Package evidence
@feedmepos/[email protected]
Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 43 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 351 · Mature · −50% score
- First published
- Sep 2024
- Publisher
- lokingwei
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting. Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@feedmepos/[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@feedmepos/[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 43 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 7 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Manifest Codeless Dependency Stub | package.json | package ships no JS/TS source but declares 43 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape | 15 |
Manifest
Package metadata
Scripts (15)

| Script | Command |
|---|---|
| build | vue-tsc && vite build |
| build-only:dev | pnpm build:mf:dev |
| build-only:prod | pnpm build:mf:prod |
| build-types | vue-tsc --declaration --emitDeclarationOnly -p tsconfig.json --outDir dist --composite false |
| build:dev | cross-env NODE_OPTIONS=--max-old-space-size=4096 vite build --mode development |
| build:dts | vue-tsc --declaration --noEmit false --emitDeclarationOnly -p tsconfig.json --outDir ./dist && mv ./dist/src/* dist |
| build:mf:dev | vite build --mode fmmf |
| build:mf:prod | vite build --mode fmmf:prod |
| build:prod | cross-env NODE_OPTIONS=--max-old-space-size=4096 vite build --mode production |
| deploy:dev | pnpm run build-only:dev && pnpm publish --no-git-checks . |
| deploy:prod | pnpm run build-only:prod && pnpm publish --no-git-checks . |
| dev | vite |
| preview | vite preview |
| test | vitest run |
| test:watch | vitest |
Dependencies (43)

| Dependency | Version spec |
|---|---|
| @ckeditor/ckeditor5-build-classic | ^44.3.0 |
| @ckeditor/ckeditor5-vue | ^7.3.0 |
| @feedmepos/core | 2.15.21 |
| @feedmepos/custom-attributes | 0.0.1-rc.4 |
| @feedmepos/hrm-permission | 1.0.6 |
| @feedmepos/menu | 1.0.34 |
| @feedmepos/mf-common | 1.29.23 |
| @feedmepos/mf-core-ui | 1.0.25 |
| @feedmepos/mf-remy-panel | 0.5.1 |
| @feedmepos/remy-vue-client | 0.2.0-beta.14 |
| @feedmepos/ui-library | 1.10.4 |
| @tailwindcss/typography | ^0.5.16 |
| @types/qrcode | ^1.5.5 |
| @vueuse/core | ^14.1.0 |
| axios | ^1.7.2 |
| bson-objectid | ^2.0.4 |
| change-case | ^5.4.4 |
| ckeditor5 | ^44.3.0 |
| cross-env | ^7.0.3 |
| dayjs | ^1.11.12 |
| dotenv | ^16.4.5 |
| email-addresses | ^5.0.0 |
| fabric | ^5.5.1 |
| file-saver | ^2.0.5 |
| firebase | ^10.12.4 |
| i18next | 24.2.1 |
| lodash | ^4.17.21 |
| moment | ^2.30.1 |
| moment-timezone | ^0.6.0 |
| pinia | ^2.1.7 |

…and 13 more.