Package evidence

@sjcrh/[email protected]

Large Javascript Payload: 6331115 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 466
Versions published: 438Mature · −50% score
First published: Mar 2023
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@sjcrh/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@sjcrh/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes1,837,471

Previous version2.189.0

Published2026-05-22T17:31:27.798Z

SHA-256e9aef529a6defdfc1bc77de76b96e3d72136c02adc8587704b2c7f4f7c8199f5

Why flagged

What the scanner saw

Large Javascript Payload: 6331115 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

16d agoLast checked

reviewRisk

3Score

2.190.0Version

Status history (1 event)

new → available16d ago · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Large Javascript Payload	package/src/app.js	6331115 bytes	10

Manifest

Package metadata

Scripts17

build./build.sh
cjsesbuild "$DIR/*.ts" --platform=node --outdir="$DIR" --format=cjs
combined:coveragecoverageKey=test c8 --all --src=proteinpaint/server --experimental-monocart -r=v8 -r=html -r=json -r=markdown-summary -r=markdown-details -o=./.coverage tsx ./coverage.js &
dedup./dedupjs.sh
devnpm run start
doc../augen/build.sh routes shared/types/routes shared/checkers ../public/docs/server
getconf../build/getConfigProp.cjs
mjsesbuild "$DIR/*.ts" --platform=node --outdir="$DIR" --format=esm
postcombined:coveragerm -rf ./cache
postpack./dedupjs.sh
precombined:coveragetsx emitImports.js unit > serverTests.js
prepacknpm run build
prestarttsx emitImports.js dev > server.js
spec:coveragetsx test/relevant.js
starttsx watch ./start.js
testtsc && npm run test:unit
test:unittsx emitImports.js unit > serverTests.js && c8 tsx --conditions=sjpp/dev serverTests.js && rm -rf ./cache

Dependencies30

@sjcrh/augen2.190.0
@sjcrh/proteinpaint-python2.190.0
@sjcrh/proteinpaint-r2.190.0
@sjcrh/proteinpaint-rust2.190.0
@sjcrh/proteinpaint-shared2.190.0
@sjcrh/proteinpaint-types2.190.0
@types/express^5.0.0
@types/express-session^1.18.1
better-sqlite3^12.4.1
body-parser^1.15.2
canvas~3.2.0
compression^1.6.2
connect-redis^6.1.3
cookie-parser^1.4.5
d3^7.6.1
deep-object-diff^1.1.0
express^4.17.1
express-basic-auth^1.1.5
express-session^1.18.1
got^14.2.0
image-size^0.9.7
jsonwebtoken^9.0.3
ky^1.2.1
micromatch^4.0.5
minimatch^10.0.1
node-fetch^2.6.1
partjson^0.58.2
redis^4.7.0
tiny-async-pool^1.2.0
tough-cookie^4.1.4