Package evidence
@devtron-labs/[email protected]
Install-time lifecycle script: postinstall="patch-package"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 2,071Mature · −50% score
- First published
- Dec 2022
- Publisher
- vivek-dt
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@devtron-labs/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@devtron-labs/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Install-time lifecycle script: postinstall="patch-package"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 2 · status changed
Evidence
Static findings
3 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 3 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Install-time lifecycle script | package.json | postinstall="patch-package" | 5 |
| low | Large Javascript Payload | package/dist/@code-editor-BVZtUgT5.js | 4089753 bytes | 0 |
| low | Large Javascript Payload | package/dist/@vendor-C8nzu6lT.js | 3266597 bytes | 0 |
Manifest
Package metadata
Scripts13
buildNODE_OPTIONS=--max_old_space_size=3072 vite build --sourcemapbuild-libvite buildbuild-watchNODE_OPTIONS=--max_old_space_size=3072 vite build --sourcemap --watchdevNODE_OPTIONS=--max_old_space_size=3072 vitegenerate-iconnode ./scripts/generate-icon.cjsgenerate-illustrationnode ./scripts/generate-illustration.cjslinttsc --noEmit && NODE_OPTIONS=--max_old_space_size=3072 eslint 'src/**/*.{js,jsx,ts,tsx}' --max-warnings 0lint-fixeslint 'src/**/*.{js,jsx,ts,tsx}' --fixlint-stagedlint-stagedpostinstallpatch-packagepreparenode -e "try { require('husky').install() } catch (e) {}"previewvite previewtestexit 0
Dependencies42
@codemirror/autocomplete6.18.6@codemirror/lang-json6.0.1@codemirror/lang-yaml6.1.2@codemirror/language6.10.8@codemirror/legacy-modes6.4.2@codemirror/lint6.8.4@codemirror/merge^6.10.0@codemirror/search6.5.8@datasert/cronjs-parser^1.4.0@lezer/highlight1.2.1@replit/codemirror-indentation-markers6.5.3@replit/codemirror-vscode-keymap6.0.2@rjsf/core^6.2.4@rjsf/utils^6.2.4@rjsf/validator-ajv8^6.2.4@tanstack/react-query^5.90.21@tanstack/react-virtual^3.13.24@uiw/codemirror-extensions-hyper-link4.23.10@uiw/codemirror-theme-github4.23.7@uiw/react-codemirror4.23.7@uiw/react-md-editor^4.0.11@xyflow/react12.4.2ansi_up6.0.6chart.js4.5.0codemirror-json-schema0.8.0cronstrue^3.9.0dayjs^1.11.13fast-json-patch^3.1.1focus-trap-react^10.3.1framer-motion^11.18.2- …and 12 more.