Package evidence

@nextcloud/[email protected]

Remote Dependency Spec: devDependencies.@nextcloud/webpack-vue-config="github:nextcloud/webpack-vue-config#vue3"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 24,835Mainstream · −50% score
Versions published: 250Mature · −50% score
First published: Oct 2019
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@nextcloud/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@nextcloud/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes1,773,673

Previous version9.8.1

Published2026-06-02T12:21:45.252Z

SHA-256339421827403a6788d06553ae437083d9aa219867820395a9e3b52d0ba20b211

Why flagged

What the scanner saw

Remote Dependency Spec: devDependencies.@nextcloud/webpack-vue-config="github:nextcloud/webpack-vue-config#vue3"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

14d agoLast checked

reviewRisk

2Score

9.8.2Version

Status history (1 event)

new → available14d ago · risk review · score 2 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Dependency Spec	package.json	devDependencies.@nextcloud/webpack-vue-config="github:nextcloud/webpack-vue-config#vue3"	8

Manifest

Package metadata

Scripts17

buildvite build --mode production
devvite build --mode development
l10n:extractnode build/extract-l10n.mjs
linteslint
lint:fixeslint --fix
prerelease:format-changelognode build/format-changelog.mjs
styleguidevue-styleguidist --config styleguide.config.cjs server
styleguide:buildvue-styleguidist --config styleguide.config.cjs build
stylelintstylelint "src/**/*.vue" "src/**/*.scss" "src/**/*.css"
stylelint:fixstylelint "src/**/*.vue" "src/**/*.scss" "src/**/*.css" --fix
testvitest run
test:componentplaywright test -c playwright.config.ts
test:component:guiplaywright test --ui -c playwright.config.ts
test:coveragevitest run --coverage
ts:checkvue-tsc -p src/tsconfig.json --noEmit
update:snapshotsnpm run test:component -- --grep @visual --update-snapshots
watchvite build --mode development --watch

Dependencies44

@ckpack/vue-color^1.6.0
@floating-ui/dom^1.7.6
@nextcloud/auth^2.6.0
@nextcloud/axios^2.6.0
@nextcloud/browser-storage^0.5.0
@nextcloud/capabilities^1.2.1
@nextcloud/event-bus^3.3.3
@nextcloud/initial-state^3.0.0
@nextcloud/l10n^3.4.1
@nextcloud/logger^3.0.3
@nextcloud/router^3.1.0
@nextcloud/sharing^0.4.0
@nextcloud/vue-select^4.1.0
@vuepic/vue-datepicker^11.0.3
@vueuse/components^14.3.0
@vueuse/core^14.3.0
blurhash^2.0.5
clone^2.1.2
debounce^3.0.0
dompurify^3.4.7
emoji-mart-vue-fast^15.0.5
escape-html^1.0.3
floating-vue^5.2.2
focus-trap^8.2.1
linkifyjs^4.3.3
mdast-util-to-string^4.0.0
p-queue^9.3.0
rehype-external-links^3.0.0
rehype-highlight^7.0.2
rehype-react^8.0.0
…and 14 more.