PkgRadar

Package evidence

@goodgamestudios/[email protected]

Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 2 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
5
First published
Mar 2026
Publisher
tschrader-ggs

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@goodgamestudios/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@goodgamestudios/[email protected]"],"fail_on":"review"}'
Publishertschrader-ggs
Artifact bytes12,213
Previous version0.2.0-qa.0
Published2026-05-07T11:32:00.095Z
SHA-256fd87f51b70f5cad81b3475056e3e5b89a27459bd8323f9610cf2d44791fd1976

Why flagged

What the scanner saw

Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 2 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
15Score
0.2.0-qa.1Version
Status history (1 event)
  1. newavailable · risk review · score 15 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumManifest Codeless Dependency Stubpackage.jsonpackage ships no JS/TS source but declares 2 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape15

Manifest

Package metadata

Scripts19
  • GO-LIVEnpm run build:production && npm run deploy:production
  • QA-TESTnpm run build:qa && npm run deploy:qa
  • bddjest bdd/*
  • buildparcel build src/empire.ts src/bigfarm.ts
  • build:devcross-env NODE_ENV=dev npm run build
  • build:localcross-env NODE_ENV=production parcel build src/empire.ts src/bigfarm.ts -d local
  • build:productioncross-env NODE_ENV=production npm run build --experimental-scope-hoisting -- --no-source-maps
  • build:qacross-env NODE_ENV=qa npm run build
  • deploy:devnpm run release -- --prerelease dev && npm publish --access public --tag dev
  • deploy:productionnpm run release && npm publish --access public --tag production
  • deploy:qanpm run release -- --prerelease qa && npm publish --access public --tag qa
  • flush:qacurl -s https://purge.jsdelivr.net/npm/@goodgamestudios/cxf-ia-venatus@qa/dist/index.js && curl -s https://purge.jsdelivr.net/npm/@goodgamestudios/cxf-ia-venatus@qa/dist/index.js.map
  • linttslint './src/**/*.ts'
  • localhttp-server --cors ./local -p 3366 -c-1
  • prebuildrimraf dist .cache
  • releasestandard-version
  • startparcel bdd/src/index.html -p 3330
  • testnpm run unit && npm run bdd
  • unitjest src/*
Dependencies2
  • @goodgamestudios/cxf-ready^1.0.1
  • readuz^1.0.0