PkgRadar

Package evidence

@webpresso/[email protected]

Known Indicator Filename: package/dist/esm/cli/commands/blueprint/execution.js

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
2
First published
May 2026
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@webpresso/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@webpresso/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes983,549
Previous version0.21.3
Published2026-05-28T22:13:07.457Z
SHA-256d928b68eeccfe110be2016408f3df8629efb31ca74c04d70d9c68515c0fcb44d

Why flagged

What the scanner saw

Known Indicator Filename: package/dist/esm/cli/commands/blueprint/execution.js

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
27Score
0.21.4Version
Status history (1 event)
  1. newavailable · risk review · score 27 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highKnown Indicator Filenamepackage/dist/esm/cli/commands/blueprint/execution.jspackage/dist/esm/cli/commands/blueprint/execution.js45
highKnown Indicator Filenamepackage/dist/esm/e2e/execution.jspackage/dist/esm/e2e/execution.js45

Manifest

Package metadata

Scripts37
  • audit:secret-provider-quarantinebun scripts/audit-secret-provider-quarantine.ts
  • audits:checkWP_SKIP_UPDATE_CHECK=1 wp audit guardrails && vp run hooks:doctor:ci
  • blueprints:checkWP_SKIP_UPDATE_CHECK=1 wp audit blueprint-lifecycle
  • buildtshy && vp run chmod-bins && vp run link-self-bins
  • catalog:checkWP_SKIP_UPDATE_CHECK=1 wp audit catalog-drift
  • changesetchangeset
  • changeset:statuschangeset status
  • chmod-binsbun scripts/chmod-bins.ts
  • dev:linkbun scripts/link-edge-local.ts
  • docs:checkWP_SKIP_UPDATE_CHECK=1 wp audit docs-frontmatter
  • evalbun src/runners/evals/index.ts
  • formatWP_SKIP_UPDATE_CHECK=1 wp format
  • format:checkWP_SKIP_UPDATE_CHECK=1 wp format --check
  • generate-skillsbun src/build/generate-skills-dir.ts
  • hooks:doctorWP_SKIP_UPDATE_CHECK=1 wp hooks doctor
  • hooks:doctor:ciWP_SKIP_UPDATE_CHECK=1 wp hooks doctor --skip-mcp
  • imports:checkWP_SKIP_UPDATE_CHECK=1 wp audit no-relative-parent-imports
  • license:checkWP_SKIP_UPDATE_CHECK=1 bun src/cli/cli.ts audit open-source-licenses && bash scripts/verify-no-context-mode.sh
  • link-self-binsbun scripts/link-self-bins.ts
  • lintvp lint
  • lint:fixvp lint --fix
  • lint:pkgpublint && attw --pack . && (command -v claude >/dev/null 2>&1 && claude plugin validate . || true)
  • postbuildvp run generate-skills
  • postpackbun src/build/package-manifest.ts restore
  • prepackbun src/build/package-manifest.ts prepare
  • preparehusky
  • public:readinessbun scripts/public-readiness.ts
  • qavp run build && vp run typecheck && vp run lint && vp run format:check && vp run test && vp run lint:pkg && vp run audits:check
  • release:publishpnpm run build && npm publish --provenance --access public
  • setup:agentwp setup
  • …and 7 more.
Dependencies20
  • @manypkg/find-root^3.1.0
  • @modelcontextprotocol/sdk^1.29.0
  • @vitejs/plugin-react^6.0.1
  • better-sqlite3^12.9.0
  • cac^7.0.0
  • env-paths^4.0.0
  • glob^13.0.6
  • gray-matter^4.0.3
  • js-yaml^4.1.0
  • ora^8.2.0
  • proper-lockfile^4.1.2
  • remark^15.0.1
  • remark-frontmatter^5.0.0
  • remark-validate-links^13.1.0
  • rulesync8.15.1
  • ts-pattern^5.9.0
  • vite-plus^0.1.19
  • yaml^2.8.1
  • zod^4.4.3
  • zod-to-json-schema^3.25.2