Package evidence

@kamino-finance/[email protected]

Remote Dependency Spec: devDependencies.anchor-client-gen="git+https://github.com/kklas/anchor-client-gen.git#03a3273a10b804a41878e71cdae1b7d6257aa347"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 385Mature · −50% score
First published: Apr 2024
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@kamino-finance/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@kamino-finance/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes676,981

Previous version8.1.0-beta.3

Published2026-06-12T13:54:42.727Z

SHA-25633476123ec3b0ff55c341e2eca0f9b4d11a4ee8ab5154ebd878c360b29962bf0

Why flagged

What the scanner saw

Remote Dependency Spec: devDependencies.anchor-client-gen="git+https://github.com/kklas/anchor-client-gen.git#03a3273a10b804a41878e71cdae1b7d6257aa347"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

29h agoLast checked

reviewRisk

2Score

8.1.0-beta.4Version

Status history (1 event)

new → available29h ago · risk review · score 2 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Dependency Spec	package.json	devDependencies.anchor-client-gen="git+https://github.com/kklas/anchor-client-gen.git#03a3273a10b804a41878e71cdae1b7d6257aa347"	8

Manifest

Package metadata

Scripts36

anchor-client-genyarn tsx ./node_modules/anchor-client-gen/src/main.ts
buildrm -rf dist/; tsc
build:betarm -rf dist/; tsc -p tsconfig.beta.json
build:testyarn tsc --project ./tests/tsconfig.json
build:watchyarn tsc --watch
cleanrm -rf dist/
clean:allyarn clean && yarn clean:deps
clean:depsrm -rf node_modules
clitsx --no-deprecation src/client/client.ts
codegenyarn codegen:klend && yarn codegen:kvault && yarn codegen:jupiter-perps && yarn codegen:pyth-solana-receiver
codegen-unstaking-poolyarn anchor-client-gen src/idl/unstaking_pool.json ./src/@codegen/unstaking_pool/ --program-id USo1uB8RsRuM8y8e8vbL3mwR22EzSTLyZqaJPoZvn3a
codegen:jupiter-perpsyarn anchor-client-gen src/idl/jupiter_perps.json ./src/@codegen/jupiter_perps --program-id PERPHjGBqRHArX4DySjwM6UJHiR3sWAatqfdBS2qQJu && node ./scripts/normalize-jupiter-perps-codegen.js
codegen:klendyarn anchor-client-gen src/idl/klend.json ./src/@codegen/klend --program-id KLend2g3cP87fffoy8q1mQqGKjrxjC8boSyAYavgmjD && node ./scripts/normalize-klend-codegen.js
codegen:kvaultyarn anchor-client-gen src/idl/kvault.json ./src/@codegen/kvault --program-id KvauGMspG5k6rtzrqqn7WNn3oZdyKqLKwK2XWQ8FLjd && node ./scripts/normalize-kvault-codegen.js
codegen:pyth-solana-receiveryarn anchor-client-gen src/idl/pyth_rec.json './src/@codegen/pyth_rec' --program-id rec5EKMGg6MxZYaMdyBfgwp4d5rB9T1VQH5pJv5LtFJ
codegen:switchboardyarn anchor-client-gen src/idl/switchboard_v2.json ./src/@codegen/switchboard_v2 --program-id SW1TCH7qEPTdLsDHRgPuMQjbQxKdH2aBStViMFnt64f
coveragejest --coverage
devconcurrently "yarn build:watch" "nodemon --watch dist -e js,ts --exec 'yarn dev:push-and-update'"
dev:push-and-updateyalc publish && cd examples && yalc update
docstypedoc
dump-programs./deps/dump-from-mainnet.sh
kamino-managertsx src/manager/client_kamino_manager.ts
lintyarn prettier --check .; yarn eslint .
lint:fixyarn prettier --write .; yarn eslint . --fix
start-validatorsolana-test-validator $(./deps/test-validator-params.sh)
start-validator-and-serveryarn start-server-and-test 'yarn start-validator' http://127.0.0.1:8899/health
start-validator-and-testyarn start-validator-and-server test
start-validator-and-test-kvaultsyarn start-validator-and-server test-kvaults
start-validator-and-test-v2USE_V2=true yarn start-validator-and-server test
strip-idl-docsnode ./scripts/strip-idl-docs.js src/idl/klend.json src/idl/kvault.json
…and 6 more.

Dependencies20

@coral-xyz/anchor^0.28.0
@coral-xyz/borsh^0.28.0
@kamino-finance/farms-sdk^3.2.24
@kamino-finance/kliquidity-sdk^11.0.3
@kamino-finance/scope-sdk^10.1.0
@solana-program/address-lookup-table^0.8.0
@solana-program/system^0.8.0
@solana-program/token^0.6.0
@solana-program/token-2022^0.5.0
@solana/compat^2.3.0
@solana/kit^2.3.0
@solana/spl-stake-pool^1.1.8
@solana/sysvars^2.3.0
axios^1.6.8
bn.js^5.2.1
buffer^6.0.3
commander^9.3.0
decimal.js^10.4.3
exponential-backoff^3.1.1
zstddec^0.1.0