PkgRadar

Package evidence

@hyperframes/[email protected]

Large Javascript Payload: 6370190 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
20,172Mainstream · −50% score
Versions published
171
First published
Mar 2026
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@hyperframes/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@hyperframes/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes14,162,040
Previous version0.6.51
Published2026-05-28T00:25:07.196Z
SHA-256265a57fa8e69ee29d90a86f219b0bf952e52babab6b05a8fb8cf91ffdf7fde49

Why flagged

What the scanner saw

Large Javascript Payload: 6370190 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
9Score
0.6.52Version
Status history (1 event)
  1. newavailable · risk review · score 9 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumLarge Javascript Payloadpackage/dist/distributed.js6370190 bytes10
mediumLarge Javascript Payloadpackage/dist/index.js6505656 bytes10
mediumLarge Javascript Payloadpackage/dist/public-server.js6448961 bytes10

Manifest

Package metadata

Scripts21
  • bench:hdrtsx src/benchmark.ts --tags hdr
  • benchmarktsx src/benchmark.ts
  • buildbun run build:fonts && bun run --cwd ../.. build:hyperframes-runtime:modular && node build.mjs
  • build:fontsnode scripts/build-fonts.mjs
  • check:runtime-conformancetsx src/runtime-conformance.ts
  • docker:build:testdocker build -f ../../Dockerfile.test -t hyperframes-producer:test ../..
  • docker:testdocker run --rm --security-opt seccomp=unconfined --shm-size=2g -v ./tests:/app/packages/producer/tests hyperframes-producer:test
  • docker:test:distributeddocker run --rm --security-opt seccomp=unconfined --shm-size=2g -v ./tests:/app/packages/producer/tests hyperframes-producer:test --mode=distributed-simulated
  • docker:test:lambda-localdocker run --rm --security-opt seccomp=unconfined --shm-size=2g -v ./tests:/app/packages/producer/tests hyperframes-producer:test --mode=lambda-local
  • docker:test:updatedocker run --rm --security-opt seccomp=unconfined --shm-size=2g -v ./tests:/app/packages/producer/tests hyperframes-producer:test --update
  • parity:checktsx src/parity-harness.ts
  • parity:check:citsx src/parity-harness.ts --preview-url "http://127.0.0.1:4173/minimal-wysiwyg.html" --producer-url "http://127.0.0.1:4173/minimal-wysiwyg.html?mode=producer" --checkpoints "0,0.5,1,1.5" --allow-mismatch-ratio 0 --emulate-producer-swap true --artifacts-dir ".debug/parity-harness-ci"
  • parity:fixturestsx src/parity-fixtures.ts
  • parity:fixtures:citsx src/parity-fixtures.ts
  • perf:gatetsx src/perf-gate.ts
  • testtsx src/regression-harness.ts --exclude-tags transparency
  • test:distributedtsx src/regression-harness.ts --exclude-tags transparency --mode=distributed-simulated
  • test:lambda-localtsx src/regression-harness.ts --exclude-tags transparency --mode=lambda-local
  • test:transparencytsx src/transparency-test.ts
  • test:updatetsx src/regression-harness.ts --update --exclude-tags transparency
  • typechecktsc --noEmit
Dependencies19
  • @fontsource/archivo-black^5.2.8
  • @fontsource/eb-garamond^5.2.7
  • @fontsource/ibm-plex-mono^5.2.7
  • @fontsource/inter^5.2.8
  • @fontsource/jetbrains-mono^5.2.8
  • @fontsource/league-gothic^5.2.8
  • @fontsource/montserrat^5.2.8
  • @fontsource/nunito^5.2.7
  • @fontsource/oswald^5.2.8
  • @fontsource/outfit^5.2.8
  • @fontsource/space-mono^5.2.9
  • @hono/node-server^1.13.0
  • @hyperframes/core^0.6.52
  • @hyperframes/engine^0.6.52
  • hono^4.6.0
  • linkedom^0.18.12
  • postcss^8.4.0
  • puppeteer^24.0.0
  • puppeteer-core^24.39.1