PkgRadar

Package evidence

@wisemen/[email protected]

Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 22 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
1,154Niche · −30% score
Versions published
60Mature · −50% score
First published
Mar 2024
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@wisemen/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@wisemen/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes4,143
Previous version2.1.3
Published2026-06-05T13:23:48.752Z
SHA-256e3496ff9c91fa1b74e1ef47525ecab50688b1b96148b84b1eadcd054cbdb14d7

Why flagged

What the scanner saw

Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 22 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
4Score
2.1.4Version
Status history (1 event)
  1. newavailable · risk review · score 4 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumManifest Codeless Dependency Stubpackage.jsonpackage ships no JS/TS source but declares 22 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape15

Manifest

Package metadata

Scripts11
  • build tsdown
  • cleanuprimraf dist/ node_modules/ .turbo/
  • devtsdown --watch
  • eslinteslint . --fix
  • eslint-statseslint . --stats -f json
  • linteslint .
  • packpnpm pack
  • pub:betapnpm publish --no-git-checks --access public --tag beta
  • pub:nextpnpm publish --no-git-checks --access public --tag next
  • pub:releasepnpm publish --access public
  • testvitest --run
Dependencies22
  • @antfu/eslint-config7.7.0
  • @eslint/eslintrc3.3.3
  • @intlify/eslint-plugin-vue-i18n4.1.1
  • @typescript-eslint/parser8.53.1
  • @vitest/eslint-plugin1.6.9
  • @wisemen/eslint-plugin-vue0.1.1
  • eslint9.39.4
  • eslint-flat-config-utils3.0.0
  • eslint-plugin-better-tailwindcss4.3.2
  • eslint-plugin-check-file3.3.1
  • eslint-plugin-format1.3.1
  • eslint-plugin-import-newlines1.4.0
  • eslint-plugin-newline-destructuring1.2.2
  • eslint-plugin-path2.0.3
  • eslint-plugin-perfectionist5.4.0
  • eslint-plugin-project-structure3.14.2
  • eslint-plugin-require-explicit-generics1.0.0
  • eslint-plugin-simple-import-sort12.1.1
  • eslint-plugin-unused-imports4.4.1
  • eslint-plugin-vuejs-accessibility2.4.1
  • eslint-typegen2.3.0
  • globals17.3.0