Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 3,233,669 · Ubiquitous · −70% score
- Versions published: 1,343 · Mature · −50% score
- First published: Mar 2021
- Publisher: GitHub Actions · Trusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer $PKGRADAR_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

    - name: PkgRadar gate
      run: |
        curl -fsS https://pkgradar.com/gate/npm \
          -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
          -H "Content-Type: application/json" \
          -d '{"specs":["[email protected]"],"fail_on":"review"}'

Why flagged
What the scanner saw
Credential file access: matched ".npmrc"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 1 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/cli/add/index.js | matched ".npmrc" | 5 |
Manifest
Package metadata
Scripts (14)
- build: `pnpm run prebuild && astro-scripts build "src/**/*.{ts,js}" --copy-wasm && tsc -b && astro-check -- -- --root ./components`
- build:ci: `pnpm run prebuild && astro-scripts build "src/**/*.{ts,js}" --copy-wasm`
- dev: `astro-scripts dev --copy-wasm --prebuild "src/runtime/server/astro-island.ts" --prebuild "src/runtime/client/{idle,load,media,only,visible}.ts" "src/**/*.{ts,js}"`
- prebuild: `astro-scripts prebuild --to-string "src/runtime/server/astro-island.ts" "src/runtime/client/{idle,load,media,only,visible}.ts"`
- test: `pnpm run test:unit && pnpm run test:integration && pnpm run test:types`
- test:cli: `astro-scripts test "test/**/cli.test.ts"`
- test:e2e: `pnpm test:e2e:chrome && pnpm test:e2e:firefox`
- test:e2e:chrome: `playwright test`
- test:e2e:firefox: `playwright test --config playwright.firefox.config.js`
- test:e2e:match: `playwright test -g`
- test:integration: `astro-scripts test "test/*.test.ts" --parallel --strip-types`
- test:match: `astro-scripts test "test/**/*.test.ts" --match`
- test:types: `tsc --build test/types/tsconfig.json`
- test:unit: `astro-scripts test "test/units/**/*.test.ts" --strip-types --teardown ./test/units/teardown.ts`
Dependencies (56)
- @astrojs/compiler-rs ^0.1.10
- @astrojs/internal-helpers 0.10.0
- @astrojs/markdown-satteri 0.3.1-beta.1
- @astrojs/telemetry 3.3.2
- @capsizecss/unpack ^4.0.0
- @clack/prompts ^1.1.0
- @oslojs/encoding ^1.1.0
- @rollup/pluginutils ^5.3.0
- am-i-vibing ^0.3.0
- aria-query ^5.3.2
- axobject-query ^4.1.0
- ci-info ^4.4.0
- clsx ^2.1.1
- common-ancestor-path ^2.0.0
- cookie ^1.1.1
- devalue ^5.8.1
- diff ^8.0.3
- dset ^3.1.4
- es-module-lexer ^2.0.0
- esbuild ^0.28.0
- flattie ^1.1.1
- fontace ~0.4.1
- get-tsconfig 5.0.0-beta.4
- github-slugger ^2.0.0
- html-escaper 3.0.3
- http-cache-semantics ^4.2.0
- js-yaml ^4.1.1
- jsonc-parser ^3.3.1
- magic-string ^0.30.21
- magicast ^0.5.2
- …and 26 more.
Optional dependencies (1)
- sharp ^0.34.0