PkgRadar

Package evidence

@nysds/[email protected]

Remote Dependency Spec: devDependencies.cem-plugin-examples="github:its-hcd/cem-plugin-examples"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
596
Versions published
55Mature · −50% score
First published
Feb 2025
Publisher
esteinborn

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@nysds/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@nysds/[email protected]"],"fail_on":"review"}'
Publisheresteinborn
Artifact bytes1,033,963
Previous version1.17.0
Published2026-05-13T20:19:12.709Z
SHA-256f94b91d279e60be443620f73d2b8b9d357dacea5c28c57f2d8c6ff2b9985cfda

Why flagged

What the scanner saw

Remote Dependency Spec: devDependencies.cem-plugin-examples="github:its-hcd/cem-plugin-examples"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
4Score
1.18.0Version
Status history (1 event)
  1. newavailable · risk review · score 4 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Dependency Specpackage.jsondevDependencies.cem-plugin-examples="github:its-hcd/cem-plugin-examples"8

Manifest

Package metadata

Scripts30
  • buildtsc --emitDeclarationOnly && vite build
  • build-storybooknpm run build:packages && storybook build
  • build:allnpm run clean:dist && npm run lint && npm run lit-analyze || true && cross-env NODE_ENV=production npm run build:packages && npm run build:root && npm run cem && npm run build:mcp
  • build:linknpm run build:all && npm link && cd packages/styles && npm link
  • build:mcpnpm run build -w @nysds/mcp-server
  • build:packagesnpm run tsc:packages && turbo run build --filter='./packages/*' --log-order=grouped
  • build:rootcross-env NODE_ENV=production npm run build && cross-env NODE_ENV=production npm run build:umd
  • build:umdcross-env BUILD_FORMAT=umd vite build
  • cemnpx cem analyze --config ./custom-elements-manifest.config.mjs && cp ./custom-elements.json dist/ && node src/scripts/patch-react-utils.js
  • clean:allnpm run clean:dist && npm run clean:node && find packages -name '*.tsbuildinfo' -delete 2>/dev/null || true && npm run clean:turbo
  • clean:distrm -rf storybook-static && rm -rf coverage && rm -rf packages/*/coverage && rm -rf dist && find packages -type d -name dist ! -path '*/mcp-server/dist' -exec rm -rf {} + 2>/dev/null || true
  • clean:noderm -rf node_modules && rm -rf packages/*/node_modules && rm -rf packages/**/*/node_modules
  • clean:turbofind packages -type d -name '.turbo' -exec rm -rf {} + && rm -rf .turbo
  • code-connectdotenv -- npx figma connect publish
  • devvite
  • genplop
  • linteslint --cache --cache-location node_modules/.cache/eslint && stylelint **/*.scss || true
  • lint:fixeslint --fix && stylelint **/*.scss --fix
  • lit-analyzefind ./packages/nys-*/ -name '*.ts' ! -name '*.figma.*' | xargs lit-analyzer {}
  • mcp-server:buildturbo run build --filter=@nysds/mcp-server
  • releasecross-env NODE_ENV=production npm run build:all && cross-env NODE_ENV=production npm run test && npm run cem && cross-env NODE_ENV=production npm publish --workspaces --access public && cross-env NODE_ENV=production npm publish --access public
  • release:alphanpm run build && npm run build:umd && npm publish --tag next
  • release:dry-runcross-env NODE_ENV=production npm run build:all && cross-env NODE_ENV=production npm run test && npm run cem && node src/scripts/publish-dry-run.js
  • release:zipnpm run build:all && node src/scripts/create-release-zip.js
  • storybookcross-env NODE_ENV=production storybook dev -p 6006
  • storybook:build:allcross-env NODE_ENV=production npm run build:all && npm run storybook
  • storybook:cibuildstorybook build
  • testnpx playwright install && wtr --node-resolve
  • test:buildnpm run build:all && npm run test
  • tsc:packagestsc -b tsconfig.build.json
Dependencies1
  • wc-datepicker^0.10.0