Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 240
- Versions published
- 128Mature · −50% score
- First published
- Jul 2022
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@open-formulieren/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@open-formulieren/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Large Javascript Payload: 4085590 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 3 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/bundles/open-forms-sdk.js | 4085590 bytes | 10 |
Manifest
Package metadata
Scripts19
buildnpm run build:esm && npm run build:umd && npm run build:esm-bundle && python ./bin/extract_i18n_source_messages.pybuild:design-tokensnpm run build --workspace=design-tokensbuild:esmBUILD_TARGET=esm vite buildbuild:esm-bundleBUILD_TARGET=esm-bundle vite buildbuild:storybookstorybook build --webpack-stats-jsonbuild:typechecktsc --noEmitbuild:umdBUILD_TARGET=umd vite buildcheckformatprettier --check 'src/**/*.{js,jsx,ts,tsx,scss,mdx}'compilemessagesformatjs compileformatprettier --write 'src/**/*.{js,jsx,ts,tsx,scss,mdx}'linteslint srcmakemessagesnpm run makemessages-nl && npm run makemessages-enmakemessages-enformatjs extract 'src/**/*.{js,jsx,ts,tsx}' --ignore='**/*.d.ts' --format bin/i18n-formatter.mjs --out-file src/i18n/messages/en.json --id-interpolation-pattern '[sha512:contenthash:base64:6]'makemessages-nlformatjs extract 'src/**/*.{js,jsx,ts,tsx}' --ignore='**/*.d.ts' --format bin/i18n-formatter.mjs --out-file src/i18n/messages/nl.json --id-interpolation-pattern '[sha512:contenthash:base64:6]'prepare-packagenode bin/prepare-package.mjsstartnpm run build:design-tokens && vitestorybookstorybook dev -p 6006testTZ=Europe/Amsterdam vitest --project=unittest:storybookTZ=Europe/Amsterdam vitest --project=storybook
Dependencies38
@date-fns/tz^1.4.1@floating-ui/react^0.27.5@formio/protected-eval^1.2.1@fortawesome/fontawesome-free^6.4.0@open-formulieren/design-tokens^0.66.0@open-formulieren/formio-renderer^1.5.3@open-formulieren/formiojs^4.13.14@open-formulieren/leaflet-tools^1.0.0@sentry/react^8.50.0clsx^2.1.1date-fns^4.1.0dompurify^3.3.1fast-deep-equal^3.1.3flatpickr^4.6.9formik^2.2.9ibantools^4.5.1immer^10.1.1json-logic-engine^5.0.6leaflet^1.9.4leaflet-draw^1.0.4leaflet-geosearch^4.2.0leaflet-gesture-handling^1.2.2moment^2.29.1nuqs^2.8.6proj4leaflet^1.0.2react-formio^4.3.0react-intl^7.1.14react-leaflet4.2.1react-leaflet-draw^0.20.6react-number-format^5.2.2- …and 8 more.