Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,054Niche · −30% score
- Versions published
- 30
- First published
- Apr 2026
- Publisher
- linemanio
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@lineman-io/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@lineman-io/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (2 events)
- available → available · risk review · score 8 · status available -> available, risk high -> review, score 149 -> 8
- new → available · risk high · score 149 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/node_modules/better-sqlite3/deps/download.sh | matched "curl " | 12 |
Show all 2 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/node_modules/better-sqlite3/deps/download.sh | matched "curl " | 12 |
| low | Large Javascript Payload | package/dist/main.js | 2023433 bytes | 0 |
Manifest
Package metadata
Scripts7
disablenode -e "const f=require('os').homedir()+'/.goodex/lineman.json';const c=JSON.parse(require('fs').readFileSync(f,'utf8'));c.enabled=false;require('fs').writeFileSync(f,JSON.stringify(c,null,2)+'\n');console.log('Lineman DISABLED — restart Claude session')"enablenode -e "const f=require('os').homedir()+'/.goodex/lineman.json';const c=JSON.parse(require('fs').readFileSync(f,'utf8'));c.enabled=true;require('fs').writeFileSync(f,JSON.stringify(c,null,2)+'\n');console.log('Lineman ENABLED — restart Claude session')"startnode dist/main.jsstatusnode -e "const f=require('os').homedir()+'/.goodex/lineman.json';const c=JSON.parse(require('fs').readFileSync(f,'utf8'));console.log('Lineman:',c.enabled===false?'DISABLED':'ENABLED','| Model:',c.model,'| URL:',c.url)"test:install-smoke./scripts/install-smoke.shtest:integration-pkgvitest run tests/integration/test:watchervitest run --config vitest.config.watcher.ts
Dependencies22
@modelcontextprotocol/sdk^1.12.0@sentry/node10.47.0@sentry/node-native10.47.0better-sqlite3^11.8.1chokidar^5.0.0diff^5.2.0get-tsconfig^4.14.0gpt-tokenizer^3.4.0open^10.2.0tree-sitter-c^0.24.1tree-sitter-c-sharp^0.23.5tree-sitter-cpp^0.23.4tree-sitter-go^0.25.0tree-sitter-java^0.23.5tree-sitter-php^0.24.2tree-sitter-python^0.25.0tree-sitter-ruby^0.23.1tree-sitter-rust^0.24.0tree-sitter-typescript^0.23.2turndown^7.2.2web-tree-sitter^0.26.8zod^3.25.76