Package evidence
@meridianlabs/[email protected]
Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 33 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,005Niche · −30% score
- Versions published
- 71Established · −30% score
- First published
- Oct 2025
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@meridianlabs/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@meridianlabs/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 33 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 4 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Manifest Codeless Dependency Stub | package.json | package ships no JS/TS source but declares 33 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape | 15 |
Manifest
Package metadata
Scripts20
buildvite buildbuild:appvite build --mode developmentbuild:libvite build --mode librarycheck-allpnpm tsc && pnpm lint:fix && pnpm format && pnpm test && pnpm builddevvitedev-watchNODE_ENV=development vite build --mode development --watchdev-watch-logcross-env DEV_LOGGING=true NODE_ENV=development vite build --mode development --watchdev:libNODE_ENV=development vite build --mode library --watche2eplaywright test --config playwright.config.tsformatprettier --write .format:checkprettier --check .linteslint 'src/**/*.{js,jsx,mjs,ts,tsx}'lint:fixeslint 'src/**/*.{js,jsx,mjs,ts,tsx}' --fixprepublishOnlypnpm run build:libtestvitest runtest:coveragevitest run --coveragetest:watchvitesttsctsc --noEmittypechecktsc --noEmitwatchvite build --watch
Dependencies33
@codemirror/autocomplete^6.20.2@codemirror/language^6.12.1@codemirror/lint^6.9.6@codemirror/state^6.5.4@codemirror/view^6.43.0@lezer/highlight^1.2.2@popperjs/core^2.11.8@vscode-elements/react-elements^2.4.0ag-grid-community^34.3.1ag-grid-react^34.3.1ansi-output^0.0.9asciinema-player^3.15.1bootstrap^5.3.8bootstrap-icons^1.13.1clipboard^2.0.11clsx^2.1.1codemirror^6.0.2dexie^4.4.2fast-json-patch^3.1.1fflate^0.8.3filtrex^3.1.0fzstd^0.1.1immer^11.1.8json5^2.2.3jsondiffpatch^0.7.6markdown-it^14.2.0postcss-url^10.1.4prismjs^1.30.0react^19.2.6react-dom^19.2.6- …and 3 more.