Package evidence

@vue/[email protected]

Large Javascript Payload: 16996067 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 173Mature · −50% score
First published: Jan 2018
Publisher: webfansplz

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@vue/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@vue/[email protected]"],"fail_on":"review"}'

Publisherwebfansplz

Artifact bytes19,571,494

Previous version6.6.3

Published2024-09-09T12:41:00.257Z

SHA-256a40e5fb0eec46247a85908c5da06ba3dd2fc76dda6a7e39ef4ec8dfa1f0db035

Why flagged

What the scanner saw

Large Javascript Payload: 16996067 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low

6h agoLast checked

lowRisk

0Score

6.6.4Version

Status history (1 event)

new → available6h ago · risk low · score 0 · status changed

Evidence

Static findings

10 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 10 findings (low-signal and informational)

Severity	Kind	Path	Detail
low	Large Javascript Payload	package/build-node/344.js	16996067 bytes
low	Large Javascript Payload	package/build/344.js	17007997 bytes
low	Large Javascript Payload	package/build-node/440.js	2208369 bytes
low	Large Javascript Payload	package/build/440.js	2208408 bytes
low	Large Javascript Payload	package/build-node/6980.js	3912961 bytes
low	Large Javascript Payload	package/build/6980.js	3912999 bytes
low	Large Javascript Payload	package/build-node/backend.js	3165045 bytes
low	Large Javascript Payload	package/build/backend.js	2810333 bytes
low	Large Javascript Payload	package/build-node/devtools.js	15378281 bytes
low	Large Javascript Payload	package/build/devtools.js	15122116 bytes

Manifest

Package metadata

Scripts6

buildnpm run build:client && npm run build:node
build:clientrimraf ./build && cross-env NODE_ENV=production webpack
build:noderimraf ./build-node && cross-env NODE_ENV=production webpack --config webpack.node.config.js
dev:clientwebpack --watch
dev:nodewebpack --watch --config webpack.node.config.js
startnode bin.js

Dependencies7

cross-spawn^7.0.3
electron^21.0.1
express^4.17.1
ip^1.1.5
socket.io^4.4.0
socket.io-client^4.4.1
utf-8-validate^5.0.9