Package evidence
@kezaa/[email protected]
Remote Dependency Spec: devDependencies.@whiskeysockets/libsignal-node="git+https://github.com/whiskeysockets/libsignal-node"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 15
- Versions published
- 4
- First published
- May 2026
- Publisher
- kezaa
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@kezaa/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@kezaa/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Dependency Spec: devDependencies.@whiskeysockets/libsignal-node="git+https://github.com/whiskeysockets/libsignal-node"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 16 · status changed
Evidence
Static findings
1 static · 1 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Dependency Spec | package.json | devDependencies.@whiskeysockets/libsignal-node="git+https://github.com/whiskeysockets/libsignal-node" | 8 |
| medium | Dependency Changed To Remote Vs Previous | package.json | devDependencies.@whiskeysockets/libsignal-node changed to remote spec in 0.6.0-alpha.31 vs 0.6.0-alpha.30: "git+https://github.com/whiskeysockets/libsignal-node" | 8 |
Manifest
Package metadata
Scripts15
benchbun run build && bun run benches/binary.ts && bun run benches/signal.ts && bun run benches/curve.ts && bun run benches/crypto.tsbench:nodebun run build && node --expose-gc benches/binary.ts && node --expose-gc benches/signal.ts && node --expose-gc benches/curve.ts && node --expose-gc benches/crypto.tsbuildbun run gen && bun run build:wasm && bun run build:ts && bun run postbuildbuild:devbun run gen && bun run build:wasm:dev && bun run build:ts && bun run postbuildbuild:profilecargo build --profile profiling --target wasm32-unknown-unknown && wasm-bindgen --target web --out-dir pkg --keep-debug target/wasm32-unknown-unknown/profiling/whatsapp_rust_bridge.wasm && wasm-tools strip pkg/whatsapp_rust_bridge_bg.wasm -o pkg/whatsapp_rust_bridge_bg.wasm && bun run build:ts && bun run postbuildbuild:tsbun build ts/index.ts --minify --outfile dist/index.js --target node && cp pkg/whatsapp_rust_bridge_bg.wasm dist/ && cp ts/proto-types.d.ts dist/proto-types.d.ts && cp ts/proto-types.d.ts pkg/proto-types.d.ts && printf 'export { proto } from "./index.js";\n' > dist/proto-types.jsbuild:wasmwasm-pack build --target web --out-dir pkg --no-packbuild:wasm:devwasm-pack build --target web --out-dir pkg --no-pack --devbump:wacorecargo update -p whatsapp-rust && bun run buildexampleNODE_TLS_REJECT_UNAUTHORIZED=0 bun run examples/connect.tsgenbun run gen:bridge-types && bun run gen:proto-typesgen:bridge-typescd codegen && cargo run -q --bin gen-types --target $(rustc -vV | grep host | cut -d' ' -f2) > ../src/generated_types.rs.tmp && mv ../src/generated_types.rs.tmp ../src/generated_types.rsgen:proto-typesbun run scripts/gen-protobufjs-dts.tspostbuildtsc -p tsconfig.json --outDir dist && rm -f dist/macro.d.ts && rm -rf dist/generatedprepublishOnlybun run build