PkgRadar

Package evidence

@sentio/[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 1,645 (Mature · −50% score)
First published: May 2022
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@sentio/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@sentio/[email protected]"],"fail_on":"review"}'

Artifact bytes: 1,773,241
Previous version: 4.0.0-rc.2
Published: 2026-06-11T06:52:53.483Z
SHA-256: 9e293d499020de7609e4223bf850b05c75c7f8ff6859acdbfb5afbd6ac5cc849

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 15
Version: 4.0.0-rc.3
Status history (1 event)
  1. new available · risk review · score 15 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

Severity | Kind | Path | Detail | Points
medium | Remote Payload | package/lib/iota/ext/coin.js | matched "raw.githubusercontent.com" | 12
medium | Remote Payload | package/lib/sui/ext/coin.js | matched "raw.githubusercontent.com" | 12
medium | Remote Payload | package/lib/aptos/ext/token.js | matched "raw.githubusercontent.com" | 12
medium | Remote Payload | package/src/iota/ext/coin.ts | matched "raw.githubusercontent.com" | 12
medium | Remote Payload | package/src/sui/ext/coin.ts | matched "raw.githubusercontent.com" | 12
medium | Remote Payload | package/src/aptos/ext/token.ts | matched "raw.githubusercontent.com" | 12

Manifest

Package metadata

Scripts: 23
  • build: pnpm gen && pnpm compile
  • build:all: pnpm --filter=$(node -p "require('./package.json').name")... build
  • build:bundle: pnpm gen && pnpm bundle
  • bundle: tsup --config src/bundle.config.ts
  • bundle:dts: tsc --emitDeclarationOnly --declaration
  • compile: tsc && cp src/tsup.config.ts lib
  • gen: pnpm gen:eth && pnpm gen:aptos && pnpm gen:sui && pnpm gen:iota && pnpm gen:solana && pnpm gen:fuel && pnpm gen:store
  • gen:aptos: cp node_modules/@typemove/aptos/src/abis/*.json src/aptos/abis && tsx src/aptos/codegen/run.ts src/aptos/abis src/aptos/builtin && pnpm gen:aptos_test
  • gen:aptos_test: tsx src/aptos/codegen/run.ts src/aptos/tests/abis src/aptos/tests/types
  • gen:docs: typedoc --options typedoc.json
  • gen:eth: tsx src/eth/codegen/run.ts src/eth/abis src/eth/builtin && pnpm gen:eth_test
  • gen:eth_test: tsx src/eth/codegen/run.ts src/eth/tests/abis/eth ./src/eth/tests/types
  • gen:fuel: tsx src/fuel/codegen/run.ts src/fuel/abis src/sui/builtin && pnpm gen:fuel_test
  • gen:fuel_test: tsx src/fuel/codegen/run.ts src/fuel/tests/abis src/fuel/tests/types
  • gen:iota: cp node_modules/@typemove/iota/src/abis/*.json src/iota/abis && tsx src/iota/codegen/run.ts src/iota/abis src/iota/builtin && pnpm gen:iota_test
  • gen:iota_test: tsx src/iota/codegen/run.ts src/iota/tests/abis src/iota/tests/types
  • gen:solana: tsx src/solana/codegen/run.ts src/solana/tests/abis src/solana/tests/types
  • gen:store: tsx src/store/run.ts src/store/tests src/store/tests/generated
  • gen:sui: cp node_modules/@typemove/sui/src/abis/*.json src/sui/abis && tsx src/sui/codegen/run.ts src/sui/abis src/sui/builtin && pnpm gen:sui_test
  • gen:sui_test: tsx src/sui/codegen/run.ts src/sui/tests/abis src/sui/tests/types
  • sync_sui_to_iota: tsx sync-sui-to-iota.ts
  • test: tsx --test 'src/**/*.test.ts'
  • test:db: tsx --test 'src/store/tests/database.test.ts'
Dependencies: 38
  • @anchor-lang/borsh ^1.0.2
  • @anchor-lang/core ^1.0.2
  • @aptos-labs/ts-sdk ~7.1.0
  • @bufbuild/protobuf ^2.12.0
  • @connectrpc/connect ^2.0.0
  • @iota/iota-sdk ~1.14.0
  • @mysten/sui ~2.17.0
  • @prettier/sync ^0.6.0
  • @sentio/api 1.0.2
  • @sentio/bigdecimal 9.1.1-patch.3
  • @sentio/chain ~3.4.29
  • @sentio/ethers-v6 ^1.0.29
  • @sentio/protos 4.0.0-rc.3
  • @sentio/runtime ^4.0.0-rc.3
  • @solana/kit ^6.9.0
  • @typemove/aptos 2.0.3
  • @typemove/iota 2.0.3
  • @typemove/move 2.0.3
  • @typemove/sui 2.0.3
  • bs58 ^6.0.0
  • chalk ^5.3.0
  • csv-parse ^6.0.0
  • ethers npm:@sentio/[email protected]
  • fuels ^0.103.0
  • got ^14.4.7
  • graphql ^16.11.0
  • js-sha3 ^0.9.3
  • lru-cache ^11.1.1
  • mkdirp ^3.0.1
  • node-fetch ^3.3.2
  • …and 8 more.