Package evidence

[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 7,096Niche · −30% score
Versions published: 3,087Mature · −50% score
First published: Jun 2021
Publisher: neilguan

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisherneilguan

Artifact bytes2,659,062

Previous version2.0.58

Published2022-02-09T01:22:16.552Z

SHA-256864d6b16f1338463aa359a68cb096c7cabaf0d4473d5d606b4bc557583c21a0b

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

18h agoLast checked

reviewRisk

12Score

2.0.59Version

Status history (1 event)

new → available18h ago · risk review · score 12 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/node_modules/@aws-cdk/cfnspec/build-tools/update-cfnlint.sh	matched "curl "	12
medium	Remote Payload	package/node_modules/@aws-cdk/cfnspec/build-tools/update.sh	matched "curl "	12

Manifest

Package metadata

Scripts25

buildnpx projen build
bumpnpx projen bump
clobbernpx projen clobber
compatnpx projen compat
compilenpx projen compile
defaultnpx projen default
docgennpx projen docgen
ejectnpx projen eject
eslintnpx projen eslint
packagenpx projen package
package-allnpx projen package-all
package:jsnpx projen package:js
package:pythonnpx projen package:python
post-compilenpx projen post-compile
post-upgradenpx projen post-upgrade
pre-compilenpx projen pre-compile
projennpx projen
releasenpx projen release
release:cdkv1npx projen release:cdkv1
testnpx projen test
test:updatenpx projen test:update
test:watchnpx projen test:watch
unbumpnpx projen unbump
upgradenpx projen upgrade
watchnpx projen watch

Dependencies1

@aws-cdk/assert^2.11.0