Package evidence

@the-bearded-bear/[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 287
First published: Jan 2026
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@the-bearded-bear/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@the-bearded-bear/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes4,640,783

Previous version8.13.0-next.31f2270

Published2026-06-12T16:03:31.656Z

SHA-256cbc6bd324dfa3393c89d01d34695855523097d4b1a0770b611d319e393e8a282

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

26h agoLast checked

reviewRisk

15Score

8.13.0Version

Status history (1 event)

new → available26h ago · risk review · score 15 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/Tools/i18n/rtk/de.sh	matched "curl "	12
medium	Remote Payload	package/Tools/i18n/rtk/en.sh	matched "curl "	12
medium	Remote Payload	package/Tools/i18n/rtk/es.sh	matched "curl "	12
medium	Remote Payload	package/Tools/i18n/rtk/fr.sh	matched "curl "	12
medium	Remote Payload	package/Tools/i18n/rtk/pt.sh	matched "curl "	12

Manifest

Package metadata

Scripts25

commitlintcommitlint --edit
community:awesomenode scripts/awesome-claude-code-submit.mjs
docs:checknode scripts/generate-references.mjs --check
docs:generatenode scripts/generate-references.mjs
formatprettier --write cli/
format:checkprettier --check cli/
kanban:buildvite build --config cli/kanban/client/vite.config.js
kanban:devvite --config cli/kanban/client/vite.config.js
linteslint cli/ scripts/
lint:fixeslint cli/ scripts/ --fix
lint:i18nbash scripts/verify-i18n-parity.sh
lint:includesnode scripts/verify-claude-includes.mjs
lint:shellfind Dev/ Infra/ Project/ Tools/ scripts/ .bmad/ -name '*.sh' -type f | xargs shellcheck --severity=warning
lint:versionsnode scripts/verify-versions.mjs
metrics:adoptionnode scripts/track-adoption-metrics.mjs
mutationstryker run
mutation:cistryker run --reporters progress,json
prepublishOnlynode -e "import{readFileSync}from'node:fs';const p=JSON.parse(readFileSync('./package.json','utf8'));if(!/^\d+\.\d+\.\d+(-[a-z0-9.]+)?$/i.test(p.version)){console.error('Invalid version format');process.exit(1)}"
testvitest run
test:contentvitest run tests/content/
test:coveragevitest run --coverage
test:e2e:toolscd tests/e2e/tools && docker compose -f docker-compose.test.yml up --abort-on-container-exit --exit-code-from e2e-runner
test:watchvitest
vale:checkvale docs/ .claude/CLAUDE.md README.md CHANGELOG.md
vale:syncvale sync

Dependencies7

@hono/node-server^2.0.4
chokidar^5.0.0
gray-matter^4.0.3
hono^4.12.14
js-yaml^4.1.1
marked^18.0.4
zod^4.4.3