PkgRadar

Package evidence

@dr.pogodin/[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 779
Versions published: 420 (Mature · −50% score)
First published: Aug 2019
Publisher: CircleCI

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@dr.pogodin/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@dr.pogodin/[email protected]"],"fail_on":"review"}'

Publisher: CircleCI
Artifact bytes: 336,383
Previous version: 1.52.11
Published: 2026-06-07T11:33:54.636Z
SHA-256: 452b8ad80d37a93fd79bda3771ca5e648ea3a0540ace32cc02b8c83a045b27fb

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 3
Version: 1.53.0
Status history (1 event)
  1. new · available · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity | Kind | Path | Detail | Points
medium | Remote Payload | package/bin/release.sh | matched "curl " | 12

Manifest

Package metadata

Scripts: 11
  • build: rimraf build && npm run build:scripts && npm run build:configs && node bin/build -t library
  • build:configs: tsc --project tsconfig.configs.json
  • build:scripts: babel ./bin-ts-src --config-file ./babel.scripts.config.js --out-dir bin -x .ts
  • jest: npm run jest:types && npm run jest:logic
  • jest:logic: NODE_CONFIG_ENV=test jest --no-cache -w 1 --config config/jest/default.js
  • jest:types: tstyche
  • lint: npm run lint:code && npm run lint:scss
  • lint:code: eslint --cache --cache-strategy content
  • lint:scss: stylelint -- **/*.{css,scss}
  • test: npm run lint && npm run typecheck && npm run jest
  • typecheck: tsc --noEmit
Dependencies: 34
  • @babel/runtime ^7.29.7
  • @commander-js/extra-typings ^15.0.0
  • @dr.pogodin/babel-plugin-react-css-modules ^6.13.9
  • @dr.pogodin/csurf ^1.17.1
  • @dr.pogodin/js-utils ^0.1.8
  • @dr.pogodin/react-global-state ^0.23.0
  • @dr.pogodin/react-helmet ^3.2.2
  • @dr.pogodin/react-themes ^1.10.4
  • @jest/environment ^30.4.1
  • axios ^1.17.0
  • commander ^15.0.0
  • compression ^1.8.1
  • config ^4.4.1
  • cookie ^1.1.0
  • cookie-parser ^1.4.7
  • core-js ^3.49.0
  • cross-env ^10.1.0
  • dayjs ^1.11.21
  • express ^5.2.1
  • helmet ^8.2.0
  • http-status-codes ^2.3.0
  • lodash-es ^4.18.1
  • morgan ^1.11.0
  • qs ^6.15.2
  • raf ^3.4.1
  • react ^19.2.7
  • react-dom ^19.2.7
  • react-router ^7.17.0
  • request-ip ^3.3.0
  • rimraf ^6.1.3
  • …and 4 more.