PkgRadar

Package evidence

@cutting/[email protected]

Remote Payload: matched "cUrl "

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@cutting/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@cutting/[email protected]"],"fail_on":"review"}'
Publishercutting
Artifact bytes18,015
Previous version4.70.0
Published2026-04-13T18:08:55.623Z
SHA-25636e68cffe40be53880c11577411519d90d872a2d11acabf30a3d2cb5844a193f

Why flagged

What the scanner saw

Remote Payload: matched "cUrl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
12Score
4.71.0Version
Status history (1 event)
  1. newavailable · risk review · score 12 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/tools/config/env.jsmatched "cUrl "12

Manifest

Package metadata

Scripts4
  • build-toolsNODE_ENV=production tsc --build && pnpm postbuild
  • linteslint 'src/**/*.{ts,tsx,js}' --fix
  • postbuildchmod -R 777 tools && git update-index --chmod=+x --add ./tools/bin/cutting.js
  • testecho test
Dependencies38
  • @cutting/rollup-plugin-md0.5.0
  • @rbnlffl/rollup-plugin-eslint6.0.0
  • @rollup/plugin-commonjs29.0.2
  • @rollup/plugin-json6.1.0
  • @rollup/plugin-node-resolve16.0.3
  • @rollup/plugin-terser1.0.0
  • @rollup/pluginutils5.3.0
  • @testing-library/dom10.4.1
  • @types/bluebird3.5.42
  • @vanilla-extract/esbuild-plugin2.3.22
  • assert-ts0.3.4
  • autoprefixer10.4.27
  • browserslist4.28.2
  • chalk5.6.2
  • commander14.0.3
  • copy0.3.2
  • core-js3.49.0
  • cross-env10.1.0
  • cross-fetch4.1.0
  • dotenv17.4.2
  • esbuild0.28.0
  • fs-extra11.3.4
  • inquirer13.4.1
  • papaparse5.5.3
  • postcss8.5.9
  • postcss-import16.1.1
  • postcss-url10.1.3
  • prettier3.8.2
  • raf3.4.1
  • rollup4.60.1
  • …and 8 more.