PkgRadar

Package evidence

@quenty/[email protected]

Install-time lifecycle script: preinstall="npx only-allow pnpm"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
407Mature · −50% score
First published
Mar 2022
Publisher
quenty

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@quenty/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@quenty/[email protected]"],"fail_on":"review"}'
Publisherquenty
Artifact bytes22,473
Previous version11.46.0
Published2026-05-30T00:41:12.874Z
SHA-256de460897b63de23a4e7764a9dd960d8a6d74c30ffe29d48bd7e531c8e1cabf4f

Why flagged

What the scanner saw

Install-time lifecycle script: preinstall="npx only-allow pnpm"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
2Score
11.46.1Version
Status history (1 event)
  1. newavailable · risk review · score 2 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowInstall-time lifecycle scriptpackage.jsonpreinstall="npx only-allow pnpm"5

Manifest

Package metadata

Scripts1
  • preinstallnpx only-allow pnpm
Dependencies29
  • @quenty/adorneedata7.34.1
  • @quenty/attributeutils14.30.1
  • @quenty/baseobject10.13.0
  • @quenty/binder14.36.1
  • @quenty/brio14.30.1
  • @quenty/defaultvalueutils1.4.1
  • @quenty/ducktype5.11.0
  • @quenty/enums1.3.0
  • @quenty/instanceutils13.30.1
  • @quenty/jsonutils10.18.1
  • @quenty/linkutils13.30.1
  • @quenty/loader10.11.0
  • @quenty/maid3.9.0
  • @quenty/nevermore-test-runner1.4.0
  • @quenty/observablecollection12.38.1
  • @quenty/remoting12.32.1
  • @quenty/rx13.28.3
  • @quenty/rxbinderutils14.36.1
  • @quenty/rxsignal7.28.3
  • @quenty/servicebag11.18.1
  • @quenty/signal7.13.1
  • @quenty/spring10.12.0
  • @quenty/string3.3.7
  • @quenty/table3.9.2
  • @quenty/tie10.40.1
  • @quenty/valuebaseutils13.30.1
  • @quenty/valueobject13.31.1
  • @quentystudios/jest-lua3.10.0-quenty.2
  • @quentystudios/t^3.0.0