PkgRadar

Package evidence

@mangs/[email protected]

Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 1 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
11
Versions published
112Mature · −50% score
First published
Feb 2024
Publisher
mangs

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@mangs/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@mangs/[email protected]"],"fail_on":"review"}'
Publishermangs
Artifact bytes21,881
Previous version2.33.6
Published2025-05-22T17:38:38.557Z
SHA-256c0d4bf41f8c9ee2830743c8a9c92eb2ae0e5c5d23b0b6476570a7f338fe6917d

Why flagged

What the scanner saw

Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 1 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
10Score
2.34.0Version
Status history (1 event)
  1. newavailable · risk review · score 10 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumManifest Codeless Dependency Stubpackage.jsonpackage ships no JS/TS source but declares 1 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape15
Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumManifest Codeless Dependency Stubpackage.jsonpackage ships no JS/TS source but declares 1 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape15
lowInstall-time lifecycle scriptpackage.jsonpostinstall="bun scripts/git/removeGitHooks.mts && bun scripts/git/installGitHooks.mts"5

Manifest

Package metadata

Scripts20
  • audit:node-modulescd node_modules && du -sh -- * | sort -h
  • build:documentationtypedoc --options ./config/typedoc/typedoc.json
  • check:environmentbun --bun run --silent check:environment:symlinks && bun run --silent check:environment:versions
  • check:environment:symlinksscripts/bun/checkEnvironmentSymlinks.mts
  • check:environment:versionsscripts/bun/checkEnvironmentVersions.mts
  • check:formattingprettier --check --no-editorconfig .
  • check:lint-conflictseslint-config-prettier ./src/index.mts
  • check:package-versionscripts/bun/checkPackageVersion.mts
  • check:typestsc --noEmit
  • delete:build-artifactsrm -rf dist
  • delete:node-modulesrm -rf node_modules
  • delete:package-lockrm -f bun.lockb
  • format:codeprettier --write --no-editorconfig .
  • install:bun:expected-versionbun --print '(await import(Bun.env.npm_package_json)).engines.bun' | (read BUN_VERSION; if [ $BUN_VERSION == `bun --version` ]; then echo Bun version $BUN_VERSION is already installed; else echo Installing Bun version $BUN_VERSION... && curl -fsSL https://bun.sh/install | bash -s "bun-v$BUN_VERSION"; fi)
  • lint:typescriptecho Linting all TypeScript... && eslint --ext cts,ts,mts --max-warnings 0 .
  • list:eslint:disable-directivesrg '/(/|\*+)[ \t]*eslint-disable[^*]*(\*+/)?'
  • list:todo-commentsrg --only-matching '(TODO|FIXME):[a-zA-Z0-9\t .,;?]+'
  • postinstallbun scripts/git/removeGitHooks.mts && bun scripts/git/installGitHooks.mts
  • reinstallbun run --silent delete:package-lock && bun run --silent delete:node-modules && bun install
  • reinstall:use-lock-filebun run --silent delete:node-modules && bun install --frozen-lockfile
Dependencies1
  • type-fest4.41.0