PkgRadar

Package evidence

@vellumai/[email protected]

Install Lifecycle Suppresses Failure: postinstall="cd .. && (git config core.hooksPath || git config core.hooksPath .githooks 2>/dev/null || true) && ([ -f meta/feature-flags/sync-bundled-copies.ts ] && bun run meta/feature-flags/sync-bundled-copies.ts 2>/dev/null || true)"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
734
Versions published
217
First published
Feb 2026
Publisher
devops-vellum

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@vellumai/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@vellumai/[email protected]"],"fail_on":"high"}'

Publisher: devops-vellum
Artifact bytes: 1,553,918
Previous version: 0.8.10-dev.202606111334.d8a7740
Published: 2026-06-11T15:26:27.960Z
SHA-256: eadf6b95391f00aefcead3b5fb9ff34a0c948fd203b5313426953aff21f83b32

Why flagged

What the scanner saw

Install Lifecycle Suppresses Failure: postinstall="cd .. && (git config core.hooksPath || git config core.hooksPath .githooks 2>/dev/null || true) && ([ -f meta/feature-flags/sync-bundled-copies.ts ] && bun run meta/feature-flags/sync-bundled-copies.ts 2>/dev/null || true)"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

Status: available
Risk: high
Score: 45
Version: 0.8.10-dev.202606111519.39ad418
Last checked

Status history (1 event)
  1. new → available · risk high · score 45 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

Severity | Kind | Path | Detail | Points
high | Install Lifecycle Suppresses Failure | package.json | postinstall="cd .. && (git config core.hooksPath || git config core.hooksPath .githooks 2>/dev/null || true) && ([ -f meta/feature-flags/sync-bundled-copies.ts ] && bun run meta/feature-flags/sync-bundled-copies.ts 2>/dev/null || true)" | 20
low | Credential file access | package/src/risk/bash-risk-classifier.test.ts | matched ".ssh/" | 5
low | Credential file access | package/src/risk/shell-parser-property.test.ts | matched ".ssh/" | 5
low | Credential file access | package/src/risk/shell-parser.test.ts | matched ".ssh/" | 5
low | Credential file access | package/src/risk/shell-parser.ts | matched ".ssh/" | 5
low | Install-time lifecycle script | package.json | postinstall="cd .. && (git config core.hooksPath || git config core.hooksPath .githooks 2>/dev/null || true) && ([ -f meta/feature-flags/sync-bundled-copies.ts ] && bun run meta/feature-flags/sync-bundled-copies.ts 2>/dev/null || true)" | 5

Manifest

Package metadata

Scripts (15)
  • build: bun build src/index.ts --outdir dist --target bun
  • db:generate: drizzle-kit generate --dialect sqlite --schema src/db/schema.ts --out src/db/migrations
  • dev: bun run --watch src/index.ts
  • dev:proxy: bun run src/cli/enable-proxy.ts && bun run --watch src/index.ts
  • format: prettier --write .
  • format:check: prettier --check .
  • lint: eslint
  • lint:unused: knip --include files,dependencies,unlisted
  • postinstall: cd .. && (git config core.hooksPath || git config core.hooksPath .githooks 2>/dev/null || true) && ([ -f meta/feature-flags/sync-bundled-copies.ts ] && bun run meta/feature-flags/sync-bundled-copies.ts 2>/dev/null || true)
  • prebuild: cd .. && bun run meta/feature-flags/sync-bundled-copies.ts
  • prepack: node ../scripts/prepack-bundled-deps.mjs
  • schema: bun run src/cli/schema.ts
  • start: bun run src/index.ts
  • test: bash scripts/test.sh
  • typecheck: bunx tsc --noEmit

Dependencies (14)
  • @vellumai/assistant-client: file:../packages/assistant-client
  • @vellumai/ces-client: file:../packages/ces-client
  • @vellumai/ipc-server-utils: file:../packages/ipc-server-utils
  • @vellumai/service-contracts: file:../packages/service-contracts
  • @vellumai/slack-text: file:../packages/slack-text
  • @vellumai/twilio-client: file:../packages/twilio-client
  • drizzle-kit: 0.30.6
  • drizzle-orm: 0.45.2
  • file-type: 21.3.0
  • pino: 9.14.0
  • pino-pretty: 13.1.3
  • tree-sitter-bash: 0.25.1
  • web-tree-sitter: 0.26.5
  • zod: 4.3.6