Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published: 4
- First published: May 2026
- Publisher: additherebel
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@lautec-gis/[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@lautec-gis/[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Large Javascript Payload: 19389139 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/mapbox-gl-dev.js | 19389139 bytes | 10 |
Manifest
Package metadata
Scripts (57)
- `build-all`: `run-p build-umd build-esm-dev build-esm-prod build-csp`
- `build-csp`: `rollup -c rollup.config.csp.ts`
- `build-css`: `postcss -o dist/mapbox-gl.css src/css/mapbox-gl.css`
- `build-dev`: `rollup -c --environment BUILD:dev`
- `build-dts`: `dts-bundle-generator --no-banner --export-referenced-types=false --umd-module-name=mapboxgl --project ./tsconfig.browser.json -o ./dist/mapbox-gl.d.ts ./src/index.ts`
- `build-dts-esm`: `dts-bundle-generator --no-banner --export-referenced-types=false --project ./tsconfig.browser.json -o ./dist/esm/mapbox-gl.d.ts ./src/index.esm.ts`
- `build-esm-dev`: `rollup -c rollup.config.esm.ts --environment BUILD:dev`
- `build-esm-prod`: `rollup -c rollup.config.esm.ts --environment BUILD:production,MINIFY:true`
- `build-prod`: `rollup -c --environment BUILD:production,MINIFY:true`
- `build-style-spec`: `npm run build --workspace src/style-spec && mkdir -p dist/style-spec && cp src/style-spec/dist/* dist/style-spec`
- `build-token`: `node build/generate-access-token-script.js`
- `build-umd`: `run-s build-dev build-prod`
- `bump-version`: `./build/bump-version.ts`
- `codegen`: `tsx ./build/generate-style-code.ts && tsx ./build/generate-struct-arrays.ts && tsx ./build/generate-typed-style-spec.ts`
- `lint`: `eslint --cache .`
- `lint-css`: `stylelint 'src/css/mapbox-gl.css'`
- `prepare`: `npm run build-prod && npm run build-css && npm run build-esm-prod`
- `prepare-release-pages`: `ln -sfn $PWD/dist test/release/dist && ln -sfn $PWD/debug test/release/debug && cp debug/access_token_generated.js test/release/`
- `prepublishOnly`: `run-s build-all build-css build-style-spec build-dts build-dts-esm`
- `pretest-render`: `npm run build-dev`
- `pretest-render-csp`: `npm run build-csp`
- `pretest-render-prod`: `npm run build-prod`
- `print-release-url`: `node build/print-release-url.js`
- `publish-alpha`: `./build/publish-alpha.ts`
- `publish-cdn`: `./build/publish-cdn.ts`
- `publish-package`: `bash -c 'set -a && source .env && set +a && npm publish'`
- `publish-release`: `./build/publish.ts`
- `size`: `size-limit`
- `start`: `run-p build-token watch-css watch-esm start-server`
- `start-all`: `run-p build-token watch-css watch-dev watch-esm start-server`
- …and 27 more.
Dependencies (22)
- `@mapbox/mapbox-gl-supported` `^3.0.0`
- `@mapbox/point-geometry` `^1.1.0`
- `@mapbox/tiny-sdf` `^2.0.6`
- `@mapbox/unitbezier` `^0.0.1`
- `@mapbox/vector-tile` `^2.0.4`
- `@types/geojson` `^7946.0.16`
- `@types/geojson-vt` `^3.2.5`
- `@types/pbf` `^3.0.5`
- `@types/supercluster` `^7.1.3`
- `cheap-ruler` `^4.0.0`
- `csscolorparser` `~1.0.3`
- `earcut` `^3.0.1`
- `geojson-vt` `^4.0.2`
- `gl-matrix` `^3.4.4`
- `kdbush` `^4.0.2`
- `martinez-polygon-clipping` `^0.8.1`
- `murmurhash-js` `^1.0.0`
- `pbf` `^4.0.1`
- `potpack` `^2.0.0`
- `quickselect` `^3.0.0`
- `supercluster` `^8.0.1`
- `tinyqueue` `^3.0.0`