Package evidence

@sitecore-jss/[email protected]

Remote Payload: matched "cUrl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 29,376Mainstream · −50% score
Versions published: 1,577Mature · −50% score
First published: Dec 2020
Publisher: sc_illiakovalenko

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@sitecore-jss/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@sitecore-jss/[email protected]"],"fail_on":"review"}'

Publishersc_illiakovalenko

Artifact bytes61,739

Previous version22.12.1

Published2026-04-29T14:21:32.847Z

SHA-2560b5150b8f03fdef5940cf9557b01267c19a2df4c3f581ac4902bf9e42e163c64

Why flagged

What the scanner saw

Remote Payload: matched "cUrl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

19d agoLast checked

reviewRisk

18Score

22.12.2-canary.1Version

Status history (1 event)

new → available19d ago · risk review · score 18 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/cjs/utils/index.js	matched "cUrl "	12
medium	Remote Payload	package/dist/cjs/utils/utils.js	matched "cUrl "	12
medium	Remote Payload	package/dist/esm/utils/utils.js	matched "cUrl "	12

Manifest

Package metadata

Scripts8

buildnpm run clean && tsc -p tsconfig.json && tsc -p tsconfig-esm.json
cleandel-cli dist types
coveragenyc npm test
generate-docsnpx typedoc --plugin typedoc-plugin-markdown --outputFileStrategy Members --parametersFormat table --readme none --out ../../ref-docs/sitecore-jss-nextjs --entryPoints src/index.ts --entryPoints src/monitoring/index.ts --entryPoints src/editing/index.ts --entryPoints src/middleware/index.ts --entryPoints src/context/index.ts --entryPoints src/utils/index.ts --entryPoints src/site/index.ts --entryPoints src/graphql/index.ts --githubPages false
linteslint "./src/**/*.tsx" "./src/**/*.ts"
prepublishOnlynpm run build
testmocha --require ./test/setup.js "./src/**/*.test.ts" "./src/**/*.test.tsx" --exit
test-devmocha --require ./test/setup.js "./src/**/RichText.test.tsx" --exit

Dependencies6

@sitecore-jss/sitecore-jss22.12.2-canary.1
@sitecore-jss/sitecore-jss-dev-tools22.12.2-canary.1
@sitecore-jss/sitecore-jss-react22.12.2-canary.1
@vercel/kv^0.2.1
regex-parser^2.2.11
sync-disk-cache^2.1.0