PkgRadar

Package evidence

@ionic/[email protected]

Large Javascript Payload: 2814334 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
335,916Ubiquitous · −70% score
Versions published
4,717Mature · −50% score
First published
Jul 2017
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@ionic/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@ionic/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes3,646,224
Previous version8.8.9-nightly.20260527
Published2026-05-28T07:24:35.989Z
SHA-256221c0ee127c7033a7e8b3fa891e1cd40aa1e06f342478ea5fbc706d5fb6f8685

Why flagged

What the scanner saw

Large Javascript Payload: 2814334 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
6Score
8.8.9-nightly.20260528Version
Status history (1 event)
  1. newavailable · risk review · score 6 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumLarge Javascript Payloadpackage/hydrate/index.js2814334 bytes10
mediumLarge Javascript Payloadpackage/hydrate/index.mjs2814074 bytes10

Manifest

Package metadata

Scripts28
  • buildnpm run clean && npm run build.css && stencil build --es5 --docs-json dist/docs.json
  • build.cssnpm run css.sass && npm run css.minify
  • build.debugnpm run clean && stencil build --debug
  • build.docs.jsonstencil build --docs-json dist/docs.json
  • cleannode scripts/clean.js
  • css.minifycleancss -O2 -o ./css/ionic.bundle.css ./css/ionic.bundle.css
  • css.sasssass --embed-sources --style compressed src/css:./css
  • docker.builddocker build -t ionic-playwright .
  • eslinteslint src
  • lintnpm run lint.ts && npm run lint.sass && npm run prettier -- --write --cache
  • lint.fixnpm run lint.ts.fix && npm run lint.sass.fix && npm run prettier -- --write --cache
  • lint.sassstylelint "src/**/*.scss"
  • lint.sass.fixnpm run lint.sass -- --fix
  • lint.tsnpm run eslint
  • lint.ts.fixnpm run eslint -- --fix
  • prerender.e2enode scripts/testing/prerender.js
  • prettierprettier "./src/**/*.{html,ts,tsx,js,jsx}"
  • startnpm run build.css && stencil build --dev --watch --serve
  • testnpm run test.spec && npm run test.e2e
  • test.e2enpx playwright test
  • test.e2e.dockernpm run docker.build && node ./scripts/docker.mjs
  • test.e2e.docker.cinpm run docker.build && CI=true node ./scripts/docker.mjs
  • test.e2e.docker.update-snapshotsnpm run test.e2e.docker -- --update-snapshots='changed'
  • test.e2e.update-snapshotsnpm run test.e2e -- --update-snapshots='changed'
  • test.specstencil test --spec --max-workers=2
  • test.treeshakenode scripts/treeshaking.js dist/index.js
  • test.watchjest --watch --no-cache
  • validatenpm run lint && npm run test && npm run build && npm run test.treeshake
Dependencies3
  • @stencil/core4.43.0
  • ionicons^8.0.13
  • tslib^2.1.0