PkgRadar

Package evidence

@golemio/[email protected]

no findings

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
4,303Niche · −30% score
Versions published
1,090Mature · −50% score
First published
Jan 2021
Publisher
GitLab CI/CD

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@golemio/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@golemio/[email protected]"],"fail_on":"review"}'
PublisherGitLab CI/CD
Artifact bytes190,932
Previous version3.1.1-dev.2566973880
Published2026-06-04T10:34:50.299Z
SHA-256d6a6668e2ef9eb2df7c79abed75bb9c630c2a92f495581aa5e04fa4e4861d80e

Why flagged

What the scanner saw

No high-signal static finding in the saved report.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
lowRisk
0Score
3.1.1-dev.2576327528Version
Status history (1 event)
  1. newavailable · risk low · score 0 · status changed

Evidence

Static findings

No findings stored for this release.

Manifest

Package metadata

Scripts9
  • buildrimraf ./dist && tspc -p ./tsconfig.build.json
  • build-minimalrun-s 'build -- --sourceMap false --declaration false'
  • build-watchrun-s 'build -- --watch --preserveWatchOutput'
  • code-coveragenyc run-s test
  • generate-docstypedoc --out docs/typedoc src
  • linteslint --cache "{src,test}/**/*.ts"
  • testcross-env NODE_ENV=test NODE_OPTIONS=--no-experimental-strip-types mocha --exit --check-leaks --timeout 120000 -r ts-node/register -r tsconfig-paths/register --file 'test/setup.ts' -r dotenv/config 'test/**/*.test.ts'
  • test-debugrun-s 'test -- --inspect-brk=9230'
  • validate-dependenciesdependency-cruiser --config .dependency-cruiser.js src
Dependencies59
  • @abraham/reflection^0.10.0
  • @azure/data-tables^13.3.0
  • @azure/identity^4.5.0
  • @azure/storage-blob^12.26.0
  • @golemio/errors2.0.8
  • @golemio/validator0.3.7
  • @google-cloud/storage^7.19.0
  • @opensearch-project/opensearch^3.6.0
  • @opentelemetry/api^1.9.0
  • @opentelemetry/exporter-trace-otlp-grpc^0.214.0
  • @opentelemetry/instrumentation-amqplib^0.50.0
  • @opentelemetry/instrumentation-aws-sdk^0.56.0
  • @opentelemetry/instrumentation-express^0.52.0
  • @opentelemetry/instrumentation-http^0.203.0
  • @opentelemetry/instrumentation-ioredis^0.51.0
  • @opentelemetry/resources^2.0.1
  • @opentelemetry/sdk-trace-base^2.0.1
  • @opentelemetry/sdk-trace-node^2.0.1
  • @types/amqplib^0.10.7
  • @types/express^5.0.5
  • @types/geojson^7946.0.10
  • @types/luxon^2.3.1
  • @types/qs^6.9.18
  • JSONStream^1.3.5
  • ajv^8.20.0
  • amqplib^0.10.8
  • basic-ftp^6.0.1
  • class-transformer^0.5.1
  • class-validator^0.14.0
  • content-type^1.0.4
  • …and 29 more.