: a836120cec0fcd2a11778736c07bc345806b6ecaa1496c0f31480a18014eda67

Why flagged

What the scanner saw

Install-time lifecycle script: preinstall="node scripts/npm/check-sfdx-project.js"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 3
Version: 3.40.0
Status history (1 event)
  1. new · available · risk review · score 3 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 2 findings (low-signal and informational):

Severity · Kind · Path · Detail · Points
low · Install-time lifecycle script · package.json · preinstall="node scripts/npm/check-sfdx-project.js" · 5
low · Install-time lifecycle script · package.json · postinstall="node scripts/npm/setup-quantic.js" · 5

Manifest

Package metadata

Scripts: 32
  • babel:headless: babel ./node_modules/@coveo/headless/dist/quantic --delete-dir-on-start --out-dir .tmp/quantic-compiled --extensions .js --minified
  • build:doc: jsdoc -c jsdoc-config.json
  • build:staticresources: node build-static-resources.js
  • create:lws-disabled: ts-node scripts/build/deploy-community.ts --scratch-org-def-path=./config/lws-disabled-scratch-def.json
  • create:lws-enabled: ts-node scripts/build/deploy-community.ts --scratch-org-def-path=./config/lws-enabled-scratch-def.json
  • deploy:all: pnpm run deploy:lws-enabled && pnpm run deploy:lws-disabled
  • deploy:examples: sf project deploy start --source-dir force-app/examples --source-dir force-app/solutionExamples --target-org
  • deploy:lws-disabled: pnpm run deploy:main --target-org Quantic__LWS_disabled && pnpm run deploy:examples --target-org Quantic__LWS_disabled
  • deploy:lws-enabled: pnpm run deploy:main --target-org Quantic__LWS_enabled && pnpm run deploy:examples --target-org Quantic__LWS_enabled
  • deploy:main: sf project deploy start --source-dir force-app/main --target-org
  • dev: node ../../utils/ci/rm-rf.mjs .localdevserver && pnpm run build:staticresources && pnpm run dev:sfdx
  • dev:sfdx: sf project deploy start --source-dir force-app/main && sfdx force:lightning:lwc:start --port 3334
  • e2e:playwright: npx playwright test
  • e2e:playwright:lws-disabled: npx playwright test --project=LWS-disabled
  • e2e:playwright:lws-enabled: npx playwright test --project=LWS-enabled
  • lint:check: eslint force-app/main/default/lwc/ && eslint force-app/examples/main/lwc/ && prettier "force-app/{,**}/*.js" --check
  • lint:check:tests: eslint force-app/main/default/lwc/ --format junit -o reports/eslint.xml
  • lint:fix: eslint --fix force-app/main/default/lwc/ && eslint --fix force-app/examples/main/lwc/ && prettier "force-app/{,**}/*.js" --write
  • lint:fix:apex: prettier "force-app/{,**}/*.{cls,trigger}" --write
  • postinstall: node scripts/npm/setup-quantic.js
  • preinstall: node scripts/npm/check-sfdx-project.js
  • promote:sfdx: pnpm run publish:sfdx -- --promote
  • promote:sfdx:ci: pnpm run publish:sfdx -- --promote --ci
  • publish:sfdx: ts-node scripts/build/create-package.ts --remove-translations
  • scratch:create: sf org create scratch --set-default --definition-file config/lws-enabled-scratch-def.json --alias Quantic__LWS_enabled
  • setup:examples: pnpm run create:lws-enabled && pnpm run create:lws-disabled
  • test:unit: lwc-jest
  • test:unit:coverage: lwc-jest --coverage
  • test:unit:debug: lwc-jest --debug
  • test:unit:watch: lwc-jest --watch
  • …and 2 more.

Dependencies: 5
  • @coveo/bueno: 1.1.9
  • @coveo/headless: 3.51.4
  • coveo.analytics: 2.30.56
  • dompurify: 3.4.5
  • marked: 12.0.2