PkgRadar

Package evidence

@cucumber/[email protected]

Remote Dependency Spec: devDependencies.@cucumber/biome-config="github:cucumber/biome-config#v0.2.0"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
78Mature · −50% score
First published
Sep 2020
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@cucumber/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@cucumber/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes299,735
Previous version12.9.0
Published2026-06-02T07:10:03.122Z
SHA-2566118c2102a6a157a61683851ad87de1c0ecfc9efa537a800d338149699f394d5

Why flagged

What the scanner saw

Remote Dependency Spec: devDependencies.@cucumber/biome-config="github:cucumber/biome-config#v0.2.0"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
16Score
13.0.0Version
Status history (2 events)
  1. availableavailable · risk review · score 16 · status available -> available, risk high -> review, score 43 -> 16
  2. newavailable · risk high · score 43 · status changed

Evidence

Static findings

1 static · 1 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Dependency Specpackage.jsondevDependencies.@cucumber/biome-config="github:cucumber/biome-config#v0.2.0"8
mediumNew Remote Dependency Vs Previouspackage.jsondevDependencies.@cucumber/biome-config added in 13.0.0 vs 12.9.0: "github:cucumber/biome-config#v0.2.0"8

Manifest

Package metadata

Scripts20
  • build-localgenversion --es6 src/version.ts && tsc --build tsconfig.build.json && shx cp src/wrapper.mjs lib/ && shx cp src/api/wrapper.mjs lib/api/
  • cck-testmocha "compatibility/**/*_spec.ts"
  • exports-generate-docstypedoc
  • exports-testapi-extractor run --config exports/api/api-extractor.json --verbose && api-extractor run --config exports/root/api-extractor.json --verbose
  • exports-updateapi-extractor run --config exports/api/api-extractor.json --verbose --local && api-extractor run --config exports/root/api-extractor.json --verbose --local
  • feature-testnode bin/cucumber.js
  • fixbiome check --fix --error-on-warnings
  • lintbiome check --error-on-warnings
  • precck-testnpm run build-local
  • preexports-generate-docsnpm run build-local
  • preexports-testnpm run build-local
  • preexports-updatenpm run build-local
  • prefeature-testnpm run build-local
  • prepublishOnlyrm -rf lib && npm run build-local
  • pretest-coveragenpm run build-local
  • pretypes-testnpm run build-local
  • testnpm run lint && npm run exports-test && npm run types-test && npm run unit-test && npm run cck-test && npm run feature-test
  • test-coveragenyc --silent mocha "src/**/*_spec.ts" "compatibility/**/*_spec.ts" && nyc --silent --no-clean node bin/cucumber.js --tags "not @source-mapping" && nyc report --reporter=lcov
  • types-testtsd
  • unit-testmocha "src/**/*_spec.ts"
Dependencies34
  • @cucumber/ci-environment13.0.0
  • @cucumber/cucumber-expressions19.0.1
  • @cucumber/gherkin39.1.0
  • @cucumber/gherkin-streams6.0.0
  • @cucumber/gherkin-utils11.0.0
  • @cucumber/html-formatter23.1.0
  • @cucumber/junit-xml-formatter0.13.3
  • @cucumber/message-streams4.1.1
  • @cucumber/messages32.3.1
  • @cucumber/pretty-formatter3.3.1
  • @cucumber/tag-expressions9.1.0
  • assertion-error-formatter^3.0.0
  • cli-table30.6.5
  • commander^15.0.0
  • debug^4.3.4
  • error-stack-parser^2.1.4
  • figures^6.0.0
  • has-ansi^6.0.0
  • indent-string^5.0.0
  • is-installed-globally^1.0.0
  • is-stream^4.0.0
  • knuth-shuffle-seeded^1.0.6
  • lodash.merge^4.6.2
  • lodash.mergewith^4.6.2
  • luxon3.7.2
  • mkdirp^3.0.0
  • read-package-up^12.0.0
  • semver7.8.1
  • string-argv0.3.2
  • supports-color^10.0.0
  • …and 4 more.