Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 509Mature · −50% score
- First published
- Apr 2024
- Publisher
- eglove
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@ethang/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@ethang/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched ".npmrc"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 2 · status changed
Evidence
Static findings
12 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 12 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/chunk-w7hjdq81.js | matched ".npmrc" | 5 |
| low | Obfuscation Density | package/chunk-3z3zc17x.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/chunk-9dpdmh2a.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/chunk-b64zgmfj.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/chunk-jfqj74fa.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/chunk-nx3xw9bw.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/chunk-pmcgh56x.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/chunk-v77xqz3s.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/config.astro.js | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/config.react.js | 3308993 bytes | 0 |
| low | Large Javascript Payload | package/constants.js | 6895465 bytes | 0 |
| low | Large Javascript Payload | package/eslint.config.js | 12913225 bytes | 0 |
Manifest
Package metadata
Scripts1
buildbun build.ts && bun x prettier src -w
Dependencies33
@angular-eslint/eslint-plugin^19.3.0@angular-eslint/eslint-plugin-template^19.3.0@angular-eslint/template-parser^19.3.0@babel/preset-typescript^7.27.0@cspell/eslint-plugin^8.18.0@eslint-react/eslint-plugin^1.38.2@eslint/css^0.6.0@eslint/js^9.23.0@eslint/json^0.11.0@eslint/markdown^6.3.0@ethang/toolbelt^4.4.1@tanstack/eslint-plugin-query^5.68.0@tanstack/eslint-plugin-router^1.114.29angular-eslint^19.3.0eslint-config-prettier^10.1.1eslint-plugin-astro^1.3.1eslint-plugin-barrel-files^3.0.1eslint-plugin-compat^6.0.2eslint-plugin-depend^0.12.0eslint-plugin-jsx-a11y^6.10.2eslint-plugin-lodash^8.0.0eslint-plugin-n^17.17.0eslint-plugin-perfectionist^4.10.1eslint-plugin-prettier^5.2.5eslint-plugin-react-compiler^19.0.0-beta-aeaed83-20250323eslint-plugin-react-hooks^5.2.0eslint-plugin-solid^0.14.5eslint-plugin-sonarjs^3.0.2eslint-plugin-tailwindcss^3.18.0eslint-plugin-unicorn^58.0.0- …and 3 more.