Package evidence

@gravitee/[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 887Mature · −50% score
First published: May 2020
Publisher: gravitee

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@gravitee/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@gravitee/[email protected]"],"fail_on":"review"}'

Publishergravitee

Artifact bytes674,083

Previous version4.4.0

Published2026-06-03T11:06:36.863Z

SHA-256e071157315f77daa4e3e07da3f361d3229c033328e848f2b75e3ce6a4777e141

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

10d agoLast checked

reviewRisk

3Score

4.4.1Version

Status history (1 event)

new → available10d ago · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/src/organisms/gv-schema-form/gv-schema-form.stories.js	matched "raw.githubusercontent.com"	12

Manifest

Package metadata

Scripts24

buildyarn docs && yarn check:i18n && yarn generate:theme && yarn generate:dist && build-storybook -s assets --modern --quiet
check:i18nnode tasks/check-i18n.js
compiletsc
compile:watchtsc -w
dangerdanger ci
docswca analyze src/** --outFile .docs/custom-elements.json && node tasks/generate-docs.js
generate:distyarn compile && cp -R assets dist/ && cp package.json dist/
generate:iconsnode tasks/generate-icons.js && yarn lint:fix
generate:themezx tasks/generate-theme.mjs && yarn lint:fix
linteslint src testing tasks && yarn prettier
lint:commitcommitlint --from $(git describe --tags --abbrev=0) --to HEAD --verbose
lint:fixeslint --fix src testing tasks && yarn prettier:fix
lint:licenselicense-check-and-add check -f license-check-config.json
lint:license:fixlicense-check-and-add add -f license-check-config.json -r $(date +%Y)
lint:packagesort-package-json
prepareis-ci || husky install
prettierprettier --check "**/*.{ts,js,html,css,json}"
prettier:fixprettier --write "**/*.{ts,js,html,css,json}"
releasesemantic-release
serveyarn docs && start-storybook -p 6006 --ci -s assets --modern
serve:prodyarn build && static -a 0.0.0.0 -p 8080 storybook-static --modern
testNODE_OPTIONS=--unhandled-rejections=warn jest
test:coverageyarn test --collect-coverage
test:watchyarn test --watchAll

Dependencies17

@codemirror/basic-setup^0.19.1
@codemirror/language-data^0.19.1
@codemirror/stream-parser^0.19.9
@formatjs/intl-locale^2.4.40
@formatjs/intl-relativetimeformat^9.3.2
@messageformat/core3.3.0
@popperjs/core^2.11.7
clipboard-copy^4.0.0
codemirror-asciidoc^2.0.0
date-fns^2.26.0
dompurify3.1.5
jdenticon^3.1.0
jsonschema1.4.1
lit^2.0.2
object-path^0.11.8
resize-observer-polyfill^1.5.1
whatwg-fetch^3.6.17