PkgRadar

Package evidence

@runloop/[email protected]

Known Indicator Filename: package/sdk/execution.js

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
26,144Mainstream · −50% score
Versions published
132Mature · −50% score
First published
Jun 2024
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@runloop/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@runloop/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes495,519
Previous version1.20.0
Published2026-05-13T16:05:47.351Z
SHA-2568de1718b54212dd7cdc6841d6fbfc53aea189f408de729295502e8987fa38fe3

Why flagged

What the scanner saw

Known Indicator Filename: package/sdk/execution.js

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
13Score
1.21.0Version
Status history (1 event)
  1. newavailable · risk review · score 13 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highKnown Indicator Filenamepackage/sdk/execution.jspackage/sdk/execution.js45

Manifest

Package metadata

Scripts19
  • build./scripts/build
  • check:examples-mdyarn generate:examples-md && git diff --exit-code EXAMPLES.md examples/registry.ts
  • deploy-gh-pagesgh-pages -d typedoc
  • docstypedoc --options typedoc.json
  • docs:mdtypedoc --options typedoc.md.json
  • docs:watchtypedoc --options typedoc.json --watch
  • fix./scripts/format
  • formatprettier --write --cache --cache-strategy metadata . !dist
  • generate:examples-mdnode ./scripts/generate-examples-md.cjs
  • lint./scripts/lint
  • predeploy-gh-pagesyarn docs:sdk
  • test./scripts/test
  • test:built-packageyarn build && RUN_BUILT_PACKAGE_TEST=1 jest --verbose tests/smoketests/build-package.test.ts
  • test:examplesRUN_SMOKETESTS=1 jest --verbose tests/smoketests/examples/examples.test.ts
  • test:objectsRUN_SMOKETESTS=1 jest --config jest.config.objects.js --verbose
  • test:objects-coverageRUN_SMOKETESTS=1 jest --verbose --config jest.config.objects.js --coverage --coverageReporters=text --coverageReporters=json-summary
  • test:objects-coverage:htmlRUN_SMOKETESTS=1 jest --verbose --config jest.config.objects.js --coverage --coverageReporters=html --coverageReporters=text && open coverage-objects/index.html
  • test:smokeRUN_SMOKETESTS=1 jest --verbose tests/smoketests
  • tsnts-node -r tsconfig-paths/register
Dependencies10
  • @types/node^18.11.18
  • @types/node-fetch^2.6.4
  • abort-controller^3.0.0
  • agentkeepalive^4.2.1
  • form-data-encoder1.7.2
  • formdata-node^4.3.2
  • node-fetch^2.6.7
  • tar^7.5.2
  • uuidv7^1.0.2
  • zod^3.24.1