Package evidence

@layerfi/[email protected]

Large Javascript Payload: 3030323 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 12,074Mainstream · −50% score
Versions published: 222Mature · −50% score
First published: Dec 2023
Publisher: danieloneel

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@layerfi/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@layerfi/[email protected]"],"fail_on":"review"}'

Publisherdanieloneel

Artifact bytes1,915,776

Previous version0.1.135-alpha

Published2026-05-26T04:46:55.929Z

SHA-25689f15f2d424b5242bfaf43350f7247dd76ab886328661e6404fca9f9bd8316c7

Why flagged

What the scanner saw

Large Javascript Payload: 3030323 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

22d agoLast checked

reviewRisk

10Score

0.1.135Version

Status history (1 event)

new → available22d ago · risk review · score 10 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Large Javascript Payload	package/dist/cjs/index.cjs	3030323 bytes	10
medium	Large Javascript Payload	package/dist/esm/index.mjs	2750808 bytes	10

Manifest

Package metadata

Scripts14

buildvite build --config vite/vite.config.ts --mode esm && vite build --config vite/vite.config.ts --mode cjs
build:cleanrm -rf ./dist && npm run build
clear:reactrm -rf ./node_modules/react && rm -rf ./node_modules/react-dom
devnpm run dev:js & npm run dev:types
dev:jsvite build --config vite/vite.config.ts --mode esm --watch
dev:typestsc -p tsconfig.build.json && tsc-alias -p tsconfig.build.json && tsc -p tsconfig.build.json --watch --preserveWatchOutput & chokidar 'dist/**/*.d.ts' --silent -c 'tsc-alias -p tsconfig.build.json'
linteslint . && stylelint '**/*.{css,scss}'
lint:eslinteslint .
lint:fixeslint . --fix && stylelint '**/*.{css,scss}' --fix
lint:stylelintstylelint '**/*.{css,scss}'
migrate:aliasestsx scripts/migrate-import-aliases.ts
prepacknpm run typecheck && npm run build:clean
preparehusky
typechecktsc --noEmit

Dependencies30

@floating-ui/react^0.27.8
@formatjs/intl-durationformat^0.10.4
@internationalized/date^3.8.2
@react-hook/resize-observer^2.0.2
@tanstack/react-form^1.19.0
@tanstack/react-table^8.21.3
@tanstack/react-virtual^3.13.9
calendar-link^2.11.0
classnames^2.5.1
date-fns^4.1.0
effect^3.16.3
i18next^25.8.17
i18next-pseudo^2.2.1
lodash-es^4.17.21
lucide-react^0.507.0
motion^12.23.11
react-aria-components^1.17.0
react-calendly^4.4.0
react-currency-input-field^3.10.0
react-dropzone^14.3.8
react-i18next^16.5.6
react-intl^7.1.14
react-merge-refs^3.0.2
react-plaid-link^4.0.1
react-select^5.10.1
recharts^3.6.0
swr^2.3.3
ts-ics^2.4.0
uuid^11.1.0
zustand^5.0.4