Package evidence

@ebay/[email protected]

Large Javascript Payload: 7260541 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 228Mature · −50% score
First published: Jul 2022
Publisher: GitHub ActionsTrusted automation · −70% score
External confirmation: MAL-2024-1006OSV match · pinned to high regardless of other signals

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@ebay/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@ebay/[email protected]"],"fail_on":"high"}'

PublisherGitHub Actions

Artifact bytes2,658,393

Previous version9.6.4

Published2026-05-29T18:35:00.235Z

SHA-256c505ef532ff80fa222097e4cac48e2721bf74d39df1a4f8dcde71760e4836f5c

Why flagged

What the scanner saw

Large Javascript Payload: 7260541 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

3h agoLast checked

highRisk

0Score

9.6.5Version

Status history (1 event)

new → available14d ago · risk high · score 0 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Large Javascript Payload	package/ebay-svg/index.js	7260541 bytes	0

Manifest

Package metadata

Scripts21

buildnpm run clean && npm run type:check && vitest run && vite build && npm run copy && npm run smoke-test
build:storybookstorybook build
cleannode scripts/clean
copycopyfiles package.json README.md dist && npm run copy:rest
copy:restcopyfiles 'src/**/*.md' dist -u 1
coveragenpm run clean && npm run test -- --coverage --ci
deployNODE_OPTIONS=--max-old-space-size=8192 storybook build -o ./_site/$(git branch --show-current)
formateslint . --fix 'src/**/*.{ts,tsx}' && prettier . --write --log-level=warn
generate-locale-infonode scripts/generate-locale-info.js
linteslint . --ext .ts,.tsx && prettier . --check --log-level=warn
releasevite build && npm run copy
smoke-testconcurrently --kill-others-on-fail "npm run smoke-test:react-16" "npm run smoke-test:react-18" "npm run smoke-test:react-19"
smoke-test:react-16cd ./smoke-tests/react-16 && npm ci && npm run test
smoke-test:react-18cd ./smoke-tests/react-18 && npm ci && npm run test
smoke-test:react-19cd ./smoke-tests/react-19 && npm ci && npm run test
startnpm run storybook
storybookstorybook dev -p 9001 -c .storybook
testvitest run
type:checktsc --noEmit
update-iconsnode ./scripts/update-icons
versionnpm run update-icons && git add -A src

Dependencies12

@floating-ui/react^0.27.17
classnames^2.5.1
makeup-active-descendant^0.7.11
makeup-expander^0.11.10
makeup-floating-label^0.4.9
makeup-focusables^0.4.6
makeup-keyboard-trap^0.5.8
makeup-prevent-scroll-keys^0.3.5
makeup-roving-tabindex^0.7.8
makeup-screenreader-trap^0.5.7
makeup-typeahead^0.3.5
react-remove-scroll^2.7.2

Optional dependencies3

@highcharts/react^4.0.0
highcharts^12.0.0
shaka-player^5.0.2