Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,901Niche · −30% score
- Versions published
- 767Mature · −50% score
- First published
- Mar 2025
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@sme.up/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@sme.up/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 16 · status changed
Evidence
Static findings
5 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/chunk-727SXJPM-DTmqhRKX.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/flowDiagram-I6XJVG4X-ChI_6giU.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/chunk-727SXJPM-Dof0vDVV.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/dist/ketchup2.cjs.js | 3194241 bytes | 10 |
| medium | Large Javascript Payload | package/dist/ketchup2.es.js | 4097031 bytes | 10 |
Manifest
Package metadata
Scripts25
buildrimraf dist && tsc -b && vite build --config vite.lib.config.tsbuild:storybookrimraf storybook-static && npm run typecheck:storybook && storybook buildcleanrimraf storybook-static && rimraf dist && rimraf node_modulesdevstorybook dev -p 6006docker:builddocker build -f Dockerfile.vrt .linteslint .lint:cssstylelint 'src/**/*.css' --fixpackage:updatenpm i -g npm-check-updates && ncu -u && npm installserve-storybooknode server.jstest:domvitest --config vitest.dom.config.tstest:nodevitest --config vitest.node.config.tstest:reportplaywright show-reporttest:visualnpm run test:vrttest:visual:listts-node test/visual/list-visual-stories.tstest:visual:updatenpm run test:vrt:updatetest:visual:update:namets-node test/visual/update-story-by-name.tstest:visual:update:singlenode test/visual/update-single.mjstest:vrtdocker compose run --rm vrttest:vrt:cinpm run build:storybook && playwright test test/visual/visual.spec.test.jstest:vrt:ci:updatenpm run build:storybook && playwright test test/visual/visual.spec.test.js --update-snapshotstest:vrt:hostnpm run test:vrt:citest:vrt:host:updatenpm run test:vrt:ci:updatetest:vrt:updatedocker compose run --rm vrt npm run test:vrt:ci:updatetypecheck:storybooktsc --noEmit --project tsconfig.storybook.jsontypecheck:storybook:watchtsc --noEmit --project tsconfig.storybook.json --watch
Dependencies6
d3-hierarchy^3.1.2dompurify^3.3.1echarts^6.0.0mermaid^11.14.0pdfjs-dist^5.6.205react-svg^17.2.4