Package evidence

@govtechsg/[email protected]

Remote Dependency Spec: dependencies.pdfjs-dist="github:veraPDF/pdfjs-dist#v4.4.168-taggedPdf-0.1.20"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 40Mature · −50% score
First published: Dec 2024
Publisher: younglim

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@govtechsg/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@govtechsg/[email protected]"],"fail_on":"review"}'

Publisheryounglim

Artifact bytes26,273,809

Previous version0.10.92

Published2026-06-16T05:09:38.186Z

SHA-256bce20d4fe040921335aa6b4e342fb7b31d14f0608020e69e54daa40e994dabd7

Why flagged

What the scanner saw

Remote Dependency Spec: dependencies.pdfjs-dist="github:veraPDF/pdfjs-dist#v4.4.168-taggedPdf-0.1.20"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

41h agoLast checked

reviewRisk

6Score

0.10.93Version

Status history (1 event)

new → available41h ago · risk review · score 6 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Dependency Spec	package.json	dependencies.pdfjs-dist="github:veraPDF/pdfjs-dist#v4.4.168-taggedPdf-0.1.20"	12

Manifest

Package metadata

Scripts8

buildnpm run copyfiles && tsc
build:watchnpm run build -- --watch
clinode --max-old-space-size=10000 dist/cli.js
copyfilesnode ./scripts/copyFiles.js src/static/ejs dist/static && node ./scripts/copyFiles.js src/constants/errorMeta.json dist/constants && node ./scripts/copyFiles.js exclusions.txt dist
linteslint . --report-unused-disable-directives --max-warnings 0
lint:fixeslint . --fix --report-unused-disable-directives --max-warnings 0
startnode --max-old-space-size=10000 dist/index.js
testnode --experimental-vm-modules ./node_modules/.bin/jest

Dependencies38

@aws-sdk/client-s3^3.1049.0
@json2csv/node^7.0.3
@napi-rs/canvas^0.1.53
@sentry/node^10.58.0
@types/aws-sdk^0.0.42
axe-core^4.11.4
axios^1.8.2
base64-stream^1.0.0
cheerio^1.0.0-rc.12
crawlee^3.13.10
ejs^3.1.9
file-type^21.3.3
fs-extra^11.2.0
glob^13.0.6
https^1.0.0
inquirer^9.2.12
jsdom^29.0.0
jszip^3.10.1
lodash^4.18.1
mime^4.0.7
mime-types^2.1.35
minimatch^10.2.4
pdfjs-distgithub:veraPDF/pdfjs-dist#v4.4.168-taggedPdf-0.1.20
playwright^1.58.2
prettier^3.1.0
print-message^3.0.1
safe-regex^2.1.1
text-readability^1.1.0
tldts^7.0.27
typescript^5.4.5
…and 8 more.

Optional dependencies7

@napi-rs/canvas-darwin-arm64^0.1.53
@napi-rs/canvas-darwin-x64^0.1.53
@napi-rs/canvas-linux-arm64-gnu0.1.53
@napi-rs/canvas-linux-arm64-musl0.1.53
@napi-rs/canvas-linux-x64-gnu0.1.53
@napi-rs/canvas-linux-x64-musl0.1.53
@napi-rs/canvas-win32-x64-msvc0.1.53