Package evidence

[email protected]

Large Javascript Payload: 14903405 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 417
Versions published: 4
First published: May 2026
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes4,407,023

Previous version1.0.1

Published2026-05-21T03:10:41.008Z

SHA-256cb241472e5cdaf0cd58aec30bc7f564ab5e16758529ca490c0cc1d30f2e21bec

Why flagged

What the scanner saw

Large Javascript Payload: 14903405 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

21d agoLast checked

reviewRisk

6Score

1.0.2Version

Status history (1 event)

new → available21d ago · risk review · score 6 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Large Javascript Payload	package/dist/action/index.cjs	14903405 bytes	10
medium	Large Javascript Payload	package/dist/cli/index.cjs	11560112 bytes	10

Manifest

Package metadata

Scripts29

benchmarkvitest bench --run
buildnode scripts/build.mjs
coveragepnpm run build && vitest run --coverage tests/unit tests/action tests/property tests/snapshot
docsnode scripts/generate-rule-docs.mjs && node scripts/update-action-inputs-docs.mjs && node scripts/docs-build.mjs
docs:servemkdocs serve
fmtbiome format --write .
formatbiome format --write .
gcnode scripts/gc.mjs
knipknip
lintbiome check .
lint:fixbiome check --write .
mutationstryker run
preparenode scripts/prepare.mjs
sbomnode scripts/generate-sbom.mjs
securitypnpm audit --audit-level moderate
testvitest run
test:actionpnpm run build && vitest run tests/action
test:benchvitest bench
test:intvitest run tests/integration
test:propertyvitest run tests/property
test:snapshotvitest run tests/snapshot
test:unitvitest run tests/unit
typechecktsc --noEmit -p tsconfig.json
verifypnpm run lint && pnpm run typecheck && pnpm run knip && pnpm run build && pnpm run verify:dist && pnpm run verify:version && pnpm run test:unit && pnpm run test:property && pnpm run test:snapshot && pnpm run test:action && pnpm run coverage && pnpm run verify:structure && pnpm run gc && pnpm run docs && pnpm audit --audit-level moderate
verify:clean-treenode scripts/verify-clean-tree.mjs
verify:distnode scripts/verify-dist.mjs
verify:structurenode scripts/verify-structure.mjs
verify:versionnode scripts/verify-version.mjs
watchnode scripts/watch.mjs