PkgRadar

Package evidence

@eclipse-che/[email protected]

Remote Dependency Spec: devDependencies.license-tool="https://github.com/che-incubator/dash-licenses.git#c09f697ea6336ce82d365654dfeb7ef6e9c84768"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
315Mature · −50% score
First published
Dec 2022
Publisher
mkuznets

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@eclipse-che/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@eclipse-che/[email protected]"],"fail_on":"review"}'
Publishermkuznets
Artifact bytes165,644
Previous version7.118.0-next-218def5
Published2026-05-21T10:45:14.557Z
SHA-25611a267c26fe66cc4fb135a2f18f0fc01ef93b2de7085ddb56fb0a44fe16982e8

Why flagged

What the scanner saw

Remote Dependency Spec: devDependencies.license-tool="https://github.com/che-incubator/dash-licenses.git#c09f697ea6336ce82d365654dfeb7ef6e9c84768"

1 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
4Score
7.118.0-next-abc4b0eVersion
Status history (1 event)
  1. newavailable · risk review · score 4 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Dependency Specpackage.jsondevDependencies.license-tool="https://github.com/che-incubator/dash-licenses.git#c09f697ea6336ce82d365654dfeb7ef6e9c84768"8

Remote payloads

Followed remote artifacts

SourceURLRiskScoreSummary
devDependencies.license-toolhttps://github.com/che-incubator/dash-licenses.git#c09f697ea6336ce82d365654dfeb7ef6e9c84768error0invalid gzip header

Manifest

Package metadata

Scripts13
  • buildyarn run format && yarn run compile && yarn run lint && yarn run test
  • cleanrimraf lib
  • compiletsc --declaration --project .
  • formatif-env SKIP_FORMAT=true && echo 'skip format check' || prettier --check '{src,tests}/**/*.ts' package.json
  • format:fixprettier --write '{src,tests}/**/*.ts' package.json
  • license:checklicense-tool --check
  • license:generatelicense-tool --harvest
  • lintif-env SKIP_LINT=true && echo 'skip lint check' || eslint --cache=true --no-error-on-unmatched-pattern=true '{src,tests}/(!model|**)/*.ts'
  • lint:fixeslint --fix --cache=true --no-error-on-unmatched-pattern=true '{src,tests}/(!model|**)/*.ts'
  • prepareyarn run clean && yarn run build
  • publish:nextyarn publish --registry=https://registry.npmjs.org/ --no-git-tag-version --new-version 0.0.1-'$(date +%s)'
  • testif-env SKIP_TEST=true && echo 'skip test' || jest --forceExit
  • watchtsc -w
Dependencies8
  • @devfile/api2.3.0-1757407014
  • fs-extra^11.2.0
  • inversify^7.1.0
  • js-yaml^4.0.0
  • jsonc-parser^3.0.0
  • jsonschema^1.4.1
  • lodash^4.17.21
  • reflect-metadata^0.2.2