Package evidence

@gusto/[email protected]

no findings

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 112Mature · −50% score
First published: Oct 2024
Publisher: gusto-devops

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@gusto/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@gusto/[email protected]"],"fail_on":"review"}'

Publishergusto-devops

Artifact bytes1,691,731

Previous version0.46.2

Published2026-06-01T17:11:36.559Z

SHA-2569c3604c03812ef68603be3332e1c362af12a1ff02d948bfd96244d6c1759645b

Why flagged

What the scanner saw

No high-signal static finding in the saved report.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low

12d agoLast checked

lowRisk

0Score

0.46.3Version

Status history (1 event)

new → available12d ago · risk low · score 0 · status changed

Evidence

Static findings

No findings stored for this release.

Manifest

Package metadata

Scripts55

adapter:docs:generatenpx tsx ./build/generateAdapterPropDocs.ts
buildnpm run build:clean && npm run i18n:generate && vite build && npm run endpoints:derive
build-storybookstorybook build
build:cinpm run build && npm run lint:check && npm run format:check && npm run test:ci
build:cleanrm -rf ./dist && mkdir ./dist
commitlintcommitlint --edit
devnode ./build/prompt.js && npm run i18n:generate && npm-run-all --parallel watch:vite watch:translations
dev:setupnpm link ../gws-flows/node_modules/react ../gws-flows/node_modules/react-dom && (cd ../gws-flows && yarn link -r ../embedded-react-sdk)
docsnpm --prefix docs-site start
docs:buildnpm --prefix docs-site run build
docs:clearnpm --prefix docs-site run clear
docs:eventsnpx tsx ./build/eventTypeDocsEmitter.ts
docs:installnpm --prefix docs-site install
docs:servenpm --prefix docs-site run serve
e2e:refresh-tokennpx tsx e2e/scripts/refreshToken.ts
e2e:scenarios:prewarmnpx tsx e2e/scenario/scripts.ts prewarm
e2e:servevite --config e2e/vite.config.ts
e2e:setupnpx tsx e2e/scripts/runGlobalSetup.ts
endpoints:derivenpx tsx ./build/deriveEndpointInventory.ts
endpoints:verifynpx tsx ./build/deriveEndpointInventory.ts --verify
formatprettier . --write --log-level warn
format:checkprettier . --check --log-level warn
format:stagedprettier --write --log-level warn
i18n:generatenode ./build/interface.js
lintnpm run lint:check -- --fix
lint:checkeslint .
lint:stagedeslint --fix --cache
packnpm run build && npm pack
postversiongit push
preparehusky
…and 25 more.

Dependencies17

@gusto/embedded-api0.13.0
@hookform/error-message^2.0.1
@hookform/resolvers^5.4.0
@internationalized/date^3.12.2
@internationalized/number^3.6.7
classnames^2.5.1
deepmerge^4.3.1
dompurify^3.4.7
i18next^26.3.0
react-aria^3.47.0
react-aria-components1.16.0
react-error-boundary^6.1.2
react-hook-form^7.76.1
react-i18next^17.0.8
react-robot^1.2.1
robot3^1.2.0
zod^4.3.6