PkgRadar

Package evidence

@donniean/[email protected]

New Account With Lifecycle Hook: package first published 0 day(s) ago, 1 total version(s), has lifecycle hook

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
1
First published
Jun 2026
Publisher
donniean

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@donniean/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@donniean/[email protected]"],"fail_on":"high"}'
Publisherdonniean
Artifact bytes15,217
Previous versionnone
Published2026-06-08T10:22:55.425Z
SHA-25674f26ac435950915a3f2b236807da2fbab90b0112a7571b847cb34a1f717f9f2

Why flagged

What the scanner saw

New Account With Lifecycle Hook: package first published 0 day(s) ago, 1 total version(s), has lifecycle hook

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
5Score
0.0.1Version
Status history (1 event)
  1. newavailable · risk high · score 5 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highNew Account With Lifecycle Hookpackage.jsonpackage first published 0 day(s) ago, 1 total version(s), has lifecycle hook25
Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
highNew Account With Lifecycle Hookpackage.jsonpackage first published 0 day(s) ago, 1 total version(s), has lifecycle hook25
lowInstall-time lifecycle scriptpackage.jsonpreinstall="pnpm dlx only-allow@latest pnpm"5

Manifest

Package metadata

Scripts35
  • buildtsup
  • build:watchpnpm run build --watch
  • changeset:addchangeset add
  • changeset:publishchangeset publish
  • changeset:versionchangeset version
  • cleanrimraf dist/
  • devtsx src/cli
  • docstsx src/scripts
  • knipknip
  • knip:fixpnpm run knip --fix
  • linkpnpm run build && pnpm link
  • lintconcurrently --group --timings --prefix-colors=auto "pnpm:lint:*(!:fix)"
  • lint:fixconcurrently --max-processes=1 --group --timings --prefix-colors=auto "pnpm:lint:*:fix"
  • lint:formatprettier --check --ignore-unknown .
  • lint:format:fixprettier --write --ignore-unknown .
  • lint:jseslint
  • lint:js:fixpnpm run lint:js --fix
  • lint:mdmarkdownlint --dot "**/*.md"
  • lint:md:fixpnpm run lint:md --fix
  • lint:package-jsonpnpm run lint:package-json:fix --check
  • lint:package-json:fixsort-package-json "**/package.json" --ignore "**/node_modules/**/package.json" --ignore "**/dist/**/package.json"
  • lint:spellcspell lint --no-progress --no-must-find-files --dot --gitignore .
  • lint:textautocorrect --lint
  • lint:text:fixautocorrect --fix
  • lint:typestsc --noEmit
  • ncupnpm dlx npm-check-updates@latest --deep --format cooldown
  • ncu:upgradepnpm run ncu --upgrade
  • postdocsprettier --write configs.md
  • prebuildpnpm run clean
  • preinstallpnpm dlx only-allow@latest pnpm
  • …and 5 more.
Dependencies8
  • commander15.0.0
  • fs-extra11.3.5
  • json2md2.0.3
  • prettier3.8.3
  • remark15.0.1
  • remark-toc9.0.0
  • type-fest5.7.0
  • zod4.4.3