PkgRadar

Package evidence

@pellux/[email protected]

Install-time lifecycle script: preinstall="sh scripts/check-bun.sh"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
108
First published
Apr 2026
Publisher
mgd34msu

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@pellux/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@pellux/[email protected]"],"fail_on":"review"}'
Publishermgd34msu
Artifact bytes1,104,356
Previous version0.22.0
Published2026-06-12T19:49:29.371Z
SHA-256290909f9dd02b276903d5d7d26f645fbc0f9384ce98b7b0415677183ae8974d6

Why flagged

What the scanner saw

Install-time lifecycle script: preinstall="sh scripts/check-bun.sh"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
10Score
0.23.0Version
Status history (1 event)
  1. newavailable · risk review · score 10 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowInstall-time lifecycle scriptpackage.jsonpreinstall="sh scripts/check-bun.sh"5
lowInstall-time lifecycle scriptpackage.jsonpostinstall="bun scripts/postinstall.js"5

Manifest

Package metadata

Scripts42
  • architecture:checkbun run scripts/check-architecture.ts
  • audit:homebun run scripts/audit-goodvibes-home.ts
  • buildbun build src/main.ts --compile --outfile dist/goodvibes
  • build:allbun run scripts/build.ts --all
  • build:all-shellbun run build:linux-x64 && bun run build:linux-arm64 && bun run build:macos-x64 && bun run build:macos-arm64 && bun run build:windows
  • build:daemon:linux-arm64bun run scripts/build.ts --target daemon-linux-arm64
  • build:daemon:linux-x64bun run scripts/build.ts --target daemon-linux-x64
  • build:daemon:macos-arm64bun run scripts/build.ts --target daemon-macos-arm64
  • build:daemon:macos-x64bun run scripts/build.ts --target daemon-macos-x64
  • build:linux-arm64bun build src/main.ts --compile --target=bun-linux-arm64 --outfile dist/goodvibes-linux-arm64
  • build:linux-x64bun build src/main.ts --compile --target=bun-linux-x64 --outfile dist/goodvibes-linux-x64
  • build:macos-arm64bun build src/main.ts --compile --target=bun-darwin-arm64 --outfile dist/goodvibes-macos-arm64
  • build:macos-x64bun build src/main.ts --compile --target=bun-darwin-x64 --outfile dist/goodvibes-macos-x64
  • build:prodbun run scripts/build.ts
  • build:windowsbun build src/main.ts --compile --target=bun-windows-x64 --outfile dist/goodvibes-windows.exe
  • daemonbun run src/daemon/cli.ts
  • devbun run src/main.ts
  • dev:watchbun --watch src/main.ts
  • eval:baselinebun run scripts/eval-gate.ts --save-baseline
  • eval:gatebun run scripts/eval-gate.ts
  • eval:gate:verbosebun run scripts/eval-gate.ts --verbose
  • foundation:artifactsbun run scripts/export-foundation-artifacts.ts
  • package:install-checkbun run scripts/package-install-check.ts
  • perf:baselineGOODVIBES_PERF_SAVE_BASELINE=1 bun run scripts/perf-check.ts
  • perf:checkbun run scripts/perf-check.ts
  • postbuildbun scripts/postinstall.js --no-download
  • postinstallbun scripts/postinstall.js
  • prebuildbun run scripts/prebuild.ts
  • preinstallsh scripts/check-bun.sh
  • publish:checkbun run scripts/publish-check.ts
  • …and 12 more.
Dependencies26
  • @agentclientprotocol/sdk^0.16.1
  • @anthropic-ai/bedrock-sdk^0.28.1
  • @anthropic-ai/sdk^0.82.0
  • @anthropic-ai/vertex-sdk^0.16.0
  • @ast-grep/napi^0.42.0
  • @aws/bedrock-token-generator^1.1.0
  • @pellux/goodvibes-sdk0.33.36
  • bash-language-server^5.6.0
  • fuse.js^7.1.0
  • graphql^16.13.2
  • jszip^3.10.1
  • node-edge-tts^1.2.10
  • openai^6.29.0
  • pyright^1.1.408
  • simple-git^3.33.0
  • sql.js^1.14.1
  • sqlite-vec^0.1.9
  • tree-sitter-css^0.25.0
  • tree-sitter-javascript^0.25.0
  • tree-sitter-json^0.24.8
  • tree-sitter-python^0.25.0
  • tree-sitter-typescript^0.23.2
  • typescript-language-server^5.1.3
  • vscode-langservers-extracted^4.10.0
  • web-tree-sitter^0.26.7
  • zustand^5.0.12