Trust signals
Why this verdict
PkgRadar lowers a release's score when public reputation signals (download volume, publish history, publisher identity) make novel malware less likely. The verdict above already includes these discounts; this panel only lists what was applied.
| Signal | Value |
|---|---|
| Weekly downloads | 126 |
| Versions published | 3 |
| First published | May 2026 |
| Publisher | oscharko-dev |
Recommended action
Review before promoting. Mixed signals: the package has indicators worth reading before the update is allowed through automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard. The step relies on `curl -f`, which exits non-zero when the server answers with an HTTP error status (`-s` silences progress output, `-S` still prints the error message), so keep those flags if you adapt the command.

```shell
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@oscharko-dev/[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@oscharko-dev/[email protected]"],"fail_on":"review"}'
```

Why flagged
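The gate above hard-codes one spec. As an added example (not PkgRadar's code and not this package's), here is how to derive the `specs` array from the packages that actually changed between two npm lockfiles, so the request is built only for additions and upgrades, which is the condition the step is meant to enforce. It assumes npm's lockfileVersion 2/3 layout (a `packages` map keyed by `node_modules/<name>`); the two lockfiles, the `@example/new-dep` package and all versions in them are constructed for the example, while the endpoint and the `fail_on` field come from the page. Nothing here touches the network.

```javascript
// Added example, not PkgRadar's code. Builds the JSON body for the
// https://pkgradar.com/gate/npm request from the packages that were added or
// upgraded between two npm lockfiles (lockfileVersion 2/3).

function lockedPackages(lockfile) {
  // lockfileVersion >= 2: keys look like "node_modules/<name>" or, for a
  // nested copy, "node_modules/a/node_modules/<name>". The "" entry is the
  // project itself; "link: true" workspace entries carry no version.
  const byName = new Map();
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === "" || !entry.version) continue;
    const idx = key.lastIndexOf("node_modules/");
    const name = key.slice(idx + "node_modules/".length); // keeps "@scope/name"
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(entry.version); // several versions may coexist
  }
  return byName;
}

function changedSpecs(before, after) {
  const prev = lockedPackages(before);
  const next = lockedPackages(after);
  const specs = [];
  for (const [name, versions] of next) {
    for (const version of versions) {
      // New package, or a version that was not locked before (upgrade or downgrade).
      if (!prev.has(name) || !prev.get(name).has(version)) {
        specs.push(`${name}@${version}`);
      }
    }
  }
  return specs.sort();
}

// Returns the request body for the gate, or null when nothing changed so the
// CI step can skip the call entirely. fail_on matches the page's example.
function gateBody(before, after, failOn = "review") {
  const specs = changedSpecs(before, after);
  return specs.length ? JSON.stringify({ specs, fail_on: failOn }) : null;
}

// Constructed lockfiles (not real projects): BEFORE is the base branch, AFTER
// the pull request. zod is bumped, a new scoped package appears, and a nested
// copy of zod stays unchanged and must not be reported.
const BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/zod": { version: "4.4.1" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/left-pad/node_modules/zod": { version: "3.0.0" },
  },
};
const AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/zod": { version: "4.4.2" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/left-pad/node_modules/zod": { version: "3.0.0" },
    "node_modules/@example/new-dep": { version: "2.0.0" },
  },
};

console.log(gateBody(BEFORE, AFTER));
```

In a workflow, `before` is the lockfile at the base ref and `after` the one in the pull request; write the returned body to a file and pass it to the curl command with `-d @body.json`. Reporting a version that merely moved between nesting levels is avoided by comparing the set of locked versions per name rather than a single path.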
What the scanner saw
Large Javascript Payload: 2577835 bytes (package/dist/cli.cjs; a second bundle of similar size, package/dist/cli.js, is listed under Evidence).
Not observed: package install, lifecycle-script execution, or sandbox execution. PkgRadar only inspects the on-disk artifacts of the tarball, so this finding describes the size of the shipped bundles, not what the code does when run.
Availability ledger: available
Status history (1 event)
- new → available · risk review · score 20 · status changed
Evidence
Static findings
2 static findings, 0 from the release diff; highest-signal first. The 20 points below add up to the score 20 recorded in the availability ledger.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/cli.cjs | 2577835 bytes | 10 |
| medium | Large Javascript Payload | package/dist/cli.js | 2571048 bytes | 10 |
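The same on-disk check can be reproduced locally before deciding whether to promote the release. This is an added example, not PkgRadar's code: it reads the output of `npm pack <spec> --dry-run --json`, which lists every file that would go into the tarball with its size without installing the package or running any of its scripts, and flags JavaScript files above a size threshold. `SAMPLE` is constructed; the two `dist/cli.*` sizes are the values from the table above, the other files are made up. The 1 MiB threshold and 10 points per finding are assumptions chosen to mirror the table, not PkgRadar's published rule.

```javascript
// Added example, not PkgRadar's code. Reproduces a "Large Javascript Payload"
// check from `npm pack --dry-run --json` output (an array of packages, each with
// `unpackedSize` and `files: [{ path, size, mode }]`). Threshold and points are
// assumptions, not PkgRadar's actual rule.

const JS_EXTENSIONS = new Set([".js", ".cjs", ".mjs"]);

function extensionOf(filePath) {
  const dot = filePath.lastIndexOf(".");
  return dot === -1 ? "" : filePath.slice(dot).toLowerCase();
}

function largeJsPayloads(packOutput, thresholdBytes = 1024 * 1024, pointsPer = 10) {
  const findings = [];
  let unpackedSize = 0;
  for (const pkg of packOutput) {
    unpackedSize += pkg.unpackedSize || 0;
    for (const file of pkg.files) {
      if (!JS_EXTENSIONS.has(extensionOf(file.path))) continue;
      if (file.size < thresholdBytes) continue;
      findings.push({
        severity: "medium",
        kind: "Large Javascript Payload",
        // npm pack reports paths without the tarball's package/ prefix; the
        // report above uses the tarball layout, so it is added back here.
        path: `package/${file.path}`,
        size: file.size,
        points: pointsPer,
      });
    }
  }
  findings.sort((a, b) => b.size - a.size); // largest first, as in the table
  const flaggedBytes = findings.reduce((sum, f) => sum + f.size, 0);
  return {
    findings,
    points: findings.length * pointsPer,
    // Share of the unpacked package made up of large JS bundles; a package
    // that is almost entirely minified bundle is worth opening before use.
    flaggedShare: unpackedSize ? flaggedBytes / unpackedSize : 0,
  };
}

// Constructed npm pack output. Only the two dist/cli.* sizes come from the
// report; the package name and the other files are made up.
const SAMPLE = [{
  name: "example-package",
  version: "0.0.0",
  unpackedSize: 5166083,
  files: [
    { path: "package.json", size: 1200 },
    { path: "README.md", size: 4000 },
    { path: "dist/cli.cjs", size: 2577835 },
    { path: "dist/cli.js", size: 2571048 },
    { path: "dist/index.js", size: 12000 },
  ],
}];

const result = largeJsPayloads(SAMPLE);
for (const f of result.findings) {
  console.log(f.severity, f.kind, f.path, `${f.size} bytes`, f.points);
}
console.log(`score ${result.points}, ${(result.flaggedShare * 100).toFixed(1)}% of unpacked bytes`);
```

To run it against a real release, capture `npm pack "<name>@<version>" --dry-run --json` to a file and pass the parsed array to `largeJsPayloads`; the dry run downloads nothing more than the tarball metadata and never executes `prepare` or `postinstall` scripts, which keeps the check as passive as the scanner's.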
Manifest
Package metadata
Scripts (47; 30 shown)

| Script | Command |
|---|---|
| build | `pnpm run workspaces:build && pnpm run build:package` |
| build:package | `tsup` |
| check:attw | `attw --pack` |
| check:depcruise | `depcruise --config .dependency-cruiser.cjs packages src` |
| check:license-policy | `node scripts/check-license-policy.mjs` |
| check:lockfile-hosts | `node scripts/check-lockfile-hosts.mjs` |
| check:no-telemetry | `node scripts/check-no-telemetry.mjs` |
| check:npm-sbom-smoke | `node scripts/npm-sbom-smoke.mjs` |
| check:package-shape | `node scripts/check-package-shape.mjs` |
| check:parity | `node --import tsx scripts/check-parity.mjs` |
| check:publint | `publint` |
| check:reproducible-build | `node scripts/verify-reproducible-build.mjs` |
| check:sandbox-parity | `node --import tsx scripts/check-sandbox-parity.mjs` |
| check:sbom-parity | `node scripts/check-sbom-parity.mjs` |
| check:scorecard-threshold | `node scripts/check-scorecard-threshold.mjs` |
| check:supply-chain-iocs | `node scripts/check-supply-chain-iocs.mjs` |
| cli | `tsx packages/cli/src/cli.ts` |
| docs | `typedoc` |
| docs:api | `typedoc` |
| format | `prettier --write .` |
| format:check | `prettier --check .` |
| lint | `eslint src` |
| local:start | `node scripts/start-local.mjs` |
| local:start:mock | `node scripts/start-local.mjs --mock` |
| local:start:prod | `node scripts/start-local.mjs --mode=prod` |
| local:stop | `node scripts/stop-local.mjs` |
| parity:extract | `node --import tsx scripts/extract-parity-fixtures.mjs` |
| prepare | `git config core.hooksPath .githooks` |
| release:check | `node scripts/release-readiness.mjs` |
| sbom:cyclonedx | `node scripts/generate-cyclonedx.mjs --ignore-npm-errors` |

…and 17 more.

Of these, only `prepare` is an npm lifecycle script. npm runs it on a local `npm install` with no arguments, before `npm pack` and `npm publish`, and when a dependency is installed from a git URL; it does not run for consumers who install the published tarball from the registry.
Dependencies (15)

| Dependency | Range |
|---|---|
| @oscharko-dev/ti-agentic-harness | `workspace:*` |
| @oscharko-dev/ti-cli | `workspace:*` |
| @oscharko-dev/ti-contracts | `workspace:*` |
| @oscharko-dev/ti-core-engine | `workspace:*` |
| @oscharko-dev/ti-eval | `workspace:*` |
| @oscharko-dev/ti-evidence | `workspace:*` |
| @oscharko-dev/ti-integrations | `workspace:*` |
| @oscharko-dev/ti-model-gateway | `workspace:*` |
| @oscharko-dev/ti-multi-source | `workspace:*` |
| @oscharko-dev/ti-production-runner | `workspace:*` |
| @oscharko-dev/ti-quality | `workspace:*` |
| @oscharko-dev/ti-review | `workspace:*` |
| @oscharko-dev/ti-security | `workspace:*` |
| @oscharko-dev/ti-tenant | `workspace:*` |
| zod | `^4.4.2` |

`workspace:*` is pnpm's workspace protocol: pnpm rewrites it to the sibling package's concrete version when it packs a package for publishing, so a manifest that still carries `workspace:*` at install time is not resolvable by npm. The 14 internal packages therefore have to be checked by their own published versions, not by this range.