Package evidence
@vertigis/[email protected]
Remote Dependency Spec: dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,038Niche · −30% score
- Versions published
- 417Mature · −50% score
- First published
- Apr 2020
- Publisher
- vertigis-sa
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@vertigis/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@vertigis/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Dependency Spec: dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz"
1 remote tarball(s) were followed statically.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 3 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Remote Dependency Spec | package.json | dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz" | 12 |
Remote payloads
Followed remote artifacts
| Source | URL | Risk | Score | Summary |
|---|---|---|---|---|
| dependencies.xlsx | https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz | low | 0 | no remote findings |
Manifest
Package metadata
Scripts16
app-schemanode build/js/appSchema.jsauditnpx --yes audit-ci@^6 --config ./audit-ci.jsoncbuildnpm run -s cleanup-build && npm run -s copy-static-files && tsc -p src/tsconfig.bundle.json && tsc-strict -p src/tsconfig.bundle.json && npm run -s minify && npm run -s docs && npm run -s app-schemabuild-debugnpm run -s cleanup-build && npm run -s copy-static-files && tsc -p src/tsconfig.bundle.json && tsc-strict -p src/tsconfig.bundle.jsoncleanup-builddel-cli *.js *.js.map *.d.ts "!jest.config.js" "!eslint.config.js" data forked-libs layer-preset locale mapping menus portal printing reports support tasks tests utilities workflowcopy-static-filescpx "src/**/*.{js,d.ts}" "./"docstypedocinitializedel-cli build/js && tsc -p build && node build/js/postInstall.jslinteslint --max-warnings=0 ./srcminifynode build/js/minify.jspreparein-install && npm run -s initialize || not-in-installprettierprettier --write "**/*.ts" "**/*.json" "**/*.js"startnpm run -s cleanup-build && npm run -s copy-static-files && tsc -w -p src/tsconfig.bundle.jsontesttsc -p ./src/tsconfig.test.json && cross-env TZ="America/Los_Angeles" NODE_OPTIONS="--max-old-space-size=4096 --experimental-vm-modules" jest --maxWorkers=50% --workerIdleMemoryLimit=800MBtest-watchnpm run test -- --watchwatch-build-foldertsc -p build -w
Dependencies10
alasql~4.5.2dxf-parser^1.1.2elasticlunr~0.9.5esri-proj-codes~1.0.3jszip~3.10.1luxon~3.5.0safe-stable-stringify^2.5.0shpjs~4.0.2ts-essentials10.0.3xlsxhttps://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz