Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 36,272Mainstream · −50% score
- Versions published
- 6,310Mature · −50% score
- First published
- May 2022
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@lightdash/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@lightdash/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 8 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/track.sh | matched "curl " | 12 |
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/track.sh | matched "curl " | 12 |
| low | Credential file access | package/dist/dbt/targets/athena.js | matched "aws_access_key" | 5 |
| low | Install-time lifecycle script | package.json | preinstall="bash track.sh started || echo 'skipping preinstall'" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="bash track.sh completed || echo 'skipping postinstall'" | 5 |
Manifest
Package metadata
Scripts17
buildtsc --build tsconfig.jsonbuild:binaryDUCKDB_BINDINGS=node-bindings-darwin-x64,node-bindings-darwin-arm64 pnpm bundle && npx @yao-pkg/pkg bundle/index.js --config pkg.config.json --targets node20-macos-x64,node20-macos-arm64 --output bin/lightdash --compress Brotlibuild:fasttsgo --build tsconfig.fast.jsonbundlencc build dist/index.js -o bundle -e @duckdb/node-api -e @duckdb/node-bindings -e @duckdb/node-bindings-darwin-arm64 -e @duckdb/node-bindings-darwin-x64 -e @duckdb/node-bindings-linux-arm64 -e @duckdb/node-bindings-linux-x64 -e @duckdb/node-bindings-win32-x64 && bash ./scripts/copy-bundle-assets.shdevts-node src/index.tsfix-formatoxfmt ./srcfix-lintpnpm run linter ./src --fixformatoxfmt ./src --checkformatteroxfmtlintpnpm run linter ./srclintereslint -c .eslintrc.js --ignore-path ./../../.gitignorepostinstallbash track.sh completed || echo 'skipping postinstall'preinstallbash track.sh started || echo 'skipping preinstall'releasepnpm publish --no-git-checks --access publictestjesttypechecktsc --project tsconfig.json --noEmittypecheck:fasttsgo --project tsconfig.fast.json --noEmit
Dependencies26
@actions/core1.11.1@casl/ability6.8.0@lightdash/common0.3158.0@lightdash/warehouses0.3158.0@types/columnify1.5.1ajv8.18.0ajv-formats2.1.1better-ajv-errors1.2.0chalk4.1.2chokidar3.6.0columnify1.6.0commander9.5.0execa5.1.1google-auth-library9.15.1inquirer8.2.7js-yaml4.1.1lodash4.18.1node-fetch2.7.0nunjucks3.2.4openid-client5.6.4ora5.4.1p-limit3.1.0parse-node-version2.0.0unique-names-generator4.7.1uuid11.1.1yaml2.8.3