Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 101
- Versions published: 118 (Mature · −50% score)
- First published: Nov 2023
- Publisher: rpulkka
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@luomus/[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@luomus/[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Large Javascript Payload: 2451959 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 5 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/laji-form.js | 2451959 bytes | 10 |
Manifest
Package metadata
Scripts (18)
| Script | Command |
|---|---|
| build | `npm run build:lib && npm run build:dist && npm run build:tests` |
| build:dist | `rimraf dist && NODE_ENV=production webpack --config webpack.config.dist.js && rimraf dist/styles.js` |
| build:lib | `rimraf lib && NODE_ENV=production tsc -p tsconfig.lib.json && cpx src/generated/* lib/generated` |
| build:tests | `rimraf test-export && NODE_ENV=production tsc -p tsconfig.test.json` |
| generate:api-client | `openapi-typescript http://apitest.laji.fi/openapi-json -o ./src/generated/api.d.ts --properties-required-by-default` |
| lint | `eslint src playground` |
| postversion | `npm publish` |
| prepublishOnly | `npm run build && git push && git push --tags` |
| preversion | `npm run lint && npm run test:lightweight` |
| staging | `webpack-dev-server --content-base playground playground/app.js --host 0.0.0.0 --port 4010` |
| start | `npx webpack serve` |
| test | `npx playwright test` |
| test:docker | `npm run test:docker:build && npm run test:docker:run --` |
| test:docker:build | `docker build -t laji-form-test -f test.Dockerfile .` |
| test:docker:run | `docker run laji-form-test` |
| test:lightweight | `npx playwright test --project chromium` |
| test:ui | `npx playwright test --ui` |
| version | `bin/update-changelog.sh` |
Dependencies (26)
- @luomus/laji-map ^5.1.19
- @luomus/laji-validate ^0.0.132
- @rjsf/core ~5.1.0
- @rjsf/utils ~5.1.0
- @rjsf/validator-ajv6 ~5.1.0
- @types/deep-equal ^1.0.1
- @types/memoizee ^0.4.8
- @types/react ^16.14.10
- @types/react-dom ^16.9.13
- @types/react-spinner ^0.2.0
- deep-equal ^2.0.5
- deepmerge ^4.2.2
- exifreader ^4.32.0
- immutability-helper ^3.1.1
- isomorphic-fetch ^3.0.0
- memoizee ^0.4.15
- moment ^2.29.1
- prop-types ^15.5.8
- react ^17.0.2
- react-dom ^17.0.2
- react-dropzone ^11.3.4
- react-inlinesvg ^2.3.0
- react-sortable-hoc ^2.0.0
- react-spinner ^0.2.7
- react-widgets ^4.6.1
- react-widgets-moment ^4.0.30
Optional dependencies (6)
- @fortawesome/fontawesome-svg-core ^6.2.0
- @fortawesome/free-solid-svg-icons ^6.2.0
- @fortawesome/react-fontawesome ^0.2.0
- @types/react-bootstrap ^0.32.22
- react-bootstrap ^0.33.1
- react-bootstrap-5 npm:react-bootstrap@^2.5.0