Package evidence

@specverse/[email protected]

Install-time lifecycle script: prepare="npm run build"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@specverse/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@specverse/[email protected]"],"fail_on":"high"}'

Publishercainen

Artifact bytes566,452

Previous version3.5.1

Published2026-03-26T16:09:57.348Z

SHA-2568b2db1d1494f8672194ac15def5365731d7af23add9dbc60d953f7c66e4dee99

Why flagged

What the scanner saw

New Lifecycle Script Vs Previous: prepare added in 3.5.3 vs 3.5.1: "npm run build"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

23d agoLast checked

highRisk

62Score

3.5.3Version

Status history (1 event)

new → available23d ago · risk high · score 62 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

cainen

6 members · evidence strength 79

Evidence

Static findings

7 static · 1 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	New Lifecycle Script Vs Previous	package.json	prepare added in 3.5.3 vs 3.5.1: "npm run build"	40

Show all 8 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	New Lifecycle Script Vs Previous	package.json	prepare added in 3.5.3 vs 3.5.1: "npm run build"	40
low	Install-time lifecycle script	package.json	prepare="npm run build"	4
low	Obfuscation	package/scripts/maintenance/convert-library-yaml-to-v31.js	matched "\\x1b"	3
low	Obfuscation	package/dist/registry/formatters/error-formatter.js	matched "\\x1b"	3
low	Obfuscation	package/scripts/test/run-all-tests.js	matched "\\x1b"	3
low	Obfuscation	package/dist/cli/specverse-cli.js	matched "\\x1b"	3
low	Obfuscation	package/scripts/test/validate-all-specly.js	matched "\\x1b"	3
low	Obfuscation	package/package.json	matched "\\ud83d"	3

Manifest

Package metadata

Scripts59

//========== PRIMARY COMMANDS (what users run) ==========
//build========== BUILD CHAIN (predictable flow) ==========
//compile========== COMPILE TASKS (atomic, clear purpose) ==========
//docs========== DOCUMENTATION (delegates to documentation dir) ==========
//test========== TEST SUITES (comprehensive coverage) ==========
//utils========== UTILITIES (support tasks) ==========
buildnpm run clean && npm run compile && npm run post-build
build:corenpm run clean && npm run compile:core && npm run compile:libs && npm run post-build
build:devnpm run clean && npm run compile:core && npm run compile:libs && npm run compile:scripts && npm run compile:diagram && npm run post-build
build:releasenpm run clean && npm run compile && npm run post-build:catalog
chmod:clinode -e "try{const fs=require('fs');fs.chmodSync('dist/cli/specverse-cli.js',0o755);console.log('✓ CLI exec bit set');}catch(e){console.log('ℹ️ chmod skipped:',e.message)}"
cleanrm -rf dist/ tools/*/dist/ tools/*/*.vsix && find src -name '*.js' -o -name '*.d.ts' -o -name '*.js.map' | grep -v node_modules | xargs rm -f 2>/dev/null || true
compilenpm run compile:core && npm run compile:libs && npm run compile:scripts && npm run compile:diagram && npm run compile:mcp && npm run compile:extension
compile:coretsc -p tsconfig.json && npm run chmod:cli
compile:diagramcd tools/diagram-generator && npm run build
compile:extensioncd tools/vscode-extension && npm install && npm run package
compile:extension:installcd tools/vscode-extension && npm install && npm run package
compile:extension:verbosecd tools/vscode-extension && VERBOSE=true npm run package
compile:libstsc -p tsconfig.libs.json
compile:mcpcd tools/specverse-mcp && npm run build:all
compile:orchestratorecho 'ai-orchestrator moved to @specverse/engine-ai'
compile:scriptstsc -p tsconfig.scripts.json
devnpm run build && npm run test && npm run docs:validate-snippets
docscd documentation && npm run build
docs:apicd documentation && npm run api
docs:diagramscd documentation && npm run diagrams
docs:testcd documentation && npm run test
docs:validate-snippetsnode scripts/test/validate-docs-snippets.js ../specverse-lang-doc/docs
formatprettier --write src/
library:catalognpx tsx scripts/generate/generate-library-catalog.ts
…and 29 more.

Dependencies17

@specverse/engine-entities^3.5.3
@specverse/engine-generators^3.5.3
@specverse/engine-inference^3.5.3
@specverse/engine-parser^3.5.3
@specverse/engine-realize^3.5.3
@specverse/types^3.5.3
ajv^8.12.0
ajv-formats^2.1.1
chalk^5.3.0
commander^11.1.0
glob^10.3.10
handlebars^4.7.8
js-yaml^4.1.0
semver^7.7.3
tsx^4.20.6
yaml^2.8.1
zod^3.22.4