Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 7,296Niche · −30% score
- Versions published
- 328Mature · −50% score
- First published
- Apr 2025
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@vendure/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@vendure/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Large Javascript Payload: 5096806 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (2 events)
- new → available · risk review · score 3 · status changed
- new → available · risk review · score 3 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/bundle/chunks/use-job-queue-polling-B3samPQx.js | 5096806 bytes | 10 |
Manifest
Package metadata
Scripts20
buildnpm run check-types && npm run build:vite && npm run build:plugin && npm run build:libbuild:libvite build --config vite.lib.config.mtsbuild:plugintsc --project tsconfig.plugin.json && node scripts/build-plugin.jsbuild:standalonevite buildbuild:vitetsc --project tsconfig.vite.jsoncheck-typestsc --project tsconfig.check.json --noEmitdevvitee2e:pwplaywright test --config e2e/playwright.config.tse2e:uiplaywright test --config e2e/playwright.config.ts --uigenerate-indexnode scripts/generate-index.jsi18n:applynode ./scripts/translate/i18n-tool.js applyi18n:checknode ./scripts/translate/check-translations.jsi18n:extractlingui extract && node ./scripts/translate/i18n-tool.js extractlinteslint .previewvite previewstorybookstorybook dev -p 6006storybook:buildstorybook buildstorybook:deploynpm run build --prefix ../common && npm run build --prefix ../core && npm run build:vite && storybook buildtestvitest runwatchtsc --project tsconfig.vite.json --watch
Dependencies67
@babel/core^7.29.0@babel/preset-react^7.28.5@babel/preset-typescript^7.28.5@dnd-kit/core^6.3.1@dnd-kit/modifiers^9.0.0@dnd-kit/sortable^10.0.0@fontsource-variable/geist-mono^5.2.7@fontsource-variable/inter^5.2.8@fontsource-variable/public-sans^5.2.7@hookform/resolvers^5.0.0@lingui/babel-plugin-lingui-macro^5.9.3@lingui/cli^5.9.3@lingui/core^5.9.3@lingui/react^5.9.3@lingui/vite-plugin^5.9.3@tailwindcss/vite^4.2.2@tanstack/eslint-plugin-query^5.91.0@tanstack/react-query^5.91.0@tanstack/react-query-devtools^5.91.0@tanstack/react-router^1.166.0@tanstack/react-table^8.21.2@tanstack/router-devtools^1.166.0@tanstack/router-plugin^1.166.0@tiptap/extension-floating-menu^3.20.0@tiptap/extension-image^3.20.0@tiptap/extension-placeholder^3.20.4@tiptap/extension-table^3.20.0@tiptap/extension-text-style^3.20.0@tiptap/pm^3.20.0@tiptap/react^3.20.0- …and 37 more.
Optional dependencies2
lightningcss-linux-arm64-musl^1.29.3lightningcss-linux-x64-musl^1.29.1