Package evidence

@db-ux/[email protected]

Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 1 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 147Mature · −50% score
First published: Feb 2025
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@db-ux/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@db-ux/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes390,817

Previous version4.10.1

Published2026-06-08T09:11:39.353Z

SHA-256b421de6aa54510dc3eec652bc2e13b4d56850c40e7403b13b6564e1492763109

Why flagged

What the scanner saw

Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 1 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

8d agoLast checked

reviewRisk

4Score

4.10.2Version

Status history (1 event)

new → available8d ago · risk review · score 4 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Manifest Codeless Dependency Stub	package.json	package ships no JS/TS source but declares 1 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape	15

Manifest

Package metadata

Scripts33

buildrun-s build-components build-assets && pnpm run build-style:01_sass && pnpm run build-style:02_postcss
build-assetscpr src build --overwrite --filter "(.ts|.tsx|.md|.html)$"
build-componentspnpm run build:mitosis && pnpm run build-components:post && pnpm run build-components:docs
build-components:docspnpm --filter @db-ux/wc-core-components run build:cem
build-components:posttsx scripts/post-build/index.ts
build-style:01_sasssass src:build --no-source-map --load-path=node_modules
build-style:02_postcsspostcss build/**/*.css --replace
build:mitosismitosis build --config configs/mitosis.config.cjs
compile:angularmitosis build --config configs/angular/mitosis.config.cjs && tsx scripts/exec/angular.ts && cpr ../../output/tmp/angular/src ../../output/angular/src --overwrite
compile:reactmitosis build --config configs/react/mitosis.config.cjs && tsx scripts/exec/react.ts && cpr ../../output/tmp/react/src ../../output/react/src --overwrite
compile:stencilmitosis build --config configs/stencil/mitosis.config.cjs && tsx scripts/exec/stencil.ts && cpr ../../output/tmp/stencil/src ../../output/stencil/src --overwrite
compile:vuemitosis build --config configs/vue/mitosis.config.cjs && tsx scripts/exec/vue.ts && cpr ../../output/tmp/vue/src ../../output/vue/src --overwrite
copy-assetscpr ../foundations/assets build/assets -o
copy-outputrun-p copy:*
copy:agentcpr agent ../../build-outputs/components/agent --overwrite
copy:changelogcpr CHANGELOG.md ../../build-outputs/components/CHANGELOG.md --overwrite
copy:outputscpr build ../../build-outputs/components/build --overwrite
copy:package.jsoncpr package.json ../../build-outputs/components/package.json --overwrite
copy:readmecpr README.md ../../build-outputs/components/README.md --overwrite
dev:angularnodemon --watch src --watch scripts --watch configs --ext tsx,ts,cjs --exec "npm run compile:angular"
dev:htmlpnpm run copy-assets && pnpm run build-assets && pnpm run build-style:01_sass && vite --open
dev:reactnodemon --watch src --watch scripts --watch configs --ext tsx,ts,cjs --exec "pnpm run compile:react"
dev:scsssass src:build --load-path=node_modules --watch --source-map
dev:stencilnodemon --watch src --watch scripts --watch configs --ext tsx,ts,cjs --exec "pnpm run compile:stencil"
dev:vuenodemon --watch src --watch scripts --watch configs --ext tsx,ts,cjs --exec "pnpm run compile:vue"
generate:agentmitosis build --config=configs/mitosis.agent.config.cjs
generate:componenthygen mitosis new
generate:docshygen update-docs new
generate:figmamitosis build --config=configs/mitosis.figma.config.cjs
generate:showcasemitosis build --config=configs/mitosis.showcase.config.cjs
…and 3 more.

Dependencies1

@db-ux/core-foundations4.10.2