Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 3,484Niche · −30% score
- Versions published
- 59
- First published
- Apr 2026
- Publisher
- luke.birdeau
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Looks clean — keep monitoringNo high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@hotmeshio/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@hotmeshio/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
No high-signal static finding in the saved report.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk low · score 0 · status changed
Evidence
Static findings
No findings stored for this release.
Manifest
Package metadata
Scripts32
buildtsc --build tsconfig.json && cp -r lib/db/schemas build/lib/db/schemasbuild:allnpm run build && npm run dashboard:buildcleanrimraf ./buildclean-buildnpm run clean && npm run builddashboard:buildcd dashboard && npm run builddashboard:devcd dashboard && npm run devdashboard:installcd dashboard && npm installdashboard:testcd dashboard && npm testdashboard:test:watchcd dashboard && npm run test:watchdemobash scripts/demo.shlinteslint . --ext .tslint:fixeslint . --fix --ext .tsltctsx bin/ltc.tsmigratets-node lib/db/migrate.tsprocesstsx scripts/process.tsrelease:majornpm version major && git push && git push --tagsrelease:minornpm version minor && git push && git push --tagsrelease:patchnpm version patch && git push && git push --tagsstartts-node index.tsstart:devts-node-dev --respawn index.tstestvitest runtest:exportvitest run tests/workflows/export.test.tstest:functionaldocker compose down -v && rm -rf .docker-data/files/* && docker compose up -d --build && npx playwright test --config tests/functional/playwright.config.tstest:functional:skip-resetnpx playwright test --config tests/functional/playwright.config.tstest:integrationdocker compose down -v && rm -rf .docker-data/files/* && docker compose up -d --build && vitest run --config tests/integration/vitest.config.tstest:integration:skip-resetvitest run --config tests/integration/vitest.config.tstest:mcpvitest run tests/mcp.test.tstest:mcp:triagevitest run tests/workflows/mcp-triage.test.tstest:visionvitest run tests/services/mcp/vision-server.test.tstest:watchvitest- …and 2 more.
Dependencies26
@anthropic-ai/sdk^0.92.0@aws-sdk/client-s3^3.1017.0@aws-sdk/s3-request-presigner^3.1045.0@hotmeshio/hotmesh^0.19.5@modelcontextprotocol/sdk^1.27.1@opentelemetry/exporter-trace-otlp-proto^0.215.0@opentelemetry/resources^2.5.1@opentelemetry/sdk-node^0.218.0@opentelemetry/semantic-conventions^1.39.0ajv^8.20.0arctic^3.7.0bcryptjs^2.4.3commander^14.0.3express^5.1.0hono^4.12.23jsonwebtoken^9.0.3nats^2.28.0openai^5.9.0ora^9.4.0pg^8.13.0picocolors^1.1.1pino^9.6.0playwright^1.58.2sharp^0.34.5socket.io^4.8.3zod^3.25.76