Package evidence
@gbasin/[email protected]
Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 27 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 222
- Versions published
- 61
- First published
- Feb 2026
- Publisher
- gbasin
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@gbasin/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@gbasin/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 27 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 15 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Manifest Codeless Dependency Stub | package.json | package ships no JS/TS source but declares 27 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape | 15 |
Manifest
Package metadata
Scripts19
buildvite buildcoverage:allbun scripts/coverage-all.tsdeps:riskbun scripts/dependency-risk.tsdeps:risk:cibun scripts/dependency-risk.ts --threshold criticaldeps:risk:jsonbun scripts/dependency-risk.ts --jsondevconcurrently -k "bun run dev:server" "bun run dev:client"dev:clientvite --hostdev:serverbun scripts/dev-server.tslintoxlint .preparegit config core.hooksPath .githooksrelease:majorbun scripts/release.ts majorrelease:minorbun scripts/release.ts minorrelease:patchbun scripts/release.ts patchstartbun src/server/index.tstestbun scripts/test-runner.tstest:coveragebun scripts/test-runner.ts --coverage --coverage-reporter=lcov --skip-isolated && bun run coverage:alltest:e2eplaywright testtest:e2e:headedplaywright test --headedtypechecktsc --noEmit
Dependencies23
@base-ui/react^1.2.0@dnd-kit/core^6.3.1@dnd-kit/sortable^10.0.0@dnd-kit/utilities^3.2.2@fontsource-variable/jetbrains-mono^5.2.8@untitledui-icons/react^1.0.3@xterm/addon-clipboard^0.2.0@xterm/addon-fit^0.11.0@xterm/addon-progress^0.1.0@xterm/addon-search^0.15.0@xterm/addon-serialize^0.14.0@xterm/addon-web-links^0.12.0@xterm/addon-webgl^0.18.0@xterm/xterm^5.5.0clsx^2.1.1hono^4.6.10motion^12.25.0node-pty^1.1.0pino^10.3.0react^18.3.1react-dom^18.3.1tailwind-merge^3.4.0zustand^5.0.0
Optional dependencies4
@gbasin/agentboard-darwin-arm640.2.48@gbasin/agentboard-darwin-x640.2.48@gbasin/agentboard-linux-arm640.2.48@gbasin/agentboard-linux-x640.2.48