Package evidence

[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 24
First published: Apr 2026
Publisher: trevormil

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publishertrevormil

Artifact bytes3,431,940

Previous version0.39.0

Published2026-05-16T01:00:17.831Z

SHA-256036258e06b25e178125e3be4c3b177a485059f26fd443a20542a6604ef7d7883

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

10h agoLast checked

reviewRisk

24Score

0.40.0Version

Status history (1 event)

new → available10h ago · risk review · score 24 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/cjs/cli/utils/docs-cache.js	matched "raw.githubusercontent.com"	12
medium	Remote Payload	package/dist/esm/cli/utils/docs-cache.js	matched "raw.githubusercontent.com"	12

Manifest

Package metadata

Scripts19

aliastsc-alias -p tsconfig.build.json && tsc-alias -p tsconfig-esm.build.json
buildrm -rf dist && tsc --build tsconfig.build.json && tsc --build tsconfig-esm.build.json && bun run alias && bun run fixup && bun run dep-check
cleantsc --build tsconfig.build.json --clean && shx rm -rf coverage *.log junit.xml dist && jest --clearCache
coveragejest --coverage
dep-checkmadge --circular ./src/index.ts --warning --ts-config ./tsconfig.json --exclude 'api-indexer/docs-types/interfaces.ts|interfaces/badges/*|interfaces/types/*'
devts-node-dev -r tsconfig-paths/register src/index.ts
fixup./scripts/fixup.sh
formatprettier --write './**/*.{js,jsx,ts,tsx,css,md,json}' --config ./.prettierrc
format-ciprettier --write './**/*.{js,jsx,ts,tsx,css,md,json}' --config ./.prettierrc-ci.json
generate-api-routesbun scripts/generate-api-routes.ts
preparets-patch install && typia patch
publish-w-docsbash ./scripts/check_and_publish.sh
routes-checkts-node ./scripts/check_routes_consistency.ts ../../../bitbadges-indexer/src/indexer.ts ./openapitypes-helpers/routes.yaml
startnode dist/index.js
testjest --setupFiles ./jest.setup.js --testPathIgnorePatterns='/dist/' --testPathIgnorePatterns='src/cli/integration/'
test:cijest --coverage --ci --reporters='jest-junit'
test:integrationjest --setupFiles ./jest.setup.js --testMatch='<rootDir>/src/cli/integration/**/*.spec.ts' --runInBand
test:unitjest --setupFiles ./jest.setup.js --testPathIgnorePatterns='/dist/' --testPathIgnorePatterns='src/cli/integration/'
test:watchjest --watch

Dependencies12

@bufbuild/protobuf^1.10.1
@modelcontextprotocol/sdk^1.0.0
axios^1.14.0
bech32^2.0.0
commander^14.0.3
crypto-addr-codec^0.1.7
ethers^6.13.4
open^10.1.0
sha3^2.1.4
typia^8.0.2
web3-validator^2.0.6
zod^3.22.0