PkgRadar

Package evidence

@oicl/[email protected]

Remote Dependency Spec: devDependencies.@semantic-release/github="github:semantic-release/github"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
196Mature · −50% score
First published
Feb 2024
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@oicl/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@oicl/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes8,053,807
Previous version2.0.0-next.65
Published2026-06-12T12:11:14.988Z
SHA-2561a0b27a283740be16c0decbca08d1246a0421e486bdaf80c4aa65a9f5e3846cb

Why flagged

What the scanner saw

Remote Dependency Spec: devDependencies.@semantic-release/github="github:semantic-release/github"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
2Score
2.0.0-next.66Version
Status history (1 event)
  1. newavailable · risk review · score 2 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Dependency Specpackage.jsondevDependencies.@semantic-release/github="github:semantic-release/github"8
Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Dependency Specpackage.jsondevDependencies.@semantic-release/github="github:semantic-release/github"8
lowLarge Javascript Payloadpackage/bundle/openbridge-webcomponents.bundle.js12320088 bytes0

Manifest

Package metadata

Scripts45
  • analyzecem analyze --litelement --globs "src/**/*.ts" --exclude "src/**/*.stories.ts" && tsx ./script/sort-custom-element-manifest.ts
  • analyze:watchcem analyze --litelement --globs "src/**/*.ts" --exclude "src/**/*.stories.ts" --watch
  • buildnpm run build:translations && npm run build:ts
  • build-storybookstorybook build
  • build:bundletsx ./script/generate-bundle-entry.ts && vite build --mode bundle
  • build:fullnpm run build:translations && npm run typecheck && npm run build:bundle && npm run build:ts && npm run analyze && npm run wrappers
  • build:translationslit localize build
  • build:tsvite build
  • build:ts:watchvite build --watch
  • cleanrm -rf node_modules dist bundle custom-elements.json
  • download:iconstsx ./script/download-icons.ts
  • fix-importsnode fix-imports.mjs
  • fix-imports:checknode fix-imports.mjs --dry-run
  • formatprettier "**/*.{cjs,html,js,json,md,ts,css}" --write
  • format:checkprettier "**/*.{cjs,html,js,json,md,ts,css}" --check
  • lintnpm run lint:mixins && npm run lint:variables && npm run lint:icons && npm run lint:lit-analyzer && npm run lint:eslint
  • lint:eslinteslint 'src/**/*.ts'
  • lint:iconstsx ./script/check-icon-hex-leaks.ts
  • lint:lit-analyzerlit-analyzer --strict --maxWarnings 0
  • lint:mixinstsx ./script/check-css-mixins.ts
  • lint:variablestsx ./script/check-css-variables.ts
  • new:componenttsx ./new-component.ts
  • prebuild-storybooknpm run build:translations
  • prepacknpm run build && npm run build:bundle && npm run analyze
  • previewvite preview
  • storybooknpm run analyze && storybook dev -p 6006 --no-open
  • storybook:serverhttp-server -p 6006 storybook-static
  • test-storybookvitest --project=storybook
  • test-storybook:dockermkdir -p /tmp/openbridge-webcomponents-vis-results && rm -rf /tmp/openbridge-webcomponents-vis-results/* && docker run -it --user $(id -u):$(id -g) -v $(pwd):/app/packages/openbridge-webcomponents -v /tmp/openbridge-webcomponents-vis-results:/app/packages/openbridge-webcomponents/__vis__/linux/__results__ -w /app/packages/openbridge-webcomponents openbridge-webcomponents-storybook npm run test-storybook
  • test-storybook:watchvitest --project=storybook --watch
  • …and 15 more.
Dependencies6
  • @lit-labs/observers^2.1.0
  • @lit/localize^0.12.2
  • chart.js^4.5.1
  • lit^3.3.2
  • semver^7.7.4
  • uplot^1.6.32