PkgRadar

Package evidence

@zkp2p/[email protected]

Remote Dependency Spec: dependencies.@reclaimprotocol/tls="github:reclaimprotocol/tls"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 21
Versions published: 18 (Established · −30% score)
First published: Aug 2024
Publisher: richardliang

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@zkp2p/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@zkp2p/[email protected]"],"fail_on":"review"}'

Publisher: richardliang
Artifact bytes: 390,823
Previous version: 4.0.4-reclaim
Published: 2025-07-25T13:51:15.645Z
SHA-256: 966a82bf9586c6e5f845a23fbe768c6554f492af12f6063eec0b163c605c0091

Why flagged

What the scanner saw

Remote Dependency Spec: dependencies.@reclaimprotocol/tls="github:reclaimprotocol/tls"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 14
Version: 4.0.5-reclaim
Status history (1 event)
  1. new · available · risk review · score 14 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
| --- | --- | --- | --- | --- |
| medium | Remote Dependency Spec | package.json | dependencies.@reclaimprotocol/tls="github:reclaimprotocol/tls" | 12 |
| medium | Remote Dependency Spec | package.json | devDependencies.@adiwajshing/eslint-config="github:adiwajshing/eslint-config" | 8 |

Manifest

Package metadata

Scripts: 28
  • build → tsc -p tsconfig.build.json && tsc-alias
  • build-contracts → cd avs/contracts && forge build
  • build:browser → sh ./src/scripts/build-browser.sh
  • check:avs-registration → npm run run:tsc -- src/scripts/check-avs-registration.ts
  • commitlint → commitlint --edit
  • create:claim → npm run run:tsc -- src/scripts/generate-receipt.ts
  • deploy:contracts → sh avs/utils/anvil/deploy-all-to-anvil-and-save-state.sh
  • deploy:contracts-to-chain → sh avs/utils/anvil/deploy-to-chain.sh
  • download:zk-files → node node_modules/@reclaimprotocol/zk-symmetric-crypto/lib/scripts/download-files
  • generate:avs → typechain -- --target ethers-v5 --out-dir src/avs/contracts avs/contracts/out/ReclaimServiceManager.sol/*.json
  • generate:contracts-data → sh ./src/scripts/contract-data-gen.sh
  • generate:proto → sh ./src/scripts/generate-proto.sh
  • generate:provider-types → npm run run:tsc -- src/scripts/generate-provider-types.ts
  • generate:toprf-keys → npm run run:tsc -- src/scripts/generate-toprf-keys.ts
  • lint → eslint ./ --ext .js,.ts,.jsx,.tsx
  • lint:fix → eslint ./ --fix --ext .js,.ts,.jsx,.tsx
  • prepare → sh ./src/scripts/prepare.sh
  • publish:pkg → npm publish --access public
  • register:avs-operator → npm run run:tsc -- src/scripts/register-avs-operator.ts
  • run:tsc → SWC_NODE_IGNORE_DYNAMIC=true node -r @swc-node/register
  • start → node lib/scripts/start-server
  • start:chain → bash ./avs/utils/anvil/start-anvil-chain-with-el-and-avs-deployed.sh
  • start:tsc → npm run run:tsc -- src/scripts/start-server
  • test → NODE_ENV=test TZ=utc jest --verbose --forceExit --detectOpenHandles
  • test:avs → NODE_ENV=test TZ=utc jest --verbose --forceExit --detectOpenHandles --test-match **/src/avs/tests/test.*.ts
  • update:avs-metadata → npm run run:tsc -- src/scripts/update-avs-metadata.ts
  • verify:root-ca → npm run run:tsc -- src/scripts/verify-root-ca.ts
  • whitelist:operator → npm run run:tsc -- src/scripts/whitelist-operator.ts
Dependencies: 22
  • @bufbuild/protobuf ^2.2.2
  • @commitlint/cli ^17.8.1
  • @commitlint/config-conventional ^17.8.1
  • @reclaimprotocol/tls github:reclaimprotocol/tls
  • @reclaimprotocol/zk-symmetric-crypto ^3.0.5
  • ajv ^8.17.1
  • canonicalize ^2.0.0
  • dotenv ^16.4.6
  • elastic-apm-node ^4.8.1
  • esprima-next ^5.8.4
  • ethers ^5.7.2
  • https-proxy-agent ^7.0.5
  • ip-cidr ^3.0.0
  • jsdom ^24.1.3
  • jsonpath-plus ^10.2.0
  • p-queue ^6.6.2
  • pino ^9.5.0
  • protobufjs ^7.4.0
  • re2 ^1.21.4
  • serve-static ^1.16.2
  • snarkjs ^0.7.5
  • ws ^8.18.0
Optional dependencies: 1
  • koffi ^2.9.2