PkgRadar

Package evidence

@planu/[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 990
Versions published: 376
First published: Mar 2026
Publisher: planudev

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@planu/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@planu/[email protected]"],"fail_on":"review"}'

Publisher: planudev
Artifact bytes: 3,704,691
Previous version: 4.6.1
Published: 2026-06-13T00:47:35.163Z
SHA-256: cca40f61c54047140cdc57e91284f933f1c9b424abe88bca3a104409653ed5c5

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

Status: available
Last checked
Risk: review
Score: 30
Version: 4.7.0

Status history (1 event)
  1. new · available · risk review · score 30 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/engine/llm-runtime/pricing-resolver.js | matched "raw.githubusercontent.com" | 12 |
| low | Credential file access | package/dist/engine/supply-chain/dependency-checker.js | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/engine/detectors/finops-detector.js | matched ".aws/" | 5 |
| low | Credential file access | package/dist/engine/detectors/monitoring-detector.js | matched ".aws/" | 5 |
| low | Credential file access | package/dist/config/env-patterns.json | matched "AWS_ACCESS_KEY" | 3 |

Manifest

Package metadata

Scripts: 44
  • audit:circular: madge --circular --extensions ts src/
  • audit:deadcode: knip
  • audit:i18n: bash scripts/audit-i18n.sh
  • audit:licenses: bash scripts/audit-licenses.sh
  • audit:mutation: stryker run
  • audit:security: bash scripts/audit-security.sh
  • audit:size: bash scripts/audit-package-size.sh
  • audit:tokens: bash scripts/audit-token-usage.sh 10
  • audit:types: type-coverage --at-least 98 --ignore-catch --strict --ignore-files 'tests/**'
  • build: pnpm clean && pnpm build:rust && pnpm build:ts
  • build:obfuscated: pnpm build && node scripts/obfuscate.mjs
  • build:rust: bash scripts/build-rust-local.sh --host
  • build:rust:all: bash scripts/build-rust-local.sh --all
  • build:rust:check-tools: bash scripts/build-rust-local.sh --check-tools
  • build:ts: tsc -p tsconfig.build.json && tsc-alias -p tsconfig.build.json && node scripts/copy-runtime-assets.mjs
  • check: pnpm typecheck && pnpm lint && pnpm format:check
  • check:deps:fresh: bash scripts/check-dependency-freshness.sh
  • check:strict: pnpm typecheck && pnpm lint && pnpm format:check && pnpm audit:deadcode && pnpm audit:circular && pnpm audit:types && pnpm audit:security && pnpm audit:licenses && pnpm audit:i18n
  • clean: rm -rf dist
  • dev: tsc --watch
  • docker:build: docker build -t planu .
  • docker:run: docker compose up
  • format: prettier --write 'src/**/*.ts' 'tests/**/*.test.ts'
  • format:check: prettier --check 'src/**/*.ts' 'tests/**/*.test.ts'
  • lint: eslint src/ tests/ --max-warnings 0
  • lint:fix: eslint src/ tests/ --fix --max-warnings 0
  • package:size: node scripts/check-package-size.mjs
  • postpublish: pnpm build
  • prepack: pnpm clean && pnpm build:ts && pnpm package:size
  • prepare: husky || true
  • …and 14 more.
Dependencies: 5
  • @anthropic-ai/sdk ^0.104.1
  • @modelcontextprotocol/sdk ^1.29.0
  • glob ^13.0.6
  • yaml ^2.9.0
  • zod ^4.4.3
Optional dependencies: 8
  • @planu/core-darwin-arm64 4.7.0
  • @planu/core-darwin-x64 4.7.0
  • @planu/core-linux-arm64-gnu 4.7.0
  • @planu/core-linux-arm64-musl 4.7.0
  • @planu/core-linux-x64-gnu 4.7.0
  • @planu/core-linux-x64-musl 4.7.0
  • @planu/core-win32-arm64-msvc 4.7.0
  • @planu/core-win32-x64-msvc 4.7.0