Package evidence
@requestnetwork/[email protected]
Remote Dependency Spec: dependencies.commerce-payments="git+https://github.com/base/commerce-payments.git#v1.0.0"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,445Niche · −30% score
- Versions published
- 702Mature · −50% score
- First published
- Dec 2019
- Publisher
- rodrigopavezi-request
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@requestnetwork/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@requestnetwork/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Dependency Spec: dependencies.commerce-payments="git+https://github.com/base/commerce-payments.git#v1.0.0"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 6 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Dependency Spec | package.json | dependencies.commerce-payments="git+https://github.com/base/commerce-payments.git#v1.0.0" | 12 |
Manifest
Package metadata
Scripts38
buildyarn build:sol && yarn build:libbuild:libtsc -b tsconfig.build.json && cp src/types/*.d.ts dist/src/types && cp -r dist/src/types typesbuild:solyarn hardhat compilecleanyarn clean:lib && yarn clean:types && yarn clean:hardhatclean:hardhatrm -rf cache && rm -rf buildclean:librm -rf dist tsconfig.tsbuildinfo tsconfig.build.tsbuildinfoclean:typesrm -rf types && rm -rf src/typesdeployyarn hardhat deploy-local-env --network privateganacheyarn hardhat nodelintyarn run lint:lib && yarn run lint:sollint:checkyarn run lint:lib:check && yarn run lint:sol:checklint:libeslint . --fixlint:lib:checkeslint .lint:solsolhint "src/contracts/**/*.sol" --fixlint:sol:checksolhint "src/contracts/**/*.sol"prebuild:solyarn workspace @requestnetwork/types build && yarn workspace @requestnetwork/utils build && yarn workspace @requestnetwork/currency buildsecurity:allyarn security:slither && yarn security:echidna:quicksecurity:echidna./scripts/run-echidna.shsecurity:echidna:ci./scripts/run-echidna.sh --cisecurity:echidna:quick./scripts/run-echidna.shsecurity:echidna:thorough./scripts/run-echidna.sh --thoroughsecurity:fullyarn security:slither && yarn security:echidna:thoroughsecurity:slither./scripts/run-slither.shtestyarn hardhat test --network privatetest:libyarn jest test/libtron:compiletronbox compile --config tronbox-config.jstron:deploy:mainnetnode scripts/tron/deploy-mainnet.jstron:deploy:nilenode scripts/tron/deploy-nile.jstron:deploy:test-tokennode scripts/tron/deploy-test-token.jstron:migrate:developmenttronbox migrate --config tronbox-config.js --network development- …and 8 more.
Dependencies2
commerce-paymentsgit+https://github.com/base/commerce-payments.git#v1.0.0tslib2.8.1