PkgRadar

Package evidence

[email protected]

Install Lifecycle Remote Or Exec: postinstall="node -e \"console.log('We have an active developer community on Discord. You can find it on https://discord.gg/crawlee-apify-801163717915574323.');\""

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
5,371Niche · −30% score
Versions published
698Mature · −50% score
First published
Mar 2018
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes287,418
Previous version1.6.3-beta.3
Published2026-06-17T09:26:44.586Z
SHA-256c0c096d0a19f2cb50c1646a33b7ef2fdb34428e8173306ec0c0e559f52cff175

Why flagged

What the scanner saw

Install Lifecycle Remote Or Exec: postinstall="node -e \"console.log('We have an active developer community on Discord. You can find it on https://discord.gg/crawlee-apify-801163717915574323.');\""

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
14Score
1.6.3-beta.4Version
Status history (1 event)
  1. newavailable · risk review · score 14 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highInstall Lifecycle Remote Or Execpackage.jsonpostinstall="node -e \"console.log('We have an active developer community on Discord. You can find it on https://discord.gg/crawlee-apify-801163717915574323.');\""30
mediumRemote Payloadpackage/dist/_register-DTarVRWq.jsmatched "raw.githubusercontent.com"12
Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
highInstall Lifecycle Remote Or Execpackage.jsonpostinstall="node -e \"console.log('We have an active developer community on Discord. You can find it on https://discord.gg/crawlee-apify-801163717915574323.');\""30
mediumRemote Payloadpackage/dist/_register-DTarVRWq.jsmatched "raw.githubusercontent.com"12
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node -e \"console.log('We have an active developer community on Discord. You can find it on https://discord.gg/crawlee-apify-801163717915574323.');\""5

Manifest

Package metadata

Scripts18
  • buildpnpm run clean && tsc && tsdown
  • build-bundlesbun run scripts/build-cli-bundles.ts
  • cleanrimraf dist
  • dev:actortsx ./src/entrypoints/actor.ts
  • dev:apifytsx ./src/entrypoints/apify.ts
  • formatoxfmt --check
  • format:fixoxfmt
  • insert-cli-metadatatsx scripts/insert-cli-metadata.ts
  • lintoxlint --type-aware
  • lint:fixoxlint --type-aware --fix
  • postinstallnode -e "console.log('We have an active developer community on Discord. You can find it on https://discord.gg/crawlee-apify-801163717915574323.');"
  • test:allpnpm run test:local && pnpm run test:api
  • test:apivitest run --testNamePattern "^(?=.*\[api\])(?!.*\[e2e\]).*$" --exclude ./test/e2e
  • test:e2evitest run --testNamePattern "\[e2e\]" --exclude ./test/api
  • test:e2e:localvitest run --testNamePattern "^(?=.*\[e2e\])(?!.*\[api\]).*$" --exclude ./test/api
  • test:localvitest run --testNamePattern "^((?!\[api]).)*$" --exclude ./test/api --exclude ./test/e2e
  • test:pythonvitest run --testNamePattern "\[python\]"
  • update-docstsx scripts/generate-cli-docs.ts
Dependencies52
  • @apify/actor-memory-expression^0.1.12
  • @apify/actor-templates^0.1.5
  • @apify/consts^2.53.0
  • @apify/input_schema^3.27.1
  • @apify/json_schemas^0.16.0
  • @apify/utilities^2.25.6
  • @crawlee/memory-storage^3.16.0
  • @inquirer/core^11.1.7
  • @inquirer/input^5.0.10
  • @inquirer/password^5.0.10
  • @inquirer/select^5.1.2
  • @napi-rs/keyring^1.3.0
  • @root/walk~1.1.0
  • @sapphire/duration^1.2.0
  • @sapphire/result^2.8.0
  • @sapphire/timestamp^1.0.5
  • @skyra/jaro-winkler^1.1.1
  • adm-zip~0.5.17
  • ajv~8.20.0
  • apify-client^2.23.3
  • archiver~7.0.1
  • axios^1.15.0
  • chalk~5.6.2
  • ci-info~4.4.0
  • cli-table3^0.6.5
  • computer-name~0.1.0
  • configparser~0.3.10
  • cors~2.8.6
  • detect-indent~7.0.2
  • es-toolkit^1.45.1
  • …and 22 more.