PkgRadar

Package evidence

@golemio/[email protected]

no findings

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
7,797Niche · −30% score
Versions published
2,130Mature · −50% score
First published
Feb 2021
Publisher
GitLab CI/CD

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@golemio/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@golemio/[email protected]"],"fail_on":"review"}'
PublisherGitLab CI/CD
Artifact bytes3,490,234
Previous version5.15.0-rc.2572806793
Published2026-06-04T11:04:58.419Z
SHA-256864b0c990a4ef95611aa05d5c575a66e534beddaddd007bc8227ffb62acc0a73

Why flagged

What the scanner saw

No high-signal static finding in the saved report.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
lowRisk
0Score
5.15.0-rc.2576391291Version
Status history (1 event)
  1. newavailable · risk low · score 0 · status changed

Evidence

Static findings

No findings stored for this release.

Manifest

Package metadata

Scripts17
  • apidocs-testnpm run apidocs-test-output
  • apidocs-test-inputcross-env NODE_ENV=test golemio swagger api-test --oas docs/openapi-input.yaml --script test/api-docs/input-gateway/server.js --filter test/api-docs/input-gateway/portman-filter.json
  • apidocs-test-outputcross-env NODE_ENV=test golemio swagger api-test --oas docs/openapi-output.yaml --script test/api-docs/output-gateway/server.js --config test/api-docs/output-gateway/portman-config.json
  • buildrimraf ./dist && tspc -p ./tsconfig.build.json
  • build-minimalrun-s 'build -- --sourceMap false --declaration false'
  • build-watchrun-s 'build -- --watch --preserveWatchOutput'
  • code-coveragerun-s prepare-db coverage:only
  • coverage:onlynyc --reporter=text --reporter=lcov run-s 'test:only -- --reporter min -r source-map-support/register'
  • format:check-stagedpretty-quick --staged --pattern '**/*.ts'
  • generate-docstypedoc --out docs/typedoc src
  • linteslint --cache "{src,test}/**/*.ts"
  • prepare-dbgolemio import-db-data && run-s "refresh-precomputed-tables"
  • refresh-precomputed-tablescross-env NODE_ENV='test' TZ='UTC' ts-node -r tsconfig-paths/register -r dotenv/config test/scripts/refresh-precomputed-tables.ts
  • testrun-s prepare-db test:only
  • test:debugrun-s 'test -- --inspect-brk=9230'
  • test:onlycross-env NODE_ENV='test' TZ='UTC' mocha --exit --check-leaks --timeout 120000 --reporter-option maxDiffSize=0 -r ts-node/register -r tsconfig-paths/register --file 'test/setup.ts' -r dotenv/config 'test/**/*.test.ts'
  • validate-dependenciesdependency-cruiser --config .dependency-cruiser.js src
Dependencies8
  • @golemio/ovapi-gtfs-realtime-bindings1.4.0
  • @turf/turf^6.5.0
  • cheap-ruler^3.0.2
  • csv-parser^3.0.0
  • csv-stringify^5.6.2
  • fast-xml-builder^1.1.5
  • html-entities^2.6.0
  • pg-copy-streams^7.0.0