Package evidence

@rio-cloud/[email protected]

Remote Dependency Spec: dependencies.react-datetime="github:rio-cloud/react-datetime#v3.1.1-1-merged"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 169Mature · −50% score
First published: Nov 2020
Publisher: rio_cop_frontend

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@rio-cloud/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@rio-cloud/[email protected]"],"fail_on":"review"}'

Publisherrio_cop_frontend

Artifact bytes1,164,113

Previous version2.3.0

Published2026-04-27T13:59:25.562Z

SHA-256f3176c178437020b2c4724053666405190b88461bbd6805e72fb5ff845ea28a0

Why flagged

What the scanner saw

Remote Dependency Spec: dependencies.react-datetime="github:rio-cloud/react-datetime#v3.1.1-1-merged"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

12h agoLast checked

reviewRisk

3Score

2.4.0Version

Status history (1 event)

new → available12h ago · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Dependency Spec	package.json	dependencies.react-datetime="github:rio-cloud/react-datetime#v3.1.1-1-merged"	12

Manifest

Package metadata

Scripts16

buildnpm run build:rioglyph && npm run build:styles && npm run build:lib && npm run format-code && echo ' 📦 Publish to npm only from within 'package' folder 📦'
build:libvite build
build:rioglyphsvgo -f rioglyph/svgs && vite build --mode rioglyph
build:stylesvite build --mode styles
check-licensesecho check-licenses
coveragevitest run --coverage
format-codenpm run format-code:uikit && npm run format-code:demo
format-code:demobiome format --write uikit-demo/src
format-code:uikitbiome format --write .
license-checkecho license-check
lintbiome check --max-diagnostics 2000
lint-fixbiome check --write
testvitest run
test-devvitest
test:civitest run --reporter=junit --outputFile.junit=./results/jest/junit.xml
test:uinode tools/testUI.js && backstop reference --config='test/backstop/config.js' && backstop test --config='test/backstop/config.js'

Dependencies31

@dnd-kit/core6.3.1
@dnd-kit/modifiers9.0.0
@dnd-kit/sortable10.0.0
@dnd-kit/utilities3.2.2
@formkit/auto-animate0.9.0
@popperjs/core2.11.8
@tanstack/react-virtual3.13.24
date-fns4.1.0
driver.js1.4.0
es-toolkit1.45.1
events3.3.0
iframe-resizer-react1.1.0
moment2.30.1
motion12.38.0
natural-orderby5.0.0
process0.11.10
prop-types15.8.1
react-bootstrap1.6.4
react-content-loader7.1.2
react-custom-scrollbars-44.5.1
react-datetimegithub:rio-cloud/react-datetime#v3.1.1-1-merged
react-day-picker9.14.0
react-dropzone14.3.8
react-imask7.6.1
react-notifications1.7.4
react-onclickoutside6.13.2
react-popper2.3.0
react-toastify11.0.5
recharts3.8.1
tiny-invariant1.3.3
…and 1 more.