PkgRadar

Package evidence

@cubejs-backend/[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
1,842Niche · −30% score
Versions published
708Mature · −50% score
First published
Mar 2021
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@cubejs-backend/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@cubejs-backend/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes64,622
Previous version1.6.49
Published2026-05-22T20:31:08.486Z
SHA-256812dc8769e47df93431ba21d87dd21fce425672adb948150500b3d2c70524c18

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
10Score
1.6.50Version
Status history (1 event)
  1. newavailable · risk review · score 10 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/birdbox-fixtures/questdb/scripts/questdb-load-events.shmatched "curl "12
mediumRemote Payloadpackage/birdbox-fixtures/materialize.ymlmatched "curl "12
mediumRemote Payloadpackage/birdbox-fixtures/questdb.ymlmatched "curl "12

Manifest

Package metadata

Scripts80
  • birdboxjest --runInBand --verbose dist/test
  • birdbox:cli:postgresqljest --verbose -i dist/test/cli-postgresql.test.js
  • birdbox:cli:postgresql:snapshotjest --verbose --updateSnapshot -i dist/test/cli-postgresql.test.js
  • birdbox:local:postgresqlUSE_LOCAL_CUBEJS_BINARY=true jest --verbose -i dist/test/cli-postgresql.test.js
  • birdbox:local:postgresql-pre-aggregationsUSE_LOCAL_CUBEJS_BINARY=true jest --verbose -i dist/test/cli-postgresql-pre-aggregations.test.js
  • birdbox:local:postgresql-pre-aggregations:snapshotUSE_LOCAL_CUBEJS_BINARY=true jest --verbose --updateSnapshot -i dist/test/cli-postgresql-pre-aggregations.test.js
  • birdbox:local:postgresql:snapshotUSE_LOCAL_CUBEJS_BINARY=true jest --verbose --updateSnapshot -i dist/test/cli-postgresql.test.js
  • birdbox:postgresqljest --verbose -i dist/test/birdbox-postgresql.test.js
  • birdbox:postgresql-cubestorejest --verbose -i dist/test/birdbox-postgresql-cubestore.test.js
  • birdbox:postgresql-cubestore:snapshotjest --verbose --updateSnapshot -i dist/test/birdbox-postgresql-cubestore.test.js
  • birdbox:postgresql-pre-aggregationsjest --verbose -i dist/test/birdbox-postgresql-pre-aggregations.test.js
  • birdbox:postgresql-pre-aggregations:snapshotjest --verbose --updateSnapshot -i dist/test/birdbox-postgresql-pre-aggregations.test.js
  • birdbox:postgresql:snapshotjest --verbose --updateSnapshot -i dist/test/birdbox-postgresql.test.js
  • birdbox:snapshotjest --runInBand --updateSnapshot --verbose dist/test
  • birdbox:startnode dist/test/bin/start-birdbox.js
  • buildrm -rf dist && npm run tsc
  • cypress:birdboxnode dist/test/bin/cypress-birdbox.js
  • cypress:installcypress install
  • cypress:openkill-port 4000 && TEST_PLAYGROUND_PORT=3080 yarn cypress:birdbox
  • dataset:minimalnode dist/test/bin/download-dataset.js
  • driver:athenajest --verbose -i dist/test/driver-athena.test.js
  • driver:athena:snapjest --verbose --updateSnapshot -i dist/test/driver-athena.test.js
  • driver:bigqueryjest --verbose -i dist/test/driver-bigquery.test.js
  • driver:bigquery:snapjest --verbose --updateSnapshot -i dist/test/driver-bigquery.test.js
  • driver:databricksjest --verbose -i dist/test/driver-databricks.test.js
  • driver:databricks:snapjest --verbose --updateSnapshot -i dist/test/driver-databricks.test.js
  • driver:fireboltjest --verbose -i dist/test/driver-firebolt.test.js
  • driver:firebolt:snapjest --verbose --updateSnapshot dist/test/driver-firebolt.test.js
  • driver:postgresjest --verbose -i dist/test/driver-postgres.test.js
  • driver:postgres:snapjest --verbose --updateSnapshot -i dist/test/driver-postgres.test.js
  • …and 50 more.
Dependencies16
  • @cubejs-backend/cubestore-driver1.6.50
  • @cubejs-backend/dotenv^9.0.2
  • @cubejs-backend/ksql-driver1.6.50
  • @cubejs-backend/postgres-driver1.6.50
  • @cubejs-backend/query-orchestrator1.6.50
  • @cubejs-backend/schema-compiler1.6.50
  • @cubejs-backend/shared1.6.50
  • @cubejs-backend/testing-shared1.6.50
  • @cubejs-client/ws-transport1.6.50
  • dedent^0.7.0
  • fs-extra^8.1.0
  • http-proxy^1.18.1
  • node-fetch^2.6.1
  • ramda^0.27.2
  • testcontainers^10.28.0
  • yargs^17.3.1