Package evidence
@shbernal/[email protected]
Suspicious Publish Context: {"package_age_days":7,"publisher":"GitHub Actions","burst_same_day":0,"burst_week":0,"lure":{"kind":"token_affix","target":"pptxgenjs"},"version_anomaly":true,"new_account":false}
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,044Niche · −30% score
- Versions published
- 8
- First published
- Jun 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@shbernal/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@shbernal/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Suspicious Publish Context: {"package_age_days":7,"publisher":"GitHub Actions","burst_same_day":0,"burst_week":0,"lure":{"kind":"token_affix","target":"pptxgenjs"},"version_anomaly":true,"new_account":false}
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Suspicious Publish Context | manifest | {"package_age_days":7,"publisher":"GitHub Actions","burst_same_day":0,"burst_week":0,"lure":{"kind":"token_affix","target":"pptxgenjs"},"version_anomaly":true,"new_account":false} | 10 |
Manifest
Package metadata
Scripts43
buildtsdowncheck-validatornode tools/ooxml-validator/check-updates.jsdocs:apinode scripts/docs-api.mjsdocs:buildpnpm run docs:prepare && python3 scripts/docs-check.py && vitepress build docsdocs:checkpnpm run docs:api && python3 scripts/docs-check.pydocs:devpnpm run docs:prepare && vitepress dev docsdocs:initpython3 scripts/docs-init.pydocs:listpython3 scripts/docs-list.pydocs:llmsnode scripts/generate-llms-docs.mjsdocs:newpython3 scripts/docs-new.pydocs:preparepnpm run docs:api && pnpm run docs:llmsdocs:previewvitepress preview docsformatprettier package.json pnpm-workspace.yaml typedoc.docs.json tsconfig*.json docs/docs.json docs/tsconfig.json docs/.vitepress/config.mts eslint.config.mjs tsdown.config.ts "scripts/**/*.mjs" "test/**/*.mjs" "test/**/*.js" ".github/**/*.yml" --writeformat:checkprettier package.json pnpm-workspace.yaml typedoc.docs.json tsconfig*.json docs/docs.json docs/tsconfig.json docs/.vitepress/config.mts eslint.config.mjs tsdown.config.ts "scripts/**/*.mjs" "test/**/*.mjs" "test/**/*.js" ".github/**/*.yml" --checklinteslint . --no-warn-ignoredlint:fixpnpm run lint -- --fixpack:checkpnpm pack --dry-run --jsonpackage:lintnode scripts/package-lint.mjsprepackpnpm run buildpreparelefthook installstartpnpm run watchstrict:checktsc -p tsconfig.strict.json --noEmitstrict:null:checktsc -p tsconfig.strict-null.json --noEmittestpnpm run build && vitest run test/regression test/schema-validation.test.mjstest:coveragepnpm run build && vitest run --coverage test/regressiontest:demo:nodenode scripts/demo-smoke.mjs nodetest:demo:vitenode scripts/demo-smoke.mjs vitetest:demosnode scripts/demo-smoke.mjstest:packagenode scripts/package-smoke.mjstest:readpnpm run build && vitest run test/read- …and 13 more.
Dependencies3
@xmldom/xmldom^0.9.10fast-xml-parser^5.8.0jszip^3.10.1