PkgRadar

Package evidence

@portel/[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
981
Versions published
63Established · −30% score
First published
Nov 2025
Publisher
luracast

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@portel/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@portel/[email protected]"],"fail_on":"review"}'
Publisherluracast
Artifact bytes8,034,458
Previous version1.33.4
Published2026-05-28T15:54:08.255Z
SHA-256c3fce6879fa2c5e04c31eb98174f481c2f530df4bf66fe46f7af2f66f3ea0d13

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
23Score
1.34.0Version
Status history (1 event)
  1. newavailable · risk review · score 23 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/cli/commands/changelog.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/loader.jsmatched "raw.githubusercontent.com"12
Show all 6 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/cli/commands/changelog.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/loader.jsmatched "raw.githubusercontent.com"12
lowCredential file accesspackage/dist/marketplace-manager.jsmatched "GITHUB_TOKEN"5
lowCredential file accesspackage/dist/cli/commands/package.jsmatched "GITHUB_TOKEN"5
lowLarge Javascript Payloadpackage/dist/beam-ts-worker.js9969988 bytes0
lowLarge Javascript Payloadpackage/dist/beam.bundle.js3912921 bytes0

Manifest

Package metadata

Scripts93
  • buildeslint src/ --quiet && tsc && cp -r src/photons dist/ && chmod +x dist/cli.js && node scripts/build-beam.mjs
  • build:beamnode scripts/build-beam.mjs
  • devtsc --watch
  • dev:beambun run build && bun run build:beam && (trap 'kill 0' EXIT; tsc --watch --preserveWatchOutput & node scripts/build-beam.mjs --watch & sleep 1 && tsx watch src/cli.ts beam)
  • docs:buildbun run docs:sync && vitepress build docs-site && node scripts/fix-docs-site-build.mjs
  • docs:devbun run docs:sync && vitepress dev docs-site
  • docs:previewvitepress preview docs-site
  • docs:syncnode scripts/sync-docs-site.mjs
  • formatprettier --write "src/**/*.ts"
  • format:checkprettier --check "src/**/*.ts"
  • knipknip
  • linteslint src/
  • lint:fixeslint src/ --fix
  • preparegit config core.hooksPath .githooks || true
  • prepublishOnlybun run verify:publish-version && node -e "const p=require('./package.json'); if(JSON.stringify(p.dependencies).includes('file:')) { console.error('ERROR: file: dependency found.'); process.exit(1); }" && node -e "const fs=require('fs'),path=require('path'); const p=require('./package.json'); for(const d of Object.keys(p.dependencies||{})){const t=path.join('node_modules',d); if(fs.lstatSync(t).isSymbolicLink()){console.error('ERROR: '+d+' is linked. Run: bun remove '+d+' && bun add '+d); process.exit(1);}}" && bun run build && bun run build:beam
  • releaserelease-it
  • release:dryrelease-it --dry-run
  • release:majorrelease-it major
  • release:minorrelease-it minor
  • release:patchrelease-it patch
  • testbash scripts/run-tests.sh
  • test:a2uibun run build && tsx tests/a2ui-mapper.test.ts && tsx tests/a2ui-e2e.test.ts && tsx tests/a2ui-renderer-script.test.ts
  • test:allbun run build && bun run test:security && bun run test:schema && bun run test:marketplace && bun run test:loader && bun run test:server && bun run test:integration && bun run test:byte-compat && bun run test:format-registry && bun run test:content-negotiation && bun run test:ui-resources && bun run test:client-adaptive && bun run test:zero-config && bun run test:mcp-config && bun run test:cli && bun run test:intent && bun run test:logger && bun run test:error-handler && bun run test:validation && bun run test:daemon-pubsub && bun run test:daemon-buffer && bun run test:instance-drift && bun run test:daemon-watcher && bun run test:ui-rendering && bun run test:photon-instance-manager && bun run test:viewport-aware-proxy && bun run test:viewport-manager && bun run test:pagination-integration && bun run test:pagination-performance && tsx tests/pagination-phase5.test.ts && tsx tests/pagination-phase5c.test.ts && tsx tests/pagination-phase5d.test.ts && tsx tests/phase6a-service-worker.test.ts && tsx tests/phase6b-offline-state.test.ts && tsx tests/phase6c-offline-sync.test.ts && tsx tests/phase6d-integration.test.ts && tsx tests/promises.test.ts && bun run test:cf-bindings && bun run test:cf-runtime && bun run test:cf-overrides && bun run test:cf-deploy && bun run test:cf-mcp-bearer && bun run test:readme
  • test:beambun run build && tsx tests/beam/rendering.test.ts
  • test:beam:regressionsbun run build && tsx tests/beam/beam-integration-regressions.test.ts
  • test:bridgebun run test:bridge:generation && bun run test:bridge:protocol && bun run test:bridge:beam
  • test:bridge:beamtsx tests/bridge/beam-integration.test.ts
  • test:bridge:generationtsx tests/bridge/bridge-generation.test.ts
  • test:bridge:protocoltsx tests/bridge/protocol.test.ts
  • test:byte-compatRUN_E2E=1 vitest run tests/v128-byte-compat.test.ts
  • …and 63 more.
Dependencies17
  • @chenglou/pretext^0.0.7
  • @modelcontextprotocol/ext-apps^1.0.1
  • @modelcontextprotocol/sdk^1.29.0
  • @portel/cli^1.1.0
  • @portel/photon-core^2.27.0
  • boxen^8.0.1
  • chalk^5.4.1
  • chart.js^4.5.1
  • chokidar^4.0.3
  • cli-highlight^2.1.11
  • cli-table3^0.6.5
  • commander^12.1.0
  • esbuild^0.28.0
  • fast-json-patch^3.1.1
  • miniflare^4.20260507.1
  • ora^9.3.0
  • qrcode^1.5.4
Optional dependencies1
  • better-sqlite3^12.9.0