Package evidence

[email protected]

Install-time lifecycle script: postinstall="patch-package"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 57Mature · −50% score
First published: Aug 2020
Publisher: acdc_soft

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisheracdc_soft

Artifact bytes7,328,373

Previous version6.0.0-beta.1.0.1

Published2026-03-09T06:17:13.768Z

SHA-256c5da664d56b57c3dab83c50e0b86e060a3ea4f53f6270437e71f052dacf69eeb

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="patch-package"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

9h agoLast checked

reviewRisk

2Score

6.0.0-beta.1.0.2Version

Status history (1 event)

new → available9h ago · risk review · score 2 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Install-time lifecycle script	package.json	postinstall="patch-package"	5

Manifest

Package metadata

Scripts26

analyzesource-map-explorer build/static/js/main.*
buildnpm run git-info; npm-run-all build-wrappers build-protobuf link-schemas build-ts
build-dockernpm run git-info; npm-run-all build-wrappers-docker build-protobuf link-schemas build-ts
build-libs./wasm_libs/build_libs.sh
build-libs-docker./build_wasm_libs_docker.sh
build-libs-singularity./build_wasm_libs_singularity.sh
build-protobuf./protobuf/build_proto.sh
build-singularitynpm run git-info; npm-run-all build-wrappers-singularity build-protobuf link-schemas build-ts
build-tsrsbuild build --config-loader jiti
build-wrappers./wasm_src/build_wrappers.sh
build-wrappers-docker./build_wasm_wrappers_docker.sh
build-wrappers-singularity./build_wasm_wrappers_singularity.sh
check-eslinteslint ./src
checkformatnpx prettier --check ./src
fix-eslinteslint --fix ./src
git-info./git-info.sh
link-schemas./schemas/link_schemas.sh
postinstallpatch-package
prepacknpm run build-libs-docker; npm run build-docker
preparehusky
previewrsbuild preview --config-loader jiti
reformatnpx prettier --write ./src
startnpm run git-info; rsbuild dev --config-loader jiti
testjest
test:coveragejest --coverage
test:watchjest --watch

Dependencies2

patch-package^8.0.0
usehooks-ts^3.1.0

Optional dependencies12

@rspack/binding-darwin-arm64^1.5.5
@rspack/binding-darwin-x64^1.5.5
@rspack/binding-linux-arm64-gnu^1.5.5
@rspack/binding-linux-arm64-musl^1.5.5
@rspack/binding-linux-x64-gnu^1.5.5
@rspack/binding-linux-x64-musl^1.5.5
sass-embedded-darwin-arm641.97.3
sass-embedded-darwin-x641.97.3
sass-embedded-linux-arm641.97.3
sass-embedded-linux-musl-arm641.97.3
sass-embedded-linux-musl-x641.97.3
sass-embedded-linux-x641.97.3