PkgRadar

Package evidence

@plone/volto@16.0.0-alpha.46

Install-time lifecycle script: postinstall="yarn patches"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these discounts; this panel only explains what was applied.

Weekly downloads: 2,171 (Niche · −30% score)
Versions published: 745 (Mature · −50% score)
First published: Oct 2018
Publisher: sneridagh

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips a high-signal indicator (an install-time lifecycle script that the previous release did not have). Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@plone/volto@16.0.0-alpha.46"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@plone/volto@16.0.0-alpha.46"],"fail_on":"high"}'
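
The gate call above hard-codes one spec. In a real pipeline you want the specs derived from what the commit actually changed in the lockfile, so an upgrade to any package is gated, not just the one you remembered to list. The script below is an added example, not PkgRadar's own tooling: the endpoint and the request shape `{"specs":[...],"fail_on":"high"}` are taken from the page, while the lockfile parsing (npm lockfileVersion 2/3, whose `packages` map is keyed by install path) and the two sample lockfiles are constructed here.

```python
"""Derive the PkgRadar gate request from what actually changed in the lockfile.

Added example, not PkgRadar's own tooling.  From the page: the endpoint and the
body shape {"specs": [...], "fail_on": "high"}.  Assumed: the lockfile parsing
and the constructed sample lockfiles below."""
import json
import sys


def installed_versions(lock):
    """Map package name -> set of versions present anywhere in the tree.

    npm lockfileVersion 2/3 keys `packages` by install path:
    node_modules/<name>, node_modules/a/node_modules/b, ..."""
    out = {}
    for path, meta in lock.get("packages", {}).items():
        # "" is the root project; paths without node_modules/ are workspace folders.
        if "node_modules/" not in path:
            continue
        # Workspace symlinks carry link=true and no registry version: nothing to gate.
        if meta.get("link") or not meta.get("version"):
            continue
        name = path.rsplit("node_modules/", 1)[1]
        out.setdefault(name, set()).add(meta["version"])
    return out


def changed_specs(old_lock, new_lock):
    """name@version for every package newly added, or moved to a version the old
    tree did not already contain (a downgrade to an unseen version counts too)."""
    old, new = installed_versions(old_lock), installed_versions(new_lock)
    specs = {f"{name}@{v}" for name, vs in new.items() for v in vs - old.get(name, set())}
    return sorted(specs)


def gate_body(specs, fail_on="high"):
    """JSON body for POST https://pkgradar.com/gate/npm, same shape as the page's curl."""
    return json.dumps({"specs": specs, "fail_on": fail_on}, separators=(",", ":"))


# Constructed sample lockfiles: the site bumps @plone/volto alpha.45 -> alpha.46,
# adds commander, leaves classnames alone, and links one workspace package.
OLD_LOCK = {
    "name": "site", "lockfileVersion": 3,
    "packages": {
        "": {"name": "site", "dependencies": {"@plone/volto": "16.0.0-alpha.45"}},
        "node_modules/@plone/volto": {"version": "16.0.0-alpha.45"},
        "node_modules/classnames": {"version": "2.2.6"},
        "node_modules/my-addon": {"resolved": "packages/my-addon", "link": True},
        "packages/my-addon": {"name": "my-addon", "version": "0.1.0"},
    },
}
NEW_LOCK = {
    "name": "site", "lockfileVersion": 3,
    "packages": {
        "": {"name": "site", "dependencies": {"@plone/volto": "16.0.0-alpha.46"}},
        "node_modules/@plone/volto": {"version": "16.0.0-alpha.46"},
        "node_modules/classnames": {"version": "2.2.6"},
        "node_modules/commander": {"version": "8.2.0"},
        "node_modules/my-addon": {"resolved": "packages/my-addon", "link": True},
        "packages/my-addon": {"name": "my-addon", "version": "0.2.0"},
    },
}


def main(argv):
    # python gate_specs.py old-package-lock.json new-package-lock.json
    if len(argv) == 3:
        with open(argv[1]) as f_old, open(argv[2]) as f_new:
            old, new = json.load(f_old), json.load(f_new)
    else:
        old, new = OLD_LOCK, NEW_LOCK
    specs = changed_specs(old, new)
    if not specs:
        return 0  # nothing new to gate; print nothing so the curl step can be skipped
    print(gate_body(specs))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it into the step by diffing against the previous commit and feeding the body on stdin: `git show HEAD~1:package-lock.json > /tmp/old.json && python gate_specs.py /tmp/old.json package-lock.json | curl -fsS https://pkgradar.com/gate/npm -H "Authorization: Bearer $PKGRADAR_TOKEN" -H "Content-Type: application/json" -d @-`. Keep `-f` on the curl: it is what turns an HTTP error from the gate into a non-zero exit and a failed build.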
Publisher: sneridagh
Artifact bytes: 218,305,318
Previous version: 16.0.0-alpha.45
Published: 2022-10-28T10:53:54.613Z
SHA-256:

Why flagged

What the scanner saw

New Lifecycle Script Vs Previous: postinstall added in 16.0.0-alpha.46 vs 16.0.0-alpha.45: "yarn patches"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts, and for this release it did not fetch the tarball at all (it exceeds the 50 MB fetch cap), so the findings rest on registry metadata alone: the install scripts and dependency list from package.json.
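
What the "New Lifecycle Script Vs Previous" check amounts to, as an added example rather than PkgRadar's code: pull each version's `scripts` from the registry packument (no tarball needed, which is why the check still worked under the fetch cap), diff the install hooks against the previous release, and follow the `yarn patches` indirection to the command that actually runs. The facts from the page are the added hook, the finding kinds and their points (40 and 5); the sample packument, the risk mapping and the extra "resolved hook command" line that reports output and exit-status suppression are assumptions of this example.

```python
"""Re-run the scanner's "New Lifecycle Script Vs Previous" check from registry
metadata alone.  Added example, not PkgRadar's code.

From the page: postinstall="yarn patches" is present in 16.0.0-alpha.46 and absent
in alpha.45; the finding kinds and point values (40 / 5).  Assumed: the other
scripts in the sample packument, the risk mapping, and the informational
"Resolved hook command" finding."""
import re

# Hooks npm/yarn run when the package is installed as a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# `yarn x`, `yarn run x`, `npm run x`, `npm run-script x`, `pnpm x`, `pnpm run x`
RUNNER_RE = re.compile(
    r"^\s*(?:yarn(?:\s+run)?|npm\s+run(?:-script)?|pnpm(?:\s+run)?)\s+([\w:.-]+)\s*$")

# Shell constructs that hide what a hook prints or whether it failed.
SILENCERS = (
    ("stdout->/dev/null", re.compile(r">\s*/dev/null")),
    ("stderr->stdout", re.compile(r"2>&1")),
    ("exit-status-ignored", re.compile(r"\|\|\s*true\b")),
)


def manifest_from_packument(packument, version):
    """Registry metadata (GET https://registry.npmjs.org/<name>) already carries
    each version's `scripts`, which is all this check needs."""
    return {"name": packument["name"], "version": version,
            "scripts": packument["versions"][version].get("scripts", {})}


def resolve_chain(scripts, command, _seen=None):
    """Follow `yarn foo` / `npm run foo` into the script it names until a command
    that is not a script reference (or a cycle) is reached."""
    seen = set() if _seen is None else _seen
    chain = [command]
    m = RUNNER_RE.match(command)
    if m and m.group(1) in scripts and m.group(1) not in seen:
        seen.add(m.group(1))
        chain += resolve_chain(scripts, scripts[m.group(1)], seen)
    return chain


def silencers(command):
    return [name for name, rx in SILENCERS if rx.search(command)]


def lifecycle_findings(prev, cur):
    """Findings in the page's table shape, high-signal first."""
    p, c = prev.get("scripts", {}), cur.get("scripts", {})
    pv, cv = prev["version"], cur["version"]
    out = []
    for hook in INSTALL_HOOKS:
        if hook in c and hook not in p:
            out.append(dict(severity="high", kind="New Lifecycle Script Vs Previous", path="package.json",
                            detail=f'{hook} added in {cv} vs {pv}: "{c[hook]}"', points=40))
        elif hook in c and c[hook] != p[hook]:
            # Assumption: a rewritten hook is as interesting as a new one.
            out.append(dict(severity="high", kind="Lifecycle Script Changed Vs Previous", path="package.json",
                            detail=f'{hook} changed in {cv} vs {pv}: "{p[hook]}" -> "{c[hook]}"', points=40))
        if hook in c:
            out.append(dict(severity="low", kind="Install-time lifecycle script", path="package.json",
                            detail=f'{hook}="{c[hook]}"', points=5))
            chain = resolve_chain(c, c[hook])
            quiet = silencers(chain[-1])
            if len(chain) > 1 or quiet:  # assumed informational finding, 0 points
                detail = " -> ".join(chain) + (f"  [hides: {', '.join(quiet)}]" if quiet else "")
                out.append(dict(severity="info", kind="Resolved hook command", path="package.json",
                                detail=detail, points=0))
    out.sort(key=lambda f: -f["points"])
    return out


def score(findings):
    return sum(f["points"] for f in findings)


def risk(findings):
    """Assumed mapping: the worst severity present decides the risk label."""
    sev = {f["severity"] for f in findings}
    return "high" if "high" in sev else "low" if "low" in sev else "none"


PACKUMENT = {  # constructed stand-in for the @plone/volto packument, two versions only
    "name": "@plone/volto",
    "versions": {
        "16.0.0-alpha.45": {"scripts": {
            "build": "razzle build --noninteractive",
            "patches": "/bin/bash patches/patchit.sh > /dev/null 2>&1 ||true"}},
        "16.0.0-alpha.46": {"scripts": {
            "build": "razzle build --noninteractive",
            "patches": "/bin/bash patches/patchit.sh > /dev/null 2>&1 ||true",
            "postinstall": "yarn patches"}},
    },
}

if __name__ == "__main__":
    prev = manifest_from_packument(PACKUMENT, "16.0.0-alpha.45")
    cur = manifest_from_packument(PACKUMENT, "16.0.0-alpha.46")
    findings = lifecycle_findings(prev, cur)
    for f in findings:
        print(f"{f['severity']:<5} {f['kind']:<36} {f['path']:<12} {f['detail']}  +{f['points']}")
    print("risk", risk(findings), "score", score(findings))
```

The resolved chain is the part worth reading before clearing the release: `yarn patches` ends in `/bin/bash patches/patchit.sh > /dev/null 2>&1 ||true`, a shell script whose output and exit status are both discarded, and the script itself lives in the tarball the scanner never fetched.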

Availability ledger

Status: available
Risk: high
Score: 45
Version: 16.0.0-alpha.46
Last checked:
Status history (2 events, newest first):
  1. scan_error -> available · risk none -> high · score none -> 45
  2. new -> scan_error · risk none · score none · refusing to fetch https://registry.npmjs.org/@plone/volto/-/volto-16.0.0-alpha.46.tgz: content-length 128470802 exceeds 50000000

Evidence

Static findings

2 static · 1 from release diff · showing high-signal first.

Severity · Kind · Path · Detail · Points
high · New Lifecycle Script Vs Previous · package.json · postinstall added in 16.0.0-alpha.46 vs 16.0.0-alpha.45: "yarn patches" · 40
low · Install-time lifecycle script · package.json · postinstall="yarn patches" · 5
low · Oversized Unscanned · manifest · tarball exceeds the 50MB fetch cap; scanned registry metadata (install scripts + dependencies) only · 0

Manifest

Package metadata

Scripts (27)
  • analyze: BUNDLE_ANALYZE=true razzle build
  • build: razzle build --noninteractive
  • build-storybook: build-storybook
  • deduplicate: yarn-deduplicate yarn.lock
  • dry-release: release-it --dry-run
  • i18n: rm -rf build/messages && NODE_ENV=production i18n
  • i18n:ci: yarn i18n && git diff -G'^[^"POT]' --exit-code
  • lint: ./node_modules/eslint/bin/eslint.js --max-warnings=0 'src/**/*.{js,jsx,json}'
  • lint:fix: ./node_modules/eslint/bin/eslint.js --fix 'src/**/*.{js,jsx,json}'
  • patches: /bin/bash patches/patchit.sh > /dev/null 2>&1 ||true
  • postinstall: yarn patches
  • prettier: prettier --single-quote --check 'src/**/*.{js,jsx,ts,tsx,json}'
  • prettier:fix: prettier --single-quote --write 'src/**/*.{js,jsx,ts,tsx,json}'
  • release: release-it
  • release-alpha: release-it --preRelease=alpha
  • release-major-alpha: release-it major --preRelease=alpha
  • start: razzle start
  • start:prod: NODE_ENV=production node build/server.js
  • storybook: start-storybook -p 6006
  • stylelint: stylelint 'theme/**/*.{css,less}' 'src/**/*.{css,less}'
  • stylelint:fix: yarn stylelint --fix && yarn stylelint:overrides --fix
  • stylelint:overrides: stylelint 'theme/**/*.overrides' 'src/**/*.overrides'
  • stylelint:patches: patch -p0 -N node_modules/stylelint/lib/getPostcssResult.js < patches/fixstylelint.patch || true
  • test: razzle test --maxWorkers=50%
  • test:ci: CI=true NODE_ICU_DATA=node_modules/full-icu razzle test
  • test:debug: node --inspect node_modules/.bin/jest --runInBand
  • test:husky: CI=true yarn test --bail --findRelatedTests
Dependencies (165)
  • @babel/core: ^7.0.0
  • @babel/plugin-proposal-export-default-from: 7.18.9
  • @babel/plugin-proposal-export-namespace-from: 7.18.9
  • @babel/plugin-proposal-json-strings: 7.18.6
  • @babel/plugin-proposal-nullish-coalescing-operator: 7.18.6
  • @babel/plugin-proposal-throw-expressions: 7.18.6
  • @loadable/babel-plugin: 5.13.2
  • @loadable/component: 5.14.1
  • @loadable/server: 5.14.0
  • @loadable/webpack-plugin: 5.14.0
  • @plone/scripts: 2.1.2
  • @testing-library/cypress: 8.0.3
  • @testing-library/jest-dom: 5.16.4
  • @testing-library/react: 12.1.5
  • @testing-library/react-hooks: 8.0.1
  • autoprefixer: 10.4.8
  • axe-core: 4.4.2
  • babel-eslint: 10.1.0
  • babel-plugin-add-module-exports: 0.2.1
  • babel-plugin-lodash: 3.3.4
  • babel-plugin-react-intl: 5.1.17
  • babel-plugin-root-import: 6.1.0
  • babel-preset-razzle: 4.2.17
  • bundlewatch: 0.2.7
  • circular-dependency-plugin: 5.2.2
  • classnames: 2.2.6
  • commander: 8.2.0
  • connected-react-router: 6.8.0
  • crypto-random-string: 3.2.0
  • css-loader: 5.2.7
  • …and 135 more.