PkgRadar

Package evidence

@formio/[email protected]

Large Javascript Payload: 4550508 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
29,126Mainstream · −50% score
Versions published
688Mature · −50% score
First published
Jun 2023
Publisher
lane-formio

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@formio/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@formio/[email protected]"],"fail_on":"review"}'
Publisherlane-formio
Artifact bytes4,661,937
Previous version5.3.4
Published2026-05-11T16:53:42.978Z
SHA-25664de67f6cc867cfc903622f19dba1be6f314acd2e517f5094f99f4d51b3bdd88

Why flagged

What the scanner saw

Large Javascript Payload: 4550508 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
27Score
5.3.5Version
Status history (1 event)
  1. newavailable · risk review · score 27 · status changed

Evidence

Static findings

7 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumLarge Javascript Payloadpackage/dist/formio.form.js4550508 bytes10
mediumLarge Javascript Payloadpackage/dist/formio.full.js5138601 bytes10
mediumLarge Javascript Payloadpackage/dist/formio.js2148375 bytes10
mediumLarge Javascript Payloadpackage/dist/formio.utils.js2122379 bytes10
Show all 7 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumLarge Javascript Payloadpackage/dist/formio.form.js4550508 bytes10
mediumLarge Javascript Payloadpackage/dist/formio.full.js5138601 bytes10
mediumLarge Javascript Payloadpackage/dist/formio.js2148375 bytes10
mediumLarge Javascript Payloadpackage/dist/formio.utils.js2122379 bytes10
lowCredential file accesspackage/lib/cjs/components/file/editForm/File.edit.file.jsmatched ".aws"5
lowCredential file accesspackage/lib/mjs/components/file/editForm/File.edit.file.jsmatched ".aws"5
lowCredential file accesspackage/dist/formio.form.min.jsmatched ".Azure"5

Manifest

Package metadata

Scripts21
  • buildnpm run doc && npm run lib && npm run dist
  • build-appnpm run build-app:create-app && npm run build-app:jekyll && npm run build-app:remove-app
  • build-app:create-appnode -e 'var fs=require(`fs`);fs.writeFileSync(`./_config.app.yml`, `baseurl: /` + require(`./package.json`).version + `/`);'
  • build-app:jekylljekyll build --config _config.yml,_config.app.yml
  • build-app:remove-apprm ./_config.app.yml
  • deploy-s3$(node -e 'process.stdout.write(`aws s3 cp _site s3://formiojs.test-form.io/` + require(`./package.json`).version + `/ --recursive`)')
  • distgulp clean:dist && webpack --config webpack.config.js && webpack --config webpack.prod.js && gulp build
  • doctypedoc
  • dopublishnpm run build && npm run tag && npm publish
  • gh-pagesrm -rf _site && npm run build && jekyll build --config _config.yml && cd _site && git init && git remote add origin [email protected]:formio/formio.js.git && git checkout -b gh-pages && git add . && git commit -m "Deploy to GitHub Pages" && git push origin gh-pages --force && cd ..
  • invalidateVERSION=$(npm run version);aws cloudfront create-invalidation --distribution-id E1MXNA5A4ZKRMZ --paths "/$VERSION/*"
  • libgulp clean:lib && tsc --project tsconfig.cjs.json && tsc --project tsconfig.mjs.json && npm run lib:package && gulp version
  • lib:packagenode ./libpackage.js
  • linteslint . --fix
  • releasenpm run build-app && npm run deploy-s3
  • servejekyll serve --config _config.yml,_config.dev.yml
  • show-coverageopen coverage/lcov-report/index.html
  • tagVERSION=$(npm run version);git add -A; git commit -m "Build $Version";git push origin master;git tag v$VERSION;git push origin --tags;
  • testmocha --config .mocharc.json test/unit/*.unit.js
  • test:updateRendersnpm run lib && cross-env TZ=UTC node --require jsdom-global/register test/updateRenders.js
  • versionnode -e 'console.log(require(`./package.json`).version)'
Dependencies35
  • @formio/bootstrap^3.2.2
  • @formio/core^2.6.5
  • @formio/text-mask-addons^3.8.0-formio.4
  • @formio/vanilla-text-mask^5.1.1-formio.1
  • abortcontroller-polyfill^1.7.5
  • autocompleter^8.0.4
  • bootstrap^5.3.3
  • browser-cookies^1.2.0
  • browser-md5-file^1.1.1
  • choices.js^11.0.6
  • compare-versions^6.1.1
  • core-js^3.37.1
  • dialog-polyfill^0.5.6
  • dom-autoscroller^2.3.4
  • dompurify^3.3.3
  • downloadjs^1.4.7
  • dragula^3.7.3
  • eventemitter3^5.0.1
  • fast-deep-equal^3.1.3
  • fast-json-patch^3.1.1
  • idb^7.1.1
  • inputmask^5.0.8
  • ismobilejs^1.1.1
  • json-logic-js^2.0.2
  • jstimezonedetect^1.0.7
  • jwt-decode^3.1.2
  • lodash^4.17.21
  • moment^2.29.4
  • moment-timezone^0.5.44
  • quill^2.0.2
  • …and 5 more.