PkgRadar

Package evidence

@oicl/[email protected]

Remote Dependency Spec: devDependencies.@semantic-release/github="github:semantic-release/github"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
20
First published
May 2026
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@oicl/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@oicl/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes9,526,653
Previous version2.0.0-next.65
Published2026-06-12T12:15:50.098Z
SHA-256ffeffef07279ac6a506c0d6c059e0c6b3b580dce91abe0353d676e2abdb621b2

Why flagged

What the scanner saw

Remote Dependency Spec: devDependencies.@semantic-release/github="github:semantic-release/github"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
2Score
2.0.0-next.66Version
Status history (1 event)
  1. newavailable · risk review · score 2 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Dependency Specpackage.jsondevDependencies.@semantic-release/github="github:semantic-release/github"8
Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Dependency Specpackage.jsondevDependencies.@semantic-release/github="github:semantic-release/github"8
lowLarge Javascript Payloadpackage/bundle/openbridge-webcomponents.bundle.js12320088 bytes0

Manifest

Package metadata

Scripts39
  • analyzecem analyze --litelement --globs "src/**/*.ts" --exclude "src/**/*.stories.ts" && tsx ./script/sort-custom-element-manifest.ts
  • analyze:watchcem analyze --litelement --globs "src/**/*.ts" --exclude "src/**/*.stories.ts" --watch
  • buildnpm run build:translations && npm run build:ts
  • build-storybookstorybook build
  • build:bundletsx ./script/generate-bundle-entry.ts && vite build --mode bundle
  • build:translationslit localize build
  • build:tsvite build
  • build:ts:watchvite build --watch
  • cleanrm -rf node_modules dist bundle custom-elements.json
  • download:iconstsx ./script/download-icons.ts
  • fix-importsnode fix-imports.mjs
  • fix-imports:checknode fix-imports.mjs --dry-run
  • formatprettier "**/*.{cjs,html,js,json,md,ts,css}" --write
  • format:checkprettier "**/*.{cjs,html,js,json,md,ts,css}" --check
  • lintnpm run lint:mixins && npm run lint:variables && npm run lint:icons && npm run lint:lit-analyzer && npm run lint:eslint
  • lint:eslinteslint 'src/**/*.ts'
  • lint:iconstsx ./script/check-icon-hex-leaks.ts
  • lint:lit-analyzerlit-analyzer --strict --maxWarnings 0
  • lint:mixinstsx ./script/check-css-mixins.ts
  • lint:variablestsx ./script/check-css-variables.ts
  • new:componenttsx ./new-component.ts
  • prebuild-storybooknpm run build:translations
  • prepacknpm run build && npm run build:bundle && npm run analyze
  • previewvite preview
  • storybooknpm run analyze && storybook dev -p 6006 --no-open
  • storybook:serverhttp-server -p 6006 storybook-static
  • test-storybookvitest --project=storybook
  • test-storybook:watchvitest --project=storybook --watch
  • test:browservitest --config=vitest.browser.config.ts
  • translations:extractlit localize extract
  • …and 9 more.
Dependencies6
  • @lit-labs/observers^2.1.0
  • @lit/localize^0.12.2
  • chart.js^4.5.1
  • lit^3.3.2
  • semver^7.7.4
  • uplot^1.6.32