Package evidence

@zextras/[email protected]

Remote Dependency Spec: devDependencies.@zextras/carbonio-search-ui="github:zextras/carbonio-search-ui#v0.0.9"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 43Mature · −50% score
First published: Jun 2025
Publisher: zx_bot

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@zextras/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@zextras/[email protected]"],"fail_on":"review"}'

Publisherzx_bot

Artifact bytes118,332

Previous version2.3.3

Published2026-05-26T04:39:43.926Z

SHA-25670a33da4aa8198bba3e1e4aad5802445a25fc80593827240d855b2440302253b

Why flagged

What the scanner saw

Remote Dependency Spec: devDependencies.@zextras/carbonio-search-ui="github:zextras/carbonio-search-ui#v0.0.9"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

18d agoLast checked

reviewRisk

5Score

2.3.4Version

Status history (1 event)

new → available18d ago · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Dependency Spec	package.json	devDependencies.@zextras/carbonio-search-ui="github:zextras/carbonio-search-ui#v0.0.9"	8

Manifest

Package metadata

Scripts21

buildpnpm run build:lib
build:devpnpm run build:lib
build:libtsc -p tsconfig.lib.json
bump-versionsemantic-release
coveragevitest run --coverage
deploy-on-modulepnpm pack && rm -rf $PKG_PATH/node_modules/@zextras/carbonio-ui-commons/* && tar -xf zextras-carbonio-ui-commons-$npm_package_version.tgz -C $PKG_PATH/node_modules/@zextras/carbonio-ui-commons/ --strip-components 1
linteslint --ext .js,.jsx,.ts,.tsx --resolve-plugins-relative-to node_modules/@zextras/carbonio-ui-configs src
lint-checkpnpm run lint-errors; pnpm run type-check
lint-errorseslint --ext .js,.jsx,.ts,.tsx --quiet --resolve-plugins-relative-to node_modules/@zextras/carbonio-ui-configs src
lint-fixeslint --fix --ext .js,.jsx,.ts,.tsx --quiet --resolve-plugins-relative-to node_modules/@zextras/carbonio-ui-configs
lint-statseslint --ext .js,.jsx,.ts,.tsx --format node_modules/eslint-stats/byErrorAndWarningStacked --resolve-plugins-relative-to node_modules/@zextras/carbonio-ui-configs src
packTopnpm pack --pack-destination $PKG_PATH && cd $PKG_PATH && pnpm add ./zextras-carbonio-ui-commons-$npm_package_version.tgz
prebuild:librm -rf lib
prepackpnpm run build:lib
prestartpnpm run prebuild:pkg
prettify:checkprettier --check .
startsdk watch
testvitest run
test:watchvitest
type-checktsc --noEmit
type-check:watchpnpm run type-check -- --watch

Dependencies6

core-js3.47.0
i18next22.5.1
immer9.0.21
redux4.2.1
uuid11.1.1
zustand4.5.7