Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 2,336Niche · −30% score
- Versions published
- 70
- First published
- May 2026
- Publisher
- zehua.wang
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Looks clean — keep monitoringNo high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@shwfed/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@shwfed/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Large Javascript Payload: 3444585 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk low · score 0 · status changed
Evidence
Static findings
25 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 25 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Large Javascript Payload | package/dist/preview/assets/index-CpLuDJe9.js | 3444585 bytes | 0 |
| low | Obfuscation Density | package/dist/runtime/share/layout.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/actions/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/form/fields/2026-04-29/com.shwfed.form.field.combobox.single/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/form/fields/2026-05-13/com.shwfed.form.field.combobox.single.remote/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/form/fields/2026-05-13/com.shwfed.form.field.list/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/form/fields/2026-05-28/com.shwfed.form.field.combobox.multi/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/form/fields/2026-05-28/com.shwfed.form.field.combobox.single/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/form/fields/2026-05-28/com.shwfed.form.field.tree.combobox.multi/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/form/fields/2026-05-28/com.shwfed.form.field.tree.combobox.single/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/form/fields/2026-05-28/com.shwfed.form.field.tree.multi/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/columns/2026-05-24/com.shwfed.table.column.combobox-single.remote.options-remote/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/columns/2026-05-25/com.shwfed.table.column.combobox-multi.remote.options-remote/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/columns/2026-05-26/com.shwfed.table.column.combobox-multi.remote/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/columns/2026-05-26/com.shwfed.table.column.combobox-multi/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/columns/2026-05-26/com.shwfed.table.column.combobox-single.remote/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/columns/2026-05-26/com.shwfed.table.column.combobox-single/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/columns/2026-05-27/com.shwfed.table.column.tree-combobox-multi/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/columns/2026-05-27/com.shwfed.table.column.tree-combobox-single/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/columns/2026-05-28/com.shwfed.table.column.combobox-multi/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/columns/2026-05-28/com.shwfed.table.column.combobox-single/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/columns/2026-05-28/com.shwfed.table.column.tree-combobox-multi/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/columns/2026-05-28/com.shwfed.table.column.tree-combobox-single/schema.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/runtime/components/table/schema.js | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/dist/mcp.mjs | 3510225 bytes | 0 |
Manifest
Package metadata
Scripts10
devnpm run dev:prepare && nuxt dev playgrounddev:buildnuxt build playgrounddev:preparenuxt-module-build build --stub && nuxt-module-build prepare && nuxt prepare playgroundlinteslint .prepacknuxt-module-build build && vite build --config vite.mcp.config.ts && vite build --config vite.preview.config.ts && chmod +x dist/mcp.mjspreparehusky && nuxt preparereleasenpm run lint && npm run test && npm run prepack && bumpp && npm publishtestvitest runtest:typesvue-tsc --noEmit && cd playground && vue-tsc --noEmittest:watchvitest watch
Dependencies36
@atlaskit/pragmatic-drag-and-drop^1.8.1@atlaskit/pragmatic-drag-and-drop-hitbox^1.1.0@codemirror/commands^6.10.3@codemirror/language^6.12.3@codemirror/state^6.6.0@codemirror/view^6.43.0@date-fns/tz^1.4.1@iconify/vue^5.0.1@internationalized/date^3.12.1@intlify/unplugin-vue-i18n^11.2.3@lezer/highlight^1.2.3@modelcontextprotocol/sdk^1.29.0@number-flow/vue^0.5.0@nuxt/kit^4.4.5@tailwindcss/typography^0.5.19@tailwindcss/vite^4.3.0@tanstack/vue-table^8.21.3@tanstack/vue-virtual^3.13.24@unovis/ts^1.6.5@unovis/vue^1.6.5@vueuse/core^14.3.0class-variance-authority^0.7.1clsx^2.1.1date-fns^4.1.0defu^6.1.7dot-prop^10.1.0effect^3.21.2fx-fetch^1.1.2markdown-it^14.1.1reka-ui^2.9.7- …and 6 more.