Package evidence

@rocketleap/[email protected]

Large Javascript Payload: 3005024 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 58
First published: Jan 2026
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@rocketleap/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@rocketleap/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes3,771,755

Previous version1.4.1

Published2026-05-27T17:48:05.963Z

SHA-256eb502081412fa84ae445f0a79e80a1317f4b16eeef1bccb49317c5776be21981

Why flagged

What the scanner saw

Large Javascript Payload: 3005024 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

16d agoLast checked

reviewRisk

9Score

1.5.0Version

Status history (1 event)

new → available16d ago · risk review · score 9 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Large Javascript Payload	package/.yarn/releases/yarn-4.9.2.cjs	3005024 bytes	10
medium	Large Javascript Payload	package/releases/yarn-4.9.2.cjs	3005024 bytes	10

Show all 4 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Large Javascript Payload	package/.yarn/releases/yarn-4.9.2.cjs	3005024 bytes	10
medium	Large Javascript Payload	package/releases/yarn-4.9.2.cjs	3005024 bytes	10
low	Credential file access	package/lib/common/workflows.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/lib/common/yarn.js	matched "GITHUB_TOKEN"	5

Manifest

Package metadata

Scripts22

buildnpx projen build
bumpnpx projen bump
clobbernpx projen clobber
compatnpx projen compat
compilenpx projen compile
defaultnpx projen default
docgennpx projen docgen
ejectnpx projen eject
eslintnpx projen eslint
packagenpx projen package
package-allnpx projen package-all
package:jsnpx projen package:js
post-compilenpx projen post-compile
post-upgradenpx projen post-upgrade
pre-compilenpx projen pre-compile
projennpx projen
releasenpx projen release
testnpx projen test
test:watchnpx projen test:watch
unbumpnpx projen unbump
upgradenpx projen upgrade
watchnpx projen watch