PkgRadar

Package evidence

@telicent-oss/[email protected]

Install-time lifecycle script: postinstall="[ \"$LOCAL_MACHINE\" = \"false\" ] && echo 'Skipping tefe hook-postinstall' || tefe hook-postinstall"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
144
Versions published
202Mature · −50% score
First published
Mar 2024
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@telicent-oss/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@telicent-oss/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes14,704,206
Previous version2.0.1
Published2026-05-19T12:58:44.940Z
SHA-2568e9d7f52074f630de3adf9a8830155f0c0254e46c39c7dbbe6bf8e9cba3696ca

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="[ \"$LOCAL_MACHINE\" = \"false\" ] && echo 'Skipping tefe hook-postinstall' || tefe hook-postinstall"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
1Score
2.1.0-LAB-10.0Version
Status history (1 event)
  1. newavailable · risk review · score 1 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowInstall-time lifecycle scriptpackage.jsonpostinstall="[ \"$LOCAL_MACHINE\" = \"false\" ] && echo 'Skipping tefe hook-postinstall' || tefe hook-postinstall"5
lowLarge Javascript Payloadpackage/dist/ds.umd.cjs7442120 bytes0
lowLarge Javascript Payloadpackage/dist/ds.js7093689 bytes0

Manifest

Package metadata

Scripts30
  • buildvite build
  • build-storybookstorybook build
  • build-storybook-docsstorybook build --docs
  • bump:preyarn bump:prerelease
  • bump:prereleaseyarn version --prerelease && git push && git push --tags
  • check./.husky/pre-commit
  • chromaticchromatic --exit-zero-on-changes
  • cleanrimraf dist storybook-static
  • cssnpx tailwindcss -i ./src/index.css -o ./src/main.css
  • ejectreact-scripts eject
  • git-checks ./.husky/pre-commit && ./.husky/pre-push
  • git-hooksyarn git-checks
  • link-to-local-packages./scripts/link-to-local-packages.sh
  • linteslint --resolve-plugins-relative-to src
  • local-installyarn install --registry http://localhost:4873
  • local-publish./scripts/local-publish.sh
  • lpyarn local-publish
  • postinstall[ "$LOCAL_MACHINE" = "false" ] && echo 'Skipping tefe hook-postinstall' || tefe hook-postinstall
  • postlocal-publish./scripts/update-deps.mjs --file ./updateDeps.gitignored.json
  • prebuildyarn clean
  • preparehusky install
  • prestartyarn run css
  • previewvite preview
  • startvite
  • storybookstorybook dev -p 6006
  • storybook-docsstorybook dev --docs --no-manager-cache
  • testreact-scripts test
  • test:ciyarn test --ci --json --outputFile="results.json" --watchAll=false
  • test:diffreact-scripts test --watchAll=false --coverage=false --onlyChanged --bail
  • test:diffMainreact-scripts test --watchAll=false --coverage=false --changedSince=origin/main --bail
Dependencies31
  • @emotion/react^11.10.6
  • @emotion/styled^11.10.6
  • @fortawesome/fontawesome-svg-core^6.5.1
  • @fortawesome/free-regular-svg-icons^6.5.1
  • @fortawesome/free-solid-svg-icons^6.5.1
  • @fortawesome/react-fontawesome^0.2.0
  • @mui/lab5.0.0-alpha.170
  • @mui/material^5.16.6
  • @mui/x-date-pickers^8.9.2
  • @react-spring/web9.7.3
  • @telicent-oss/fe-auth-lib1.0.3
  • @telicent-oss/mui-icons-material^1.0.0
  • @telicent-oss/react-lib^0.5.0
  • @telicent-oss/telicent-frontend-cli^1.5.0
  • @types/lodash.debounce^4.0.9
  • classnames^2.3.1
  • d3^7.8.2
  • dayjs^1.11.13
  • gsap^3.13.0
  • lodash^4.17.21
  • lodash.debounce^4.0.8
  • lodash.merge^4.6.2
  • maplibre-gl^3.5.0
  • ol^10.7.0
  • ol-mapbox-style^12.6.1
  • react-error-boundary^5.0.0
  • react-map-gl^7.1.6
  • react-rnd^10.4.13
  • react-router-dom^6.23.1
  • svg-path-parser^1.1.0
  • …and 1 more.