PkgRadar

Package evidence

[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
19
Versions published
62
First published
Mar 2026
Publisher
melcanz85

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishermelcanz85
Artifact bytes381,876
Previous version2.1.39
Published2026-05-08T11:23:03.967Z
SHA-2567daa4096927a13e4e5c39e1b060a9a64128e359674fe01e3b0d4d120a20d769d

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
50Score
2.2.0Version
Status history (1 event)
  1. newavailable · risk review · score 50 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/dist/cli/index.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/compiler/index.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/index.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/dist/plugins/vite.jsmatched "raw.githubusercontent.com"12
mediumRemote Payloadpackage/src/compiler/btt.tsmatched "raw.githubusercontent.com"12

Manifest

Package metadata

Scripts17
  • buildnpm run build:clean && npm run build:types && npm run build:core && npm run build:cli && npm run build:plugins && npm run build:runtime && npm run build:browser && npm run build:compiler
  • build:browseresbuild src/browser.ts --bundle --platform=browser --format=esm --outfile=dist/browser.js --external:react --external:react-dom --external:vue --external:svelte --external:url
  • build:cleanrm -rf dist
  • build:cliesbuild src/cli/index.ts --bundle --platform=node --format=esm --outfile=dist/cli/index.js --packages=external && chmod +x dist/cli/index.js
  • build:compileresbuild src/compiler/index.ts --bundle --platform=node --format=esm --outfile=dist/compiler/index.js --packages=external
  • build:coreesbuild src/index.ts --bundle --platform=node --format=esm --outfile=dist/index.js --packages=external
  • build:pluginsesbuild src/plugins/vite.ts --bundle --platform=node --format=esm --outfile=dist/plugins/vite.js --packages=external && esbuild src/plugins/webpack.ts --bundle --platform=node --format=esm --outfile=dist/plugins/webpack.js --packages=external
  • build:runtimeesbuild src/runtime/index.ts --bundle --platform=browser --format=esm --outfile=dist/runtime/index.js --external:react --external:react-dom --external:vue --external:svelte --external:url
  • build:typestsc -p tsconfig.build.json
  • devtsc -w
  • prepublishOnlynpm run build
  • testvitest run
  • test:coveragevitest run --coverage
  • test:integrationvitest run __tests__/integration
  • test:unitvitest run __tests__/unit
  • test:verboseCHAINCSS_TEST_VERBOSE=1 vitest run
  • test:watchvitest
Dependencies5
  • browserslist^4.28.2
  • chalk^5.6.2
  • chokidar^5.0.0
  • commander^14.0.3
  • glob^13.0.6