Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 30
- Versions published
- 16Established · −30% score
- First published
- Jul 2025
- Publisher
- ryanlanglois
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@heymantle/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@heymantle/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Large Javascript Payload: 2954065 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 42 · status changed
Evidence
Static findings
6 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/cjs/storybook-static/sb-manager/globals-runtime.js | 2954065 bytes | 10 |
| medium | Large Javascript Payload | package/dist/esm/storybook-static/sb-manager/globals-runtime.js | 2954051 bytes | 10 |
| medium | Large Javascript Payload | package/dist/cjs/storybook-static/assets/iframe-CFdo3VNg.js | 2689834 bytes | 10 |
| medium | Large Javascript Payload | package/dist/esm/storybook-static/assets/iframe-CFdo3VNg.js | 2676104 bytes | 10 |
| medium | Large Javascript Payload | package/dist/cjs/storybook-static/assets/iframe-Dh334ofi.js | 2690531 bytes | 10 |
| medium | Large Javascript Payload | package/dist/esm/storybook-static/assets/iframe-Dh334ofi.js | 2676621 bytes | 10 |
Manifest
Package metadata
Scripts13
buildnpm run build:cjs && npm run build:esm && npm run build:typesbuild-and-publish./dev/verify-publish.mjs && npm publishbuild-storybookstorybook buildbuild:cjsnpx swc . --out-dir dist/cjs --config-file .swcrcbuild:esmnpx swc . --out-dir dist/esm --config-file .esm.swcrc --out-file-extension jsbuild:typesnpx tsc --project tsconfig.types.jsonstorybookstorybook dev -p 6006test:visualnpx playwright testtest:visual:dockerdocker compose -f docker-compose.playwright.yml run --rm playwright sh -c 'npm ci && npx playwright test'test:visual:docker:updatedocker compose -f docker-compose.playwright.yml run --rm playwright sh -c 'npm ci && npx playwright test --update-snapshots=all'test:visual:docker:update-missingUPDATE_MISSING_ONLY=true docker compose -f docker-compose.playwright.yml run --rm playwright sh -c 'npm ci && npx playwright test --update-snapshots=all'test:visual:updatenpx playwright test --update-snapshots=allverify-publish./dev/verify-publish.mjs
Dependencies8
@shopify/polaris-icons^7.13.0@uiw/react-color-sketch^2.8.0dayjs^1.11.7events^3.3.0lucide-react^0.575.0react-datepicker^8.1.0tailwind-variants^0.3.1use-debounce^9.0.4