Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published: 104 (Established · −30% score)
- First published: Sep 2025
- Publisher: GitHub Actions (Trusted automation · −70% score)
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@sap-ux/[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@sap-ux/[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Large Javascript Payload: 4406992 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 3 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/index.js | 4406992 bytes | 10 |
Manifest
Package metadata
Scripts (22)

| Script | Command |
|---|---|
| build | `npm-run-all build-compile build-bundle` |
| build-bundle | `pnpm run build-esbuild-base --minify && pnpm run copy-icons` |
| build-compile | `tsc --noEmit` |
| build-dev | `pnpm run build-esbuild-base --sourcemap=inline` |
| build-esbuild-base | `esbuild --bundle --platform=node --target=node20 --outdir=dist --external:vscode --external:@lancedb/lancedb --external:@xenova/transformers --external:@sap-ux/fiori-docs-embeddings --external:@sap-ux/store --main-fields=module,main src/index.ts` |
| bundle | `npm-run-all build tgz:package tgz:rename` |
| clean | `rimraf --glob dist test/test-output *.tsbuildinfo` |
| copy-icons | `node -e "const fs=require('node:fs');const path=require('node:path');['icon.png','icon.svg'].forEach(f=>fs.copyFileSync(path.join('assets',f),path.join('dist',f)))"` |
| format | `prettier --write '**/*.{js,json,ts,yaml,yml}' --ignore-path ../../.prettierignore` |
| inspector | `npx @modelcontextprotocol/inspector node dist/index.js` |
| inspector-ts | `npx @modelcontextprotocol/inspector ts-node -T src/index.ts --log-level=debug` |
| lint | `eslint` |
| lint:fix | `eslint --fix` |
| start | `npx -y supergateway --port 9881 --sessionTimeout 300000 --stdio "node ./dist/index.js"` |
| test | `jest --ci --forceExit --detectOpenHandles --colors` |
| test:integration:dev | `promptfoo eval --config test/integration/scenarios/test-dev.yaml --max-concurrency 1 --repeat 1 --output reports/integration.txt` |
| test:integration:multiple | `npm run test:promptfoo -- --repeat 5` |
| test:integration:once | `promptfoo eval --config test/integration/scenarios/promptfooconfig.yaml --max-concurrency 1 --repeat 1 --output reports/integration.txt` |
| tgz:package | `pnpm pack` |
| tgz:rename | ``node -e "const fs=require('fs'), p=require('./package.json'), d=new Date().toISOString().split('T')[0], oldName=p.name.startsWith('@') ? `${p.name.replace('@', '').replace('/', '-')}-${p.version}.tgz` : `${p.name}-${p.version}.tgz`; fs.renameSync(oldName, `${oldName.replace('.tgz','')}-${d}.tgz`)"`` |
| view:integration | `promptfoo view -y` |
| watch | `tsc --watch` |
Dependencies (7)

| Dependency | Version |
|---|---|
| @lancedb/lancedb | 0.22.0 |
| @sap-ux/fiori-docs-embeddings | 0.5.1 |
| @sap-ux/store | 1.6.0 |
| @xenova/transformers | 2.17.2 |
| apache-arrow | 18.1.0 |
| mem-fs | 2.1.0 |
| mem-fs-editor | 9.4.0 |