Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 3,011Niche · −30% score
- Versions published
- 353Mature · −50% score
- First published
- Oct 2019
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@teipublisher/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@teipublisher/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Large Javascript Payload: 8037916 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 3 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/pb-mei.js | 8037916 bytes | 10 |
Show all 2 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/pb-mei.js | 8037916 bytes | 10 |
| low | Credential file access | package/.github/workflows/node.js.yml | matched "GITHUB_TOKEN" | 3 |
Manifest
Package metadata
Scripts22
buildnpm run clean && rollup -c rollup.config.mjsbuild:productionnpm run clean && rollup -c rollup.config.mjs --environment BUILD:productioncleannpm run clean-lib && rimraf dist css images/leaflet demo/build docsclean-librimraf -g lib/leaflet* lib/paged* lib/web-midi-player.js lib/airtable.browser.jscy:openconcurrently --kill-others --success first 'vite --no-open' 'cypress open'cy:run:ctcypress run --componentcy:run:e2econcurrently --kill-others --success first 'vite --no-open' 'cypress run'devvite --no-opendockernpm run build:production && docker build --no-cache --pull --rm -f 'Dockerfile' -t pbcomponents:master '.'docker:rundocker run --rm -it -p 8080:8080/tcp -p 8443:8443/tcp pbcomponents:masterdocswca src -f json --outFile pb-elements.jsonformatnpm run format:eslint; npm run format:prettierformat:eslinteslint --ext .js,.html . --fixformat:prettierprettier "**/*.js" --write --ignore-path .gitignoregh-pagesnode gh-pages.jslintnpm run lint:eslint && npm run lint:prettierlint:eslinteslint --ext .js,.html .lint:prettierprettier "**/*.js" --check --ignore-path .gitignorepreparenpm run docs && npm run build:productionpreviewvite previewsemantic-releasesemantic-releasestartnpm run docs && vite
Dependencies31
@jinntec/jinn-codemirror^1.18.2@lrnwebcomponents/es-global-bridge^8.0.2@vaadin/tabs^25.0.3@vaadin/upload^25.0.3airtable^0.12.2animejs^4.2.2browser-fs-access^0.38.0construct-style-sheets-polyfill^3.1.0dompurify^3.4.1gridjs^6.2.0hotkeys-js^4.0.0i18next^25.7.4i18next-browser-languagedetector^8.2.0i18next-chained-backend^5.0.1i18next-http-backend^3.0.2js-cookie^3.0.5leaflet^1.9.4leaflet-control-geocoder^3.3.1leaflet.markercluster^1.5.3lit^3.3.2marked^17.0.1openseadragon^5.0.1pagedjs^0.4.3path-to-regexp^8.3.0prismjs^1.29.0tify^0.34.5tippy.js^6.3.7tom-select^2.2.2uniqolor^1.1.0verovio^5.7.0- …and 1 more.