PkgRadar

Package evidence

@vtex/[email protected]

Remote Dependency Spec: devDependencies.nodemon-notifier-cli="https://github.com/Slessi/nodemon-notifier-cli.git"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
3
First published
Mar 2020
Publisher
tiagonapoli

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@vtex/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@vtex/[email protected]"],"fail_on":"review"}'
Publishertiagonapoli
Artifact bytes11,706
Previous version0.0.1
Published2021-01-04T14:14:28.766Z
SHA-25675a02a04af1b68099e77b875fd2f97525fe98719be1e8c684001ff01634464de

Why flagged

What the scanner saw

Remote Dependency Spec: devDependencies.nodemon-notifier-cli="https://github.com/Slessi/nodemon-notifier-cli.git"

1 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
13Score
0.1.0Version
Status history (1 event)
  1. newavailable · risk review · score 13 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Dependency Specpackage.jsondevDependencies.nodemon-notifier-cli="https://github.com/Slessi/nodemon-notifier-cli.git"8
Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Dependency Specpackage.jsondevDependencies.nodemon-notifier-cli="https://github.com/Slessi/nodemon-notifier-cli.git"8
lowCredential file accesspackage/build/lib/deprecate.jsmatched "AWS_ACCESS_KEY"5

Remote payloads

Followed remote artifacts

SourceURLRiskScoreSummary
devDependencies.nodemon-notifier-clihttps://github.com/Slessi/nodemon-notifier-cli.giterror0invalid gzip header

Manifest

Package metadata

Scripts12
  • buildyarn build-clean && tsc && yarn oclif-dev manifest
  • build-cleanrm -rf build && rm -rf oclif.manifest.json
  • build-incrementaltsc --incremental && yarn oclif-dev manifest
  • ci:prettier-checkprettier --check --config ./.prettierrc "**/*.{ts,js,json}"
  • ci:testyarn test --ci
  • docsyarn oclif-dev readme
  • formatprettier --config ./.prettierrc --write "**/*.{ts,js,json}"
  • format-lintyarn format && yarn lint
  • linteslint ./src --cache --ext .ts --config .eslintrc
  • prepublishOnlybash ./scripts/publishLock.sh
  • testjest --passWithNoTests
  • watchbash ./scripts/symlink.sh && yarn build-clean && yarn nodemon
Dependencies12
  • @oclif/command^1.0.0
  • @oclif/config^1.0.0
  • @vtex/api^3.72.1
  • @vtex/toolbelt-message-renderer^0.0.1
  • aws-sdk^2.814.0
  • axios^0.21.0
  • chalk^3.0.0
  • fs-extra^9.0.1
  • js-sha256^0.9.0
  • jsonwebtoken^8.5.1
  • ora^5.1.0
  • tslib^1.11.1