Package evidence
@jahia/[email protected]
Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 60 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 860
- Versions published
- 62
- First published
- Jan 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@jahia/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@jahia/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 60 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 4 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Manifest Codeless Dependency Stub | package.json | package ships no JS/TS source but declares 60 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape | 15 |
Manifest
Package metadata
Scripts20
buildyarn workspaces foreach --recursive --topological-dev run build && yarn webpackbuild:analyzeyarn build --analyzebuild:productionyarn build --mode=productionbuild:production-analyzeyarn build:production --analyzebuild:types(tsc || true) && tsc-aliascleanrimraf *.log src/main/resources/javascript/appsclean:allyarn clean && rimraf node_modules nodelintyarn lint:scss && yarn lint:jslint:fixyarn lint:js:fix && yarn lint:scss:fix && cd tests && yarn lint:fix && cd ..lint:jseslint --ext js,jsx srclint:js:fixyarn lint:js --fix srclint:scssstylelint "./src/**/*.scss"lint:scss:fixyarn lint:scss --fixsync-pomsync-pom-versionsync-pom-testssync-pom-version --package-file=tests/package.jsontddjest --env=jsdom --watch ./src/javascripttestyarn build && jest --env=jsdom --coverage ./src/javascripttest:clearjest --clearCachewatchyarn webpack --watchwebpacknode --max_old_space_size=2048 ./node_modules/webpack/bin/webpack.js
Dependencies60
@apollo/client^3.7.17@apollo/react-components^4.0.0@apollo/react-hoc^4.0.0@babel/polyfill^7.11.5@jahia/data-helper^1.1.19@jahia/design-system-kit^1.2.1@jahia/icons^1.1.2@jahia/moonstone^2.19.0@jahia/react-material^3.0.5@jahia/ui-extender^1.3.0@material-ui/core^3.9.3@material-ui/icons^3.0.1@material-ui/lab^3.0.0-alpha.30@tanstack/react-virtual^3.11.2bytes^3.1.0ckeditor4-react1.2.0clsx^2.1.1compare-versions^6.1.1connected-react-router^6.9.3dayjs^1.10.6ellipsize^0.5.0es-toolkit^1.39.4formik^2.4.9graphql^16.10.0graphql-tag^2.12.6history^5.3.0i18next^20.6.1image-extensions^1.1.0lodash^4.17.21mime^3.0.0- …and 30 more.