Package evidence
@trustify-da/[email protected]
Remote Dependency Spec: dependencies.tree-sitter-gomod="github:strum355/tree-sitter-go-mod#56326f2ad478892ace58ff247a97d492a3cbcdda"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 123Established · −30% score
- First published
- Nov 2025
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@trustify-da/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@trustify-da/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Dependency Spec: dependencies.tree-sitter-gomod="github:strum355/tree-sitter-go-mod#56326f2ad478892ace58ff247a97d492a3cbcdda"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 7 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Dependency Spec | package.json | dependencies.tree-sitter-gomod="github:strum355/tree-sitter-go-mod#56326f2ad478892ace58ff247a97d492a3cbcdda" | 12 |
| medium | Remote Dependency Spec | package.json | dependencies.tree-sitter-requirements="github:Strum355/tree-sitter-requirements#d0261ee76b84253997fe70d7d397e78c006c3801" | 12 |
Manifest
Package metadata
Scripts10
compiletsc -p tsconfig.jsoncompile:devtsc -p tsconfig.dev.jsonlinteslint src testlint:fixeslint src test --fixpostcompilecp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm dist/src/providers/tree-sitter-gomod.wasmprecompilerm -rf distpretestcp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm src/providers/tree-sitter-gomod.wasmtestc8 npm run teststestsmocha --config .mocharc.jsontests:repmocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json
Dependencies18
@babel/core^7.23.2@cyclonedx/cyclonedx-library^10.0.0eslint-import-resolver-typescript^4.4.4fast-glob^3.3.3fast-xml-parser^5.3.4help^3.0.2https-proxy-agent^9.0.0js-yaml^4.1.1jsonc-parser^3.3.1micromatch^4.0.8node-fetch^3.3.2p-limit^7.3.0packageurl-js~1.0.2smol-toml^1.6.0tree-sitter-gomodgithub:strum355/tree-sitter-go-mod#56326f2ad478892ace58ff247a97d492a3cbcddatree-sitter-requirementsgithub:Strum355/tree-sitter-requirements#d0261ee76b84253997fe70d7d397e78c006c3801web-tree-sitter^0.26.7yargs^18.0.0