Package evidence
[email protected]
Remote Dependency Spec: dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,107Niche · −30% score
- Versions published
- 868Mature · −50% score
- First published
- Feb 2016
- Publisher
- manueldelapenna
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Dependency Spec: dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz"
1 remote tarball(s) were followed statically.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 3 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Remote Dependency Spec | package.json | dependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz" | 12 |
Remote payloads
Followed remote artifacts
| Source | URL | Risk | Score | Summary |
|---|---|---|---|---|
| dependencies.xlsx | https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz | low | 0 | no remote findings |
Manifest
Package metadata
Scripts14
example-4testnode examples/4test/server/server-4test.jsexample-fichasnode examples/fichero/server/server-fichas.jsexample-punode test/puppeteer/first-step.jsexample-tablesnode examples/tables/server/server-tables.js --dir-x examples/tablesprepublish(tsc -p tsconfig-server.json || echo "continue w/error") && (tsc -p tsconfig-client.json || echo "continue w/error")server-testnode test/run-simple-backend.jstestecho testear SiPer que usa la mayoría de la funcionalidad de Backend-Plustest-ci(npm run prepublish || echo "continue w/error") && mocha --reporter spec --bail test/test*.jstest-goodmocha --reporter spec --bail --check-leaks test/test*.jstest-karma(npm run prepublish || echo "continue w/error") && mocha --reporter spec --bail test/test-k*.jstest-punode ./test/download_puppeteer && mocha --reporter spec --bail --check-leaks --globals cptable --globals QUOTE --globals __core-js_shared__ test/test-pu.jstest-servermocha --reporter spec --single-run --bail test/test.jstest-ui(npm run prepublish || echo "continue w/error") && mocha --reporter spec --single-run --bail test/test-*.jstest-whynode --expose-internals ./node_modules/mocha/bin/_mocha --reporter spec --bail test/test*.js
Dependencies46
@upgraded/locate-path^6.0.0-alfa.1ajax-best-promise^0.4.3backend-skins^0.1.34best-globals^2.1.0big.js^7.0.1body-parser^2.2.2cast-error^0.1.3castellano^0.1.5connect-pg-simple^10.0.0cookie-parser^1.4.7cors^2.8.6dialog-promise^0.10.5discrepances^0.2.14express^5.2.1express-session^1.19.0express-useragent^2.1.0fs-extra^11.3.4js-to-html^1.3.5js-yaml^4.1.1json4all^1.4.2lazy-some^0.1.0like-ar^0.5.2login-plus^1.8.1memorystore^1.6.8mini-tools^1.13.5moment^2.30.1multiparty^4.2.3nodemailer^8.0.7numeral^2.0.6pg-promise-strict^1.4.5- …and 16 more.