Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 14,240 (Mainstream · −50% score)
- Versions published: 275 (Mature · −50% score)
- First published: Dec 2019
- Publisher: microsoft1es
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl:

```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Large Javascript Payload: 8124882 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 4 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/directlinespeech.development.js | 8124882 bytes | 10 |
| low | Credential file access | package/dist/directlinespeech.production.min.js | matched ".azure" | 5 |
Manifest
Package metadata
Scripts (20)
- build: `npm run --if-present build:pre && npm run build:run && npm run --if-present build:post`
- build:pre: `npm run build:pre:local-dependencies && npm run build:pre:watch`
- build:pre:local-dependencies: `../../scripts/npm/build-local-dependencies.sh`
- build:pre:watch: `../../scripts/npm/build-watch.sh`
- build:run: `npm run build:run:tsup && npm run build:run:babel && npm run build:run:webpack`
- build:run:babel: `cross-env build_tool=babel module_format=commonjs babel src --ignore **/*.spec.js,**/*.test.js,__tests__/**/*.js --out-dir lib --verbose`
- build:run:tsup: `tsup`
- build:run:webpack: `npm run build:run:webpack:development && npm run build:run:webpack:production`
- build:run:webpack:development: `cross-env node_env=development webpack-cli`
- build:run:webpack:production: `cross-env node_env=production webpack-cli`
- bump: `vg bump prod && vg bump dev && (npm audit fix || exit 0)`
- eslint: `npm run precommit`
- postversion: `../../scripts/npm/postversion.sh`
- precommit: `npm run precommit:eslint -- src`
- precommit:eslint: `eslint --report-unused-disable-directives --max-warnings 0`
- prettier: `prettier --check src/**/*.{js,ts}`
- preversion: `../../scripts/npm/preversion.sh`
- start: `../../scripts/npm/notify-build.sh "src"`
- start:serve: `serve`
- test: `jest --watch`
Dependencies (10)
- @babel/runtime 7.29.2
- abort-controller 3.0.0
- base64-arraybuffer 1.0.2
- core-js 3.49.0
- core-js-pure 3.49.0
- event-as-promise 2.0.1
- event-target-shim 6.0.2
- math-random 2.0.1
- microsoft-cognitiveservices-speech-sdk 1.17.0
- web-speech-cognitive-services 8.1.4