Package evidence

@nativescript/[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@nativescript/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@nativescript/[email protected]"],"fail_on":"review"}'

Publishernativescript-bot

Artifact bytes734,581

Previous version8.0.0-alpha.20

Published2026-05-23T22:49:52.628Z

SHA-256f65b94ae0c89347a8216675f471644965c4711606092e36b9628cf072ee64655

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

23d agoLast checked

reviewRisk

39Score

8.0.0-alpha.21Version

Status history (1 event)

new → available23d ago · risk review · score 39 · status changed

Evidence

Static findings

10 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/hmr/shared/runtime/root-placeholder.js	matched "raw.githubusercontent.com"	12

Show all 10 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/hmr/shared/runtime/root-placeholder.js	matched "raw.githubusercontent.com"	12
low	Obfuscation	package/configuration/angular.js	matched "\\u0275"	3
low	Obfuscation	package/configuration/base.js	matched "eval("	3
low	Obfuscation	package/hmr/shared/runtime/http-only-boot.js	matched "Eval("	3
low	Obfuscation	package/helpers/angular/inject-hmr-vite-ignore.js	matched "\\u0275"	3
low	Obfuscation	package/configuration/javascript.js	matched "\\u2028"	3
low	Obfuscation	package/hmr/frameworks/angular/server/linker.js	matched "\\u0275"	3
low	Obfuscation	package/hmr/shared/vendor/manifest.js	matched "\\u0275"	3
low	Obfuscation	package/helpers/prelink-angular.js	matched "\\u0275"	3
low	Obfuscation	package/configuration/typescript.js	matched "\\u2028"	3

Manifest

Package metadata

Dependencies23

@analogjs/vite-plugin-angular^2.0.0
@angular-devkit/build-angular^21.0.0
@angular/build^21.0.0
@babel/core^7.28.0
@babel/generator^7.28.0
@babel/parser^7.28.0
@babel/plugin-transform-typescript^7.28.0
@rollup/plugin-alias^6.0.0
@rollup/plugin-commonjs^29.0.0
@rollup/plugin-replace^6.0.2
@vitejs/plugin-vue^6.0.5
@vitejs/plugin-vue-jsx^5.1.5
@vue/compiler-sfc^3.5.0
css^3.0.0
esbuild^0.27.4
minimist^1.2.8
react-reconciler^0.32.0
sass>=1.70.0 <2
vite^8.0.0
vite-plugin-solid^2.11.11
vite-plugin-static-copy^4.0.1
vue-tsc^3.2.0
ws^8.18.0