Package evidence
@kqinfo/[email protected]
Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 57 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
| Signal | Value |
|---|---|
| Weekly downloads | 166 |
| Versions published | 752 (Mature · −50% score) |
| First published | Mar 2021 |
| Publisher | may529 |
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```shell
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@kqinfo/[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@kqinfo/[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 57 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 6 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Manifest Codeless Dependency Stub | package.json | package ships no JS/TS source but declares 57 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape | 15 |
| low | Install-time lifecycle script | package.json | postinstall="patch-package" | 5 |
Manifest
Package metadata
Scripts (16)
| Script | Command |
|---|---|
| build | SOURCE_MAP_JS=1 father-build |
| deploy | npm run docs:build && npm run docs:deploy |
| dev | father-build -w |
| docs:build | NODE_OPTIONS=--openssl-legacy-provider dumi build |
| docs:deploy | gh-pages -d docs-dist |
| e2e | playwright test |
| e2e:install | playwright install |
| e2e:ui | playwright test --ui |
| generate:types | node generate-types.js |
| icon | iconfont-h5 --config iconfont.web.json && iconfont-remax --config iconfont.other.json && iconfont-rn --config iconfont.json |
| postinstall | patch-package |
| prettier | prettier --write "**/*.{js,jsx,tsx,ts,less,md,json}" |
| release | release-it |
| start | NODE_OPTIONS=--openssl-legacy-provider dumi dev |
| test | umi-test |
| test:coverage | umi-test --coverage |
Dependencies (57)
| Package | Version spec |
|---|---|
| @antv/f2 | ^3.8.10-beta.1 |
| @flyskywhy/react-native-gcanvas | ^2.3.7 |
| @gcanvas/core | ^1.0.0 |
| @react-native-community/cameraroll | ^4.1.2 |
| @sentry/react | ^6.7.1 |
| @sentry/react-native | ^3.1.1 |
| @sentry/tracing | ^6.7.1 |
| aes-js | ^3.1.2 |
| ahooks | ^3.7.0 |
| antd-mobile | ^5.22.0 |
| array-flat-polyfill | ^1.0.1 |
| axios-ali-adapter | ^0.0.6 |
| axios-wechat-adapter | ^0.0.8 |
| base64-js | ^1.5.1 |
| china-id-card | ^1.2.1 |
| circular-json | ^0.5.9 |
| classnames | ^2.3.1 |
| clipboard | ^2.0.8 |
| color | ^4.2.3 |
| create-api-hooks | ^0.0.30 |
| crypto-js | ^4.0.0 |
| es7-object-polyfill | ^1.0.1 |
| eval5 | ^1.4.7 |
| file-saver | ^2.0.5 |
| immutable | ^4.0.0 |
| import-cdn-js | ^0.0.2 |
| jigsaw-captcha-js | ^1.0.0 |
| jsbarcode | ^3.11.3 |
| mini-html-parser2 | ^0.3.0 |
| parsec-hooks | ^1.0.19 |
…and 27 more.