Package evidence

[email protected]

Large Javascript Payload: 2174555 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 40,414Mainstream · −50% score
Versions published: 214Mature · −50% score
First published: May 2017
Publisher: netil

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publishernetil

Artifact bytes3,157,379

Previous version3.18.0

Published2026-06-09T04:25:59.409Z

SHA-2568940f035ab854c4596570aed9e6f0a6e28c7c0d749ed85babe0f0761b0e7f189

Why flagged

What the scanner saw

Large Javascript Payload: 2174555 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low

4d agoLast checked

lowRisk

0Score

4.0.0-next.1Version

Status history (1 event)

new → available4d ago · risk low · score 0 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Large Javascript Payload	package/dist/billboard.pkgd.js	2174555 bytes	0

Manifest

Package metadata

Scripts25

buildnpm run build:production && npm run build:packaged && npm run build:theme && npm run build:plugin && npm run build:esm && npm run build:cjs && npm run build:plugin:types
build:cjsnode ./config/cjs.js
build:devcross-env NODE_ENV=development webpack
build:esmrollup -c ./config/rollup/esm.js
build:packagedcross-env NODE_ENV=packaged webpack
build:packaged:analyzercross-env ANALYZER=true npm run build:packaged
build:plugincross-env NODE_ENV=plugin webpack && cross-env NODE_ENV=plugin MODE=min webpack && cross-env NODE_ENV=plugin MODE=pkgd webpack && cross-env NODE_ENV=plugin MODE=pkgd-min webpack
build:plugin:typesnode ./config/type.d-plugin.js
build:productioncross-env NODE_ENV=production webpack
build:production:analyzercross-env ANALYZER=true npm run build:production
build:themecross-env NODE_ENV=theme webpack
coveragevitest run
coverage:cicross-env NODE_ENV=CI npm run coverage
coverallscat ./coverage/lcov.info | ./node_modules/coveralls/bin/coveralls.js
formatdprint fmt
jsdocnode ./config/jsdoc.js
jsdoc:cmdjsdoc -c jsdoc.json
linteslint
lint-stagedlint-staged --config ./config/.lintstagedrc.json
loccloc --by-file src
preparehusky
releasesemantic-release
startwebpack serve --open
start:plugincross-env PLUGIN=true webpack-dev-server --open
testvitest

Dependencies13

@types/d3-selection^3.0.11
@types/d3-transition^3.0.9
d3-axis^3.0.0
d3-brush^3.0.0
d3-drag^3.0.0
d3-hierarchy^3.1.2
d3-interpolate^3.0.1
d3-scale^4.0.2
d3-selection^3.0.0
d3-shape^3.2.0
d3-time-format^4.1.0
d3-transition^3.0.1
d3-zoom^3.0.0