PkgRadar

Package evidence

[email protected]

Install Lifecycle Suppresses Failure: postinstall="node scripts/postinstall.cjs || true"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 115 (Established · −30% score)
First published: Oct 2025
Publisher: ruvnet

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisher: ruvnet
Artifact bytes: 890,426
Previous version: 3.0.0-alpha.14
Published: 2026-05-29T22:54:59.531Z
SHA-256: d0d5ad09d1eef9d0704e1c00e52463fce71c3b500a3305f2e80d88b7914de9fa

Why flagged

What the scanner saw

Install Lifecycle Suppresses Failure: postinstall="node scripts/postinstall.cjs || true"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
Risk: high
Score: 17
Version: 3.0.0-alpha.15
Status history (2 events)
  1. available: available · risk high · score 17 · status available -> available, risk review -> high, score 7 -> 17
  2. new: available · risk review · score 7 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity · Kind · Path · Detail · Points
  • high · Install Lifecycle Suppresses Failure · package.json · postinstall="node scripts/postinstall.cjs || true" · 20
  • low · Install-time lifecycle script · package.json · postinstall="node scripts/postinstall.cjs || true" · 5

Manifest

Package metadata

Scripts (29)
  • benchmark="tsx benchmarks/simple-benchmark.ts"
  • benchmark:adr072="vitest run tests/benchmarks/adr-072-phase1-benchmark.test.ts --reporter=verbose"
  • benchmark:adr072:fast="vitest run tests/benchmarks/validate-adr072.test.ts"
  • benchmark:all="npm run benchmark:attention && npm run benchmark:backends && npm run benchmark:profile && npm run benchmark:ruvector"
  • benchmark:attention="tsx benchmarks/attention-performance.ts"
  • benchmark:backends="tsx benchmarks/compare-backends.ts"
  • benchmark:build="cd benchmarks && tsc"
  • benchmark:full="tsx benchmarks/benchmark-runner.ts"
  • benchmark:profile="tsx scripts/profile-hot-paths.ts"
  • benchmark:ruvector="tsx benchmarks/ruvector-benchmark.ts"
  • build="npm run build:ts && npm run copy:schemas && npm run build:browser"
  • build:browser="node scripts/build-browser.js && node scripts/build-browser-v2.js"
  • build:edge="node scripts/build-browser.config.js"
  • build:model="node scripts/build-model-rvf.mjs"
  • build:napi="bash scripts/optimize-napi.sh"
  • build:optimized="npm run build:napi && npm run build:wasm && npm run build"
  • build:ts="tsc"
  • build:wasm="bash scripts/optimize-wasm.sh"
  • cli="node dist/src/cli/agentdb-cli.js"
  • copy:schemas="mkdir -p dist/schemas && cp src/schemas/*.sql dist/schemas/"
  • dev="tsx src/cli/agentdb-cli.ts"
  • docker:test="docker build -f docs/SQLITE-FIX-DOCKER-TEST.Dockerfile -t agentdb-test . && docker run --rm agentdb-test"
  • postinstall="node scripts/postinstall.cjs || true"
  • prebuild="node scripts/inline-schemas.mjs"
  • test="vitest"
  • test:browser="vitest browser-bundle-unit.test.js --run"
  • test:ci="npm run test:unit && npm run test:browser && npm run build && npm run verify:bundle"
  • test:unit="vitest --run"
  • verify:bundle="node scripts/verify-bundle.js"
Dependencies (6)
  • @modelcontextprotocol/sdk ^1.20.1
  • @opentelemetry/api ^1.9.0
  • @ruvector/graph-transformer ^2.0.4
  • ajv ^8.18.0
  • jsonwebtoken ^9.0.2
  • sql.js ^1.13.0
Optional dependencies (23)
  • @opentelemetry/resources ^1.25.0
  • @opentelemetry/sdk-node ^0.218.0
  • @opentelemetry/semantic-conventions ^1.25.0
  • @ruvector/attention ^0.1.2
  • @ruvector/gnn ^0.1.23
  • @ruvector/graph-node ^2.0.2
  • @ruvector/router ^0.1.15
  • @ruvector/ruvllm ^2.5.1
  • @ruvector/rvf ^0.1.9
  • @ruvector/rvf-node ^0.1.7
  • @ruvector/rvf-solver ^0.1.7
  • @ruvector/rvf-wasm ^0.1.6
  • @ruvector/sona ^0.1.4
  • @xenova/transformers ^2.17.2
  • argon2 ^0.44.0
  • better-sqlite3 ^11.8.1
  • chalk ^5.3.0
  • commander ^12.1.0
  • hnswlib-node ^3.0.0
  • inquirer ^9.3.8
  • ruvector ^0.1.30
  • ruvector-attention-wasm ^0.1.32
  • ruvector-graph-transformer-wasm ^2.0.4