Package evidence
[email protected]
Install Lifecycle Suppresses Failure: preinstall="node scripts/preinstall.cjs || true"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 1,058 (Niche · −30% score)
- Versions published: 213 (Established · −30% score)
- First published: Oct 2025
- Publisher: GitHub Actions (Trusted automation · −70% score)
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Install Lifecycle Suppresses Failure: preinstall="node scripts/preinstall.cjs || true"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 19 · status changed
Evidence
Static findings
11 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Install Lifecycle Suppresses Failure | package.json | `preinstall="node scripts/preinstall.cjs \|\| true"` | 20 |

All 11 findings (low-signal and informational):

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Install Lifecycle Suppresses Failure | package.json | `preinstall="node scripts/preinstall.cjs \|\| true"` | 20 |
| low | Credential file access | package/dist/shared/llm/providers/bedrock.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/cli/chunks/chunk-CW7JQVXV.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/cli/chunks/chunk-RJBCIN2G.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/shared/llm/router/config-store.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/cli/chunks/llm-router-2MX5LUAB.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/cli/commands/llm-router.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/domains/security-compliance/services/scanners/security-patterns.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Install-time lifecycle script | package.json | `preinstall="node scripts/preinstall.cjs \|\| true"` | 5 |
| low | Install-time lifecycle script | package.json | postinstall="node scripts/postinstall.cjs" | 5 |
| low | Large Javascript Payload | package/dist/mcp/bundle.js | 3705923 bytes | 0 |
Manifest
Package metadata
Scripts (68)
- `aqe`: `tsx src/cli/index.ts`
- `benchmark:rabitq`: `tsx scripts/benchmark-rabitq.ts`
- `benchmark:self-learning`: `tsx scripts/benchmark-self-learning.ts`
- `benchmark:token-reduction`: `vitest bench tests/benchmarks/code-intelligence-token-reduction.bench.ts`
- `build`: `tsc && npm run build:cli && npm run build:mcp`
- `build:cli`: `node scripts/build-cli.mjs`
- `build:mcp`: `node scripts/build-mcp.mjs`
- `clean`: `node -e "const fs=require('fs');try{fs.rmSync('dist',{recursive:true,force:true})}catch{}"`
- `cli`: `tsx src/cli/index.ts`
- `dev`: `node dist/cli/bundle.js`
- `lint`: `eslint src --ext .ts`
- `mcp`: `tsx src/mcp/entry.ts`
- `mcp:parity`: `node scripts/audit-mcp-tool-parity.mjs`
- `mcp:report`: `echo 'MCP Report: uses vitest for test reporting' && exit 0`
- `mcp:validate`: `node scripts/smoke-mcp-protocol.mjs`
- `performance:gate`: `npx tsx src/performance/run-gates.ts`
- `plugin:smoke`: `bash plugins/agentic-qe-fleet/scripts/smoke.sh`
- `postinstall`: `node scripts/postinstall.cjs`
- `preinstall`: `node scripts/preinstall.cjs || true`
- `prepublishOnly`: `node scripts/sync-agents.cjs && node scripts/prepare-assets.cjs`
- `pretrain:history`: `tsx scripts/pretrain-from-history.ts`
- `skills:update-badges`: `npx tsx scripts/update-skill-manifest.ts --generate-badges`
- `skills:update-manifest`: `npx tsx scripts/update-skill-manifest.ts`
- `skills:validate-tier3`: `node scripts/validate-tier3.cjs`
- `start`: `node dist/cli/bundle.js`
- `sync:agents`: `node scripts/sync-agents.cjs`
- `sync:agents:check`: `node scripts/sync-agents-check.cjs`
- `sync:cloud`: `tsx src/cli/index.ts sync`
- `sync:cloud:config`: `tsx src/cli/index.ts sync config --sources`
- `sync:cloud:full`: `tsx src/cli/index.ts sync --full`
- …and 38 more.
Dependencies (23)

| Package | Version |
|---|---|
| @huggingface/transformers | ^4.2.0 |
| @ruvector/attention | 0.1.3 |
| @ruvector/gnn | 0.1.25 |
| @ruvector/learning-wasm | ^0.1.29 |
| @ruvector/router | ^0.1.28 |
| @ruvector/rvf-node | ^0.1.7 |
| @ruvector/sona | ^0.1.7 |
| axe-core | ^4.11.1 |
| better-sqlite3 | ^12.5.0 |
| chalk | ^5.6.2 |
| cli-progress | ^3.12.0 |
| commander | ^14.0.3 |
| fast-glob | ^3.3.3 |
| fast-json-patch | ^3.1.1 |
| jose | ^6.1.3 |
| ora | ^9.0.0 |
| pg | ^8.17.2 |
| prime-radiant-advanced-wasm | ^0.1.3 |
| secure-json-parse | ^4.1.0 |
| uuid | ^14.0.0 |
| vibium | ^0.1.2 |
| web-tree-sitter | ~0.26.8 |
| yaml | ^2.8.2 |
Optional dependencies (15)

| Package | Version |
|---|---|
| @ruvector/attention-darwin-arm64 | 0.1.3 |
| @ruvector/attention-darwin-x64 | 0.1.3 |
| @ruvector/attention-linux-arm64-gnu | 0.1.3 |
| @ruvector/attention-linux-arm64-musl | npm:@ruvector/[email protected] |
| @ruvector/attention-linux-x64-gnu | 0.1.3 |
| @ruvector/attention-linux-x64-musl | npm:@ruvector/[email protected] |
| @ruvector/gnn-darwin-arm64 | 0.1.25 |
| @ruvector/gnn-darwin-x64 | 0.1.25 |
| @ruvector/gnn-linux-arm64-gnu | 0.1.25 |
| @ruvector/gnn-linux-arm64-musl | npm:@ruvector/[email protected] |
| @ruvector/gnn-linux-x64-gnu | 0.1.25 |
| @ruvector/gnn-linux-x64-musl | npm:@ruvector/[email protected] |
| @ruvector/tiny-dancer-linux-arm64-gnu | ^0.1.17 |
| hnswlib-node | ^3.0.0 |
| rvlite | ^0.2.4 |