Package evidence

@tldiagram/[email protected]

Large Javascript Payload: 2134375 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 511
Versions published: 33
First published: Apr 2026
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@tldiagram/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@tldiagram/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes970,484

Previous version2.2.0-alpha.4

Published2026-05-27T20:36:27.652Z

SHA-256727ce81ed1804afd87b71e3da4fe767c943bde73e43747170215bbf81ed56020

Why flagged

What the scanner saw

Large Javascript Payload: 2134375 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

16d agoLast checked

reviewRisk

3Score

2.2.0Version

Status history (1 event)

new → available16d ago · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Large Javascript Payload	package/dist/index.js	2134375 bytes	10

Manifest

Package metadata

Scripts18

buildnpm run build:lib && npm run strip:icons
build:apptsc && vite build --config vite.config.ts
build:libvite build --config vite.lib.config.ts && tsc -p tsconfig.lib.json
build:vscodevite build --config vite.vscode.config.ts
devvite --config vite.config.ts
dev:libvite build --config vite.lib.config.ts --watch
linteslint .
lint:fixeslint . --fix
prebuild:appnpm run prepare:icons
predevnpm run prepare:icons
prepare:iconsgo run ../scripts/extract_icons.go ./public
pretest:e2eif [ -z "$TLD_E2E_BINARY" ]; then cd .. && go tool task frontend-build >/dev/null && go build -o /tmp/tld-e2e ./cmd/tld; fi
previewvite preview
strip:iconsrm -rf dist/icons dist/icons.json
testvitest run src
test:e2eTLD_E2E_BINARY=${TLD_E2E_BINARY:-/tmp/tld-e2e} TLD_E2E_PORT=${TLD_E2E_PORT:-18060} TLD_E2E_DATA_DIR=${TLD_E2E_DATA_DIR:-/tmp/tld-playwright-local-$$} playwright test -c playwright.config.ts
test:e2e:debugplaywright test -c playwright.config.ts --debug
test:e2e:headedplaywright test -c playwright.config.ts --headed

Dependencies4

@buf/tldiagramcom_diagram.bufbuild_es^2.12.0-20260524111623-37a0c88b57ed.1
@bufbuild/protobuf^2.11.0
@mdxeditor/editor^4.0.1
zustand^5.0.12

Optional dependencies2

@rollup/rollup-linux-arm64-gnu^4.59.0
@rollup/rollup-linux-arm64-musl^4.59.0