Package evidence
@public-ui/[email protected]
Install-time lifecycle script: postinstall="node ./postinstall.js"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 5,629Niche · −30% score
- Versions published
- 582Mature · −50% score
- First published
- Sep 2022
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@public-ui/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@public-ui/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Install-time lifecycle script: postinstall="node ./postinstall.js"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 1 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Install-time lifecycle script | package.json | postinstall="node ./postinstall.js" | 5 |
| low | Obfuscation Density | package/dist/cjs/component-4yrnT9ww.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/esm/component-CQaxTS4u.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/components/component2.js | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts21
assets:koliconspnpm --filter @public-ui/icons buildbuildpnpm build:lightbuild:lightmkdir doc && cross-env NODE_ENV=production stencil build --docs --prod && node scripts/autogen.doc.js && node scripts/vaadin.js && pnpm format -wclearrimraf -g dist doc www ../adapters/angular/v19/src ../adapters/angular/v20/src ../adapters/angular/v21/src ../adapters/hydrate/dist ../adapters/react/src ../adapters/react-v19/src ../adapters/solid/src ../adapters/vaadin/*.java ../adapters/vue/src assets/koliconsdevcross-env NODE_ENV=development stencil build --prod --watchformatprettier --check srclintpnpm lint:eslint && pnpm lint:stylelint && pnpm lint:tsclint:eslinteslint srclint:stylelintstylelint "src/**/*.{css,scss}"lint:stylelint:componentsstylelint src/components/**/*.{css,scss}lint:tsctsc --noemitpostinstallnode ./postinstall.jsprebuild:lightpnpm clear && pnpm assets:koliconspretest:e2epnpm assets:koliconsprodstencil build --prodtestpnpm test:unit && pnpm test:e2etest:e2eplaywright testtest:unitmkdir -p dist && cross-env NODE_ENV=test stencil test --spec --json --outputFile dist/jest-test-results.jsontest:update:unitpnpm test:unit -utest:watchcross-env NODE_ENV=test stencil test --spec --watchAllxunusedknip
Dependencies8
@floating-ui/dom1.7.6color-convert3.1.3color-rgba2.4.0lodash-es4.18.1markdown-it14.2.0rgba-convert0.3.0typed-bem1.0.2wcag-contrast3.0.0