Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published: 3
- First published: Jun 2026
- Publisher: GitHub Actions (Trusted automation · −70% score)
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@webpresso/[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@webpresso/[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Credential file access: matched ".npmrc"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 3 · status changed
Evidence
Static findings
56 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
All 56 findings (low-signal and informational):
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/public/runtime/cli/customer-contract.js | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/public/runtime/cli/index.js | matched ".npmrc" | 5 |
| low | Obfuscation Density | package/dist/public/schema/loaders/action-loader.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/emitters/registry/block-registry-generator.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/cli/codegen.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/codegen.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/runtime/cli/decision-trace-sync-contract.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/loaders/declarative-asset-loaders.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/loaders/entity-loader.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/frontend/entity-route-paths.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/loaders/event-trigger-loader.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/loaders/field-types-loader.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/frontend/frontend-codegen.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/orchestrators/frontend-pipeline.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/frontend-route-paths.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/loaders/i18n-config-loader.js | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/dist/cli/bundle/index.js | 2408533 bytes | 0 |
| low | Obfuscation Density | package/dist/public/codegen/index.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/runtime/cli/index.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/runtime/id/index.js | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/dist/public/schema/engine/cli/index.js | 2245765 bytes | 0 |
| low | Large Javascript Payload | package/dist/public/schema/engine/commands/index.js | 2215313 bytes | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/emitters/layout/index.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/emitters/registry/index.js | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/dist/public/schema/engine/migration/index.js | 10809785 bytes | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/presentation/index.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/validators/index.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/frontend/index.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/loaders/index.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/frontend/json-render-list-generator.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/codegen/internal/load-entities.js | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/dist/public/schema/engine/migration/migration-generator.js | 10800614 bytes | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/emitters/layout/nav-registry-generator.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/frontend/nav-registry-generator.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/loaders/navigation-loader.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/loaders/notification-types-loader.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/codegen/orchestrator.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/loaders/page-manifest-loader.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/cli/preview.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/templates/skeleton/qa-config.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/loaders/role-ui-loader.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/loaders/roles-loader.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/emitters/layout/route-config-generator.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/frontend/route-config-generator.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/emitters/layout/route-registry-generator.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/commands/schema-check.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema-frontend.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/frontend/commands/schema-generate-frontend.js | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/dist/public/schema/engine/commands/schema-generate-migration.js | 11649864 bytes | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/commands/schema-introspect.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema-loaders.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/commands/schema-validate-type-definitions.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/cli/sync.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/loaders/type-loader.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/orchestrators/validate-all.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/public/schema/engine/orchestrators/validate-type-definitions.js | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts (16)
| Script | Command |
|---|---|
| act | bun scripts/act-with-secrets.ts |
| act:ci | bun scripts/act-with-secrets.ts push -W .github/workflows/ci.yml |
| act:list | bun scripts/act-with-secrets.ts -l |
| act:release | bun scripts/act-with-secrets.ts workflow_dispatch -W .github/workflows/release.yml --input dry-run=true |
| build | pnpm build:js && pnpm build:types && pnpm build:fix-extensions && pnpm build:templates |
| build:fix-extensions | node scripts/add-js-extensions.js dist |
| build:js | rm -rf dist && tsup |
| build:templates | bun scripts/copy-templates.ts |
| build:types | bun scripts/build-public-slice-types.ts && tsc -p tsconfig.build.json --emitDeclarationOnly --outDir dist |
| changeset | changeset |
| changeset:status | changeset status --verbose |
| lint | oxlint |
| release:publish | node scripts/release-publish.js |
| test | pnpm -r --workspace-concurrency=1 --filter='!@webpresso/cli-contract' run test && pnpm build && vitest run --config vitest.root.config.ts |
| test:watch | vitest --config vitest.root.config.ts |
| typecheck | pnpm -r --workspace-concurrency=1 run typecheck |
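Dependencies (14)
| Package | Version range |
|---|---|
| @better-auth/sso | ^1.6.9 |
| @clack/prompts | ^1.3.0 |
| @playwright/test | ^1.47.0 |
| @webpresso/cli-contract | ^0.2.0 |
| better-auth | ^1.6.9 |
| glob | ^13.0.6 |
| i18next | ^25.6.3 |
| oxlint | ^0.15.0 |
| react-i18next | ^16.3.5 |
| typescript | ^6.0.3 |
| use-sync-external-store | ^1.6.0 |
| vite | ^8.0.10 |
| vitest | ^4.1.5 |
| yaml | ^2.8.1 |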