Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 231
- Versions published: 203 (Established · −30% score)
- First published: Sep 2025
- Publisher: cynanrhodes
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Looks clean — keep monitoring
No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@gvnrdao/[email protected]"],"fail_on":"review"}'
GitHub Actions step:
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@gvnrdao/[email protected]"],"fail_on":"review"}'
Why flagged
What the scanner saw
Large Javascript Payload: 4064217 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk low · score 0 · status changed
Evidence
Static findings
3 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
All 3 findings (low-signal and informational):
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Large Javascript Payload | package/browser/dist/browser.js | 4064217 bytes | 0 |
| low | Large Javascript Payload | package/dist/index.js | 4844053 bytes | 0 |
| low | Large Javascript Payload | package/dist/index.mjs | 4840955 bytes | 0 |
Manifest
Package metadata
Scripts (28)
- `authorize:pkp`: `node scripts/authorize-pkp-actions.js`
- `build`: `npm run sync:deployments && npm run validate:contracts && npm run build:node`
- `build:all`: `npm run sync:deployments && npm run validate:contracts && npm run build:node && npm run build:browser`
- `build:browser`: `cd browser && npm install && npm run build`
- `build:node`: `npm run sync:deployments && tsup && npm run build:types`
- `build:types`: `tsc -p tsconfig.build.json`
- `clean`: `rm -rf dist && rm -rf browser/dist`
- `dev`: `tsc --watch`
- `lint`: `eslint src --ext .ts && npm run lint:server-boundary`
- `lint:server-boundary`: `node scripts/check-pkp-mint-server-imports.mjs`
- `postbuild:browser`: `grep -qE 'require\("http"\)|require\("https"\)|require\("fs"\)' browser/dist/browser.js && echo 'ERROR: Node built-ins found in browser bundle' && exit 1 || true`
- `prepublishOnly`: `npm run sync:deployments && npm run validate:contracts && npm run build:all`
- `sync:deployments`: `node scripts/sync-deployments.js`
- `sync:typechain`: `cd ../contracts && npm run compile`
- `test`: `jest`
- `test:coverage`: `jest --coverage`
- `test:e2e`: `jest tests/networks/**/e2e`
- `test:integration`: `jest tests/shared/integration`
- `test:networks`: `jest tests/networks`
- `test:position-query`: `ts-node test/position-query.test.ts`
- `test:psm`: `node test-psm-v2.js`
- `test:shared`: `jest tests/shared`
- `test:types`: `tsc --noEmit -p tsconfig.types.json`
- `test:unit`: `jest tests/shared/unit`
- `test:watch`: `jest --watch`
- `typecheck`: `tsc --noEmit`
- `typecheck:strict`: `tsc --noEmit -p tsconfig.strict.json`
- `validate:contracts`: `node scripts/validate-contract-mapping.js`
Dependencies (15)
- @gvnrdao/dh-lit-actions ^0.0.305
- @gvnrdao/dh-lit-ops ^0.0.292
- @noble/hashes ^1.5.0
- axios ^1.15.2
- bech32 ^2.0.0
- bip66 ^2.0.0
- bitcoinjs-lib ^6.1.0
- bs58check ^3.0.1
- buffer ^6.0.3
- crypto-js ^4.2.0
- dotenv ^17.4.2
- ethers ^6.16.0
- process ^0.11.10
- valibot ^1.1.0
- viem ^2.48.4
Optional dependencies (3)
- @esbuild/darwin-arm64 ^0.27.2
- esbuild ^0.27.0
- node-telegram-bot-api ^0.67.0