Package evidence

@ytsaurus/[email protected]

Large Javascript Payload: 3839339 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 414
Versions published: 229Mature · −50% score
First published: Mar 2023
Publisher: robot-ytsaurus-npm

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@ytsaurus/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@ytsaurus/[email protected]"],"fail_on":"review"}'

Publisherrobot-ytsaurus-npm

Artifact bytes18,971,251

Previous version3.12.1

Published2026-05-20T16:35:30.324Z

SHA-2561668283e6407e08babd3dcb9dca723c474513f450ba38dfd6a2e41cbb56535a8

Why flagged

What the scanner saw

Large Javascript Payload: 3839339 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

20d agoLast checked

reviewRisk

5Score

3.12.2Version

Status history (1 event)

new → available20d ago · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Large Javascript Payload	package/dist/public/build/js/9647.6b347863.chunk.js	3839339 bytes	10

Manifest

Package metadata

Scripts60

buildnpm run copy:icons && NODE_OPTIONS="--max-old-space-size=4096" NODE_ENV=production app-builder build --config ./build.app.config.ts
build:analyzeANALYZE_BUNDLE=statoscope npm run build
build:diffstatoscope validate -i dist/public/build/input.json -r dist/public/build/reference.json
build:storybookstorybook build
cleanrm -rf dist/*
copy:iconsmkdir -p dist/public && cp src/ui/assets/img/favicon*.png dist/public
cut:versionnode -e "const json=require('${npm_config_file}'); delete json.version; console.log(JSON.stringify(json, null, 2))"
debugnpm run copy:icons && NODE_OPTIONS="--max-http-header-size=204800 ${NODE_OPTIONS}" app-builder dev --inspect --config ./build.app.config.ts
deps:buildnpm run build
deps:installnpm ci
deps:truncatenpm prune --omit=dev
devnpm run dev:app
dev:app./scripts/check-start-files.sh && npm run copy:icons && USE_RSPACK=1 APP_ENV=${APP_ENV:-development} APP_DEV_MODE=1 NODE_OPTIONS="--max-http-header-size=204800 ${NODE_OPTIONS}" app-builder dev --config ./build.app.config.ts
dev:localmodebash -c '. scripts/dev.localmode-env.sh && TVM_DISABLED=true npm run dev:app'
dev:localmode:clusterAPP_INSTALLATION=${APP_INSTALLATION:-e2e} . scripts/dev.localmode-env.sh
dev:localmode:e2eAPP_INSTALLATION=${APP_INSTALLATION:-e2e} npm run dev:localmode
dev:ossAPP_INSTALLATION=oss npm run dev
docker:builddocker build . -t ${npm_package_config_docker_image}:${npm_config_dockertag}
docker:pushdocker push ${npm_package_config_docker_image}:${npm_config_dockertag}
e2e:cicd tests; npm ci
e2e:localmode:initYT_PROXY=${YT_PROXY:-$(hostname):8000} tests/init-cluster-e2e.sh
e2e:localmode:monitoring:initYT_PROXY=${YT_PROXY:-$(hostname):8000} tests/init-monitoring-e2e.sh
e2e:localmode:passwdE2E_MATCH=.passwd-e2e. E2E_TEST_DIR=./passwd CLUSTER=ui E2E_DIR=//tmp npm run e2e:start
e2e:localmode:passwd:authcd tests; LOGIN=${LOGIN:-user} PASSWORD=${PASSWORD:-user} CLUSTER=ui BASE_URL=${BASE_URL:-http://$(hostname):8001} npm run auth
e2e:localmode:remoteCLUSTER=`hostname`:8000 CLUSTER_TITLE='Local as remote' npm run e2e:start
e2e:localmode:screenshotsCLUSTER=ui CLUSTER_TITLE=Local npm run e2e:screenshots
e2e:localmode:screenshots:updatePW_OPTIONS=--update-snapshots npm run e2e:localmode:screenshots
e2e:localmode:uiCLUSTER=ui CLUSTER_TITLE=Local npm run e2e:start
e2e:noticeecho "\n\n!!!!!! Do not forget to run 'npm run e2e:localmode:init' !!!!!!\n\n"
e2e:screenshotsnpm run e2e:notice; cd tests; echo $(cat ../e2e-env.tmp) BASE_URL=${BASE_URL:-http://$(hostname):8001} npm run screenshots | bash
…and 30 more.

Dependencies21

@diplodoc/transform^4.72.0
@gravity-ui/app-layout^1.8.0
@gravity-ui/expresskit^2.11.1
@gravity-ui/i18n^1.8.0
@gravity-ui/nodekit^2.10.0
@ytsaurus/interface-helpers^1.1.1
@ytsaurus/javascript-wrapper^0.17.0
axios^1.8.4
cacheable-lookup^6.1.0
cookie-parser1.4.6
dayjs^1.11.10
highlight.js^11.10.0
js-cookie^2.2.0
lodash^4.17.23
object-hash^3.0.0
opentracing^0.14.7
qs^6.11.2
source-map-support0.5.21
type-is1.6.18
utility-types^3.11.0
zod^3.21.4