Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@planu/[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@planu/[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Known Indicator Filename: package/dist/types/execution.js
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (2 events)
- available → available · risk review · score 220 · status available → available, risk high → review, score 771 → 220
- new → available · risk high · score 771 · status changed
Related candidates
Linked campaigns and clusters
- planudev · 7 members · evidence strength 84
- Install Lifecycle Suppresses Failure — prepare="husky || true" · 13 members · evidence strength 90
- Known Indicator Filename — package/dist/types/execution.js · 7 members · evidence strength 90
Evidence
Static findings
40 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Known Indicator Filename | package/dist/types/execution.js | package/dist/types/execution.js | 45 |
| medium | Remote Payload | package/dist/tools/suggest-tooling/advanced-testing-catalog.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/engine/advanced-testing/chaos-generator.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/tools/configure-oauth-handler.js | matched "Curl " | 12 |
| medium | Remote Payload | package/dist/tools/suggest-tooling/dagger-catalog.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/engine/execution-plan/phases.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/engine/llm-runtime/pricing-resolver.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/tools/suggest-tooling/skills-catalog.js | matched "curl " | 12 |
| medium | Remote Payload | package/dist/engine/advanced-testing/test-data-advisor.js | matched "curl " | 12 |
| low | Credential file access | package/dist/tools/suggest-tooling/advanced-testing-catalog.js | matched ".aws" | 5 |
| low | Credential file access | package/dist/engine/detectors/finops-detector.js | matched ".aws" | 5 |
| low | Credential file access | package/dist/engine/detectors/monitoring-detector.js | matched ".aws" | 5 |
| low | Credential file access | package/dist/engine/infrastructure/terraform-generator.js | matched ".aws" | 5 |
| low | Obfuscation | package/dist/cli/commands/activate.js | matched "\\u25a1" | 3 |
| low | Obfuscation | package/dist/cli/colors.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/dist/engine/spec-changelog/core.js | matched "\\u2795" | 3 |
| low | Obfuscation | package/dist/tools/create-spec-helpers.js | matched "\\u0300" | 3 |
| low | Obfuscation | package/dist/tools/design-schema.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/engine/auditor-security/electron-checks.js | matched "eval(" | 3 |
| low | Obfuscation | package/dist/engine/analytics-detector/events.js | matched "\\u0300" | 3 |
| low | Obfuscation | package/dist/engine/runtime-security/checkers/input-sanitizer.js | matched "\\u0000" | 3 |
| low | Obfuscation | package/dist/cli/commands/install.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/dist/engine/reviewer-tokens/issuer.js | matched "Buffer.from(raw, 'base64" | 3 |
| low | Obfuscation | package/dist/tools/list-specs.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/transports/oauth-validator.js | matched "Buffer.from(payloadB64, 'base64" | 3 |
| low | Obfuscation | package/dist/engine/detectors/orphan-spec-refs.js | matched "\\x1e" | 3 |
| low | Obfuscation | package/dist/engine/runtime-security/checkers/prompt-injection.js | matched "\\u0400" | 3 |
| low | Obfuscation | package/dist/engine/github/review-analyzer.js | matched "eval(" | 3 |
| low | Obfuscation | package/dist/engine/github/review-dimensions.js | matched "eval(" | 3 |
| low | Obfuscation | package/dist/engine/multi-agent-review/security-analyzer.js | matched "eval(" | 3 |
| low | Obfuscation | package/dist/engine/workers/handlers/security-audit.js | matched "eval(" | 3 |
| low | Obfuscation | package/dist/engine/auditor-security/security-checks.js | matched "eval(" | 3 |
| low | Credential file access | package/dist/config/agent-platforms.json | matched ".aws" | 3 |
| low | Credential file access | package/dist/config/db-engines.json | matched ".aws" | 3 |
| low | Credential file access | package/dist/config/deploy-platforms.json | matched ".aws" | 3 |
| low | Credential file access | package/dist/config/dev-lifecycle-catalog.json | matched ".aws" | 3 |
| low | Credential file access | package/dist/config/docs-registry.json | matched ".aws" | 3 |
| low | Credential file access | package/dist/config/env-patterns.json | matched "AWS_ACCESS_KEY" | 3 |
| low | Credential file access | package/dist/config/framework-registry/ruby-rails.json | matched ".aws" | 3 |
| low | Obfuscation | package/dist/config/security-patterns.json | matched "eval(" | 3 |
Manifest
Package metadata
Scripts (44)
| Script | Command |
|---|---|
| audit:circular | madge --circular --extensions ts src/ |
| audit:deadcode | knip |
| audit:i18n | bash scripts/audit-i18n.sh |
| audit:licenses | bash scripts/audit-licenses.sh |
| audit:mutation | stryker run |
| audit:security | bash scripts/audit-security.sh |
| audit:size | bash scripts/audit-package-size.sh |
| audit:tokens | bash scripts/audit-token-usage.sh 10 |
| audit:types | type-coverage --at-least 98 --ignore-catch --strict --ignore-files 'tests/**' |
| build | pnpm clean && pnpm build:rust && pnpm build:ts |
| build:obfuscated | pnpm build && node scripts/obfuscate.mjs |
| build:rust | bash scripts/build-rust-local.sh --host |
| build:rust:all | bash scripts/build-rust-local.sh --all |
| build:rust:check-tools | bash scripts/build-rust-local.sh --check-tools |
| build:ts | tsc -p tsconfig.build.json && tsc-alias -p tsconfig.build.json && node scripts/copy-runtime-assets.mjs |
| check | pnpm typecheck && pnpm lint && pnpm format:check |
| check:deps:fresh | bash scripts/check-dependency-freshness.sh |
| check:strict | pnpm typecheck && pnpm lint && pnpm format:check && pnpm audit:deadcode && pnpm audit:circular && pnpm audit:types && pnpm audit:security && pnpm audit:licenses && pnpm audit:i18n |
| clean | rm -rf dist |
| dev | tsc --watch |
| docker:build | docker build -t planu . |
| docker:run | docker compose up |
| format | prettier --write 'src/**/*.ts' 'tests/**/*.test.ts' |
| format:check | prettier --check 'src/**/*.ts' 'tests/**/*.test.ts' |
| lint | eslint src/ tests/ --max-warnings 0 |
| lint:fix | eslint src/ tests/ --fix --max-warnings 0 |
| package:size | node scripts/check-package-size.mjs |
| postpublish | pnpm build |
| prepack | pnpm clean && pnpm build:ts && pnpm package:size |
| prepare | husky \|\| true |
…and 14 more.
Dependencies (4)
- @modelcontextprotocol/sdk ^1.29.0
- glob ^13.0.6
- yaml ^2.9.0
- zod ^4.4.3
Optional dependencies (8)
- @planu/core-darwin-arm64 4.3.4
- @planu/core-darwin-x64 4.3.4
- @planu/core-linux-arm64-gnu 4.3.4
- @planu/core-linux-arm64-musl 4.3.4
- @planu/core-linux-x64-gnu 4.3.4
- @planu/core-linux-x64-musl 4.3.4
- @planu/core-win32-arm64-msvc 4.3.4
- @planu/core-win32-x64-msvc 4.3.4