Package evidence
@mieweb/[email protected]
Install-time lifecycle script: preinstall="if [ -d .git ]; then git submodule update --init --recursive; fi"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,818Niche · −30% score
- Versions published
- 76
- First published
- Jan 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@mieweb/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@mieweb/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Install-time lifecycle script: preinstall="if [ -d .git ]; then git submodule update --init --recursive; fi"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 1 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Install-time lifecycle script | package.json | preinstall="if [ -d .git ]; then git submodule update --init --recursive; fi" | 5 |
Manifest
Package metadata
Scripts26
buildnode --max-old-space-size=8192 ./node_modules/tsup/dist/cli-default.js && npm run build:css && npm run copy:brand-css && npm run copy:style-css && npm run copy:markdown-cssbuild-storybooknpm run build:esheet && storybook buildbuild:cssnpx @tailwindcss/cli -i ./src/styles/base.css -o ./dist/styles.css --minifybuild:esheetif [ ! -f packages/esheet/packages/core/dist/index.d.ts ] || [ ! -f packages/esheet/packages/renderer/src/index.output.css ]; then cd packages/esheet && npm ci && npx nx run-many --target=build --projects=@esheet/core,@esheet/fields,@esheet/adapters,@esheet/builder,@esheet/renderer --parallel; ficopy:brand-csscp src/brands/*.css dist/brands/ 2>/dev/null || truecopy:markdown-cssmkdir -p dist/components/Markdown && cp src/components/Markdown/styles.css dist/components/Markdown/ 2>/dev/null || truecopy:style-cssmkdir -p dist/styles && cp src/styles/init.css dist/styles/ 2>/dev/null || truedevtsup --watchformatprettier --check "src/**/*.{ts,tsx,css}"format:fixprettier --write "src/**/*.{ts,tsx,css}"linteslint "src/**/*.{ts,tsx}"lint:fixeslint "src/**/*.{ts,tsx}" --fixplaywright:installplaywright install --with-depsprebuildnpm run build:esheetpreinstallif [ -d .git ]; then git submodule update --init --recursive; fiprepublishOnlynpm run buildprestorybooknpm run build:esheetstorybookstorybook dev -p 6006testvitest runtest:coveragevitest run --coveragetest:storybooktest-storybook --url http://localhost:6006test:visualplaywright testtest:visual:debugplaywright test --debugtest:visual:uiplaywright test --uitest:watchvitesttypechecktsc --noEmit
Dependencies10
@swc/helpers^0.5.19class-variance-authority^0.7.1clsx^2.1.1dompurify^3.3.1google-libphonenumber^3.2.44highlight.js^11.11.1lucide-react^0.562.0luxon^3.7.2marked^17.0.3tailwind-merge^2.6.1