PkgRadar

Package evidence

@johnatas-henrique/[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@johnatas-henrique/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@johnatas-henrique/[email protected]"],"fail_on":"review"}'
Publisherjohnatas-henrique
Artifact bytes27,581
Previous version0.7.1
Published2026-05-24T04:47:49.017Z
SHA-256742bc2b1f979c491aee4d06d03625cb992e37683cf568e47c38c12fe63a8ca20

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
31Score
0.8.0Version
Status history (1 event)
  1. newavailable · risk review · score 31 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/assets/opencode-hooks.schema.jsonmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/index.mjsmatched "raw.githubusercontent.com"12
Show all 4 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Payloadpackage/assets/opencode-hooks.schema.jsonmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/index.mjsmatched "raw.githubusercontent.com"12
lowInstall-time lifecycle scriptpackage.jsonprepare="husky"4
lowObfuscationpackage/dist/index.mjsmatched "\\u2192"3

Manifest

Package metadata

Scripts20
  • buildtsup --no-config --entry.index=.opencode/plugins/opencode-hooks.ts --out-dir dist --format esm --dts --dts-resolve --clean --tsconfig tsconfig.json --target es2022 --external fs --external path --external @opencode-ai/plugin --external @opencode-ai/sdk
  • cov:ncFORCE_COLOR=1 vitest run --coverage --coverage.skipFull | grep -v '^ ✓*'
  • coverage:reportFORCE_COLOR=1 vitest run --coverage --coverage.reporter=text-summary 2>&1 | grep -A 7 "Coverage summary"
  • formatprettier --write "**/*.ts" --ignore-path .gitignore
  • format:checkprettier --check "**/*.ts" --ignore-path .gitignore
  • linteslint "**/*.ts" --ignore-pattern "node_modules/**" --ignore-pattern "dist/**" --ignore-pattern "coverage/**"
  • lint:fixeslint "**/*.ts" --ignore-pattern "node_modules/**" --ignore-pattern "dist/**" --ignore-pattern "coverage/**" --fix
  • preparehusky
  • prepublishOnlynpm run build
  • startnode .
  • testvitest
  • test:allnpm run test:unit && npm run test:integration && npm run test:e2e
  • test:covvitest run --coverage
  • test:e2ebash test/e2e/session-lifecycle.sh && bash test/e2e/tool-execution.sh
  • test:integrationvitest run test/integration/
  • test:integration:covvitest run test/integration/ --coverage --coverage.skipFull
  • test:unitvitest run test/unit/
  • test:unit:covvitest run test/unit/ --coverage --coverage.skipFull
  • typechecktsc --noEmit
  • watch:covFORCE_COLOR=1 vitest run --coverage 2>&1 | grep -e 'Tests ' -e 'All files' -e '% Stmts'