Package evidence

@flowfuse/[email protected]

Large Javascript Payload: 2443340 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 3,504Niche · −30% score
Versions published: 2,291Mature · −50% score
First published: Dec 2023
Publisher: flowfuse-user

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@flowfuse/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@flowfuse/[email protected]"],"fail_on":"review"}'

Publisherflowfuse-user

Artifact bytes8,891,127

Previous version2.30.2-935b669-202606020922.0

Published2026-06-04T11:36:03.288Z

SHA-256b1e9ebe21fd6e9ad870832e38c191c6a4e71640fa45334d08844a6515c551907

Why flagged

What the scanner saw

Large Javascript Payload: 2443340 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low

12h agoLast checked

lowRisk

0Score

2.30.2-954b8ae-202606041134.0Version

Status history (1 event)

new → available12h ago · risk low · score 0 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)

Severity	Kind	Path	Detail
low	Large Javascript Payload	package/frontend/dist/app/main.4b39a70a7bfa3ca94f27.js	2443340 bytes
low	Large Javascript Payload	package/frontend/dist/app/setup.fd9326e9ce9692e4b5b4.js	2362305 bytes
low	Large Javascript Payload	package/frontend/dist/app/vendors.21605b1ed943b5c8271d.js	2420097 bytes

Manifest

Package metadata

Scripts32

buildwebpack --mode=production -c ./config/webpack.config.js
build-watchwebpack --mode=development -c ./config/webpack.config.js --watch
covernpm-run-all --sequential cover:unit cover:system cover:report
cover:reportnyc report --reporter=html --reporter=json -t './coverage/reports'
cover:systemnyc --silent npm run test:system && nyc report --reporter=json --report-dir ./coverage/reports/system/ && mv ./coverage/reports/system/coverage-final.json ./coverage/reports/system-coverage.json
cover:unitnpm-run-all --sequential cover:unit:forge cover:unit:frontend
cover:unit:forgenyc --silent npm run test:unit:forge && nyc report --reporter=json --report-dir ./coverage/reports/forge/ && mv ./coverage/reports/forge/coverage-final.json ./coverage/reports/forge-coverage.json
cover:unit:frontendvitest --config ./config/vitest.config.ts run --coverage && mv ./coverage/reports/frontend/coverage-final.json ./coverage/reports/frontend-coverage.json
cy:open:eecypress open --config-file ./config/cypress-ee.config.js
cy:open:oscypress open --config-file ./config/cypress-os.config.js
cy:runnpm-run-all --parallel cy:run:os cy:run:ee
cy:run:eecypress run --config-file ./config/cypress-ee.config.js
cy:run:oscypress run --config-file ./config/cypress-os.config.js
cy:web-servernpm-run-all --parallel cy:web-server:os cy:web-server:ee
cy:web-server:eenode ./test/e2e/frontend/test_environment_ee
cy:web-server:osnode ./test/e2e/frontend/test_environment_os
generate:typesnode scripts/dump-openapi.js && openapi-typescript openapi.json -o frontend/src/types/generated.ts --root-types --root-types-no-schema-prefix
install-stacknode scripts/install-stack.js --
linteslint -c .eslintrc "forge/**/*.js" "frontend/**/*.js" "frontend/**/*.vue" "test/**/*.js" --ignore-pattern "frontend/dist/**"
lint:fixeslint -c .eslintrc "forge/**/*.js" "frontend/**/*.js" "frontend/**/*.vue" "test/**/*.js" --ignore-pattern "frontend/dist/**" --fix
replnode forge/app.js --repl
servenpm-run-all --parallel build-watch start-watch
serve-replnpm-run-all --parallel build-watch start-watch-repl
startnode forge/app.js
start-watchcross-env NODE_ENV=development nodemon -w forge -w ee/forge -i forge/containers/localfs_root forge/app.js
start-watch-replcross-env NODE_ENV=development nodemon -w forge -w ee/forge -i forge/containers/localfs_root forge/app.js --repl
testnpm-run-all --sequential lint test:unit test:system
test:docsnode test/e2e/docs/valid-links.js ./docs
test:systemmocha 'test/system/**/*_spec.js' --timeout 10000 --node-option=unhandled-rejections=strict
test:unitnpm-run-all --sequential test:unit:forge test:unit:frontend
…and 2 more.

Dependencies72

@aws-sdk/client-sesv2^3.916.0
@aws-sdk/credential-provider-node^3.352.0
@fastify/cookie^11.0.2
@fastify/csrf-protection^7.1.0
@fastify/formbody^8.0.2
@fastify/helmet^13.0.2
@fastify/multipart^9.3.0
@fastify/passport^3.0.2
@fastify/rate-limit^10.3.0
@fastify/routes^6.0.2
@fastify/static^9.1.2
@fastify/swagger^9.6.1
@fastify/swagger-ui^5.2.5
@fastify/websocket^11.2.0
@flowfuse/driver-localfs2.30.2-457c7ef-202606020921.0
@flowfuse/flow-renderer^0.5.1
@headlessui/vue1.7.19
@heroicons/vue2.1.5
@immobiliarelabs/fastify-sentry^9.0.1
@levminer/speakeasy^1.4.2
@node-red/util^4.0.2
@node-saml/passport-saml^5.0.0
@redis/client^5.11.0
@sentry/node^7.73.0
@sentry/profiling-node^1.2.1
@sentry/vue^7.91.0
@sentry/webpack-plugin^2.7.1
@vuepic/vue-datepicker^11.0.2
axios^1.4.0
bcrypt^6.0.0
…and 42 more.