Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 364
- Versions published
- 177Established · −30% score
- First published
- Dec 2025
- Publisher
- linluanchun
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Payload: matched "cURL "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 50 · status changed
Evidence
Static findings
48 static · 0 from release diff · showing high-signal first.
Showing 30 of 48 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/es/chunks/index.0OIIavvN.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.6kaY82cw.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.B8zx-_Uc.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.BASIDkY2.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.BBDgrejZ.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.BFP26prA.js | matched "cURL " | 12 |
| medium | Remote Payload | package/es/chunks/index.Bix-gvgL.js | matched "cURL " | 12 |
| medium | Remote Payload | package/es/chunks/index.BL4NbKts.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.BnVup5Jt.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.BPXnruXc.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.BXR6lB7w.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.BZ1D-tb2.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.BZTj1ePO.js | matched "cURL " | 12 |
| medium | Remote Payload | package/es/chunks/index.C-i2X1AX.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.C4A1P0Fg.js | matched "cURL " | 12 |
| medium | Remote Payload | package/es/chunks/index.CAQqw3f3.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.Ccny2zKA.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.CcTRmu85.js | matched "cURL " | 12 |
| medium | Remote Payload | package/es/chunks/index.CGf36e17.js | matched "cURL " | 12 |
| medium | Remote Payload | package/es/chunks/index.Ckdst9-h.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.CmOs5kPr.js | matched "cURL " | 12 |
| medium | Remote Payload | package/es/chunks/index.CmZ2hmGg.js | matched "cURL " | 12 |
| medium | Remote Payload | package/es/chunks/index.CP0k8NFH.js | matched "cURL " | 12 |
| medium | Remote Payload | package/es/chunks/index.CRvWgl4x.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.CrwNEywm.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.D1Ttl4Z5.js | matched "cURL " | 12 |
| medium | Remote Payload | package/es/chunks/index.D3SrAj50.js | matched "cURL " | 12 |
| medium | Remote Payload | package/es/chunks/index.DdGFnB0W.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.DffK5iWi.js | matched "cURL " | 12 |
| medium | Remote Payload | package/lib/chunks/index.DjoMVx_C.js | matched "cURL " | 12 |
Manifest
Package metadata
Scripts9
buildvite build && pnpm run postbuildbuild:cleanrimraf lib esdevvite --config ./play/vite.config.jslinteslint . && stylelint "**/*.{css,less,scss}"lint:fixprettier --write . && eslint --fix . && stylelint --fix "**/*.{css,less,scss}"postbuildnode -e "const fs = require('fs'); const path = require('path'); const src = path.join(__dirname, 'es', 'assets', 'index.css'); const dest = path.join(__dirname, 'index.css'); if (fs.existsSync(src)) { fs.copyFileSync(src, dest); console.log('组件库样式文件已复制到根目录'); } else { console.log('警告: 组件库样式文件不存在'); }"releasenode ../../scripts/publish-package.js china-mobile-international-custom-componentsrelease:patchnode ../../scripts/publish-package.js china-mobile-international-custom-components --patchversionbumpp --no-tag --no-commit
Dependencies33
@codemirror/lang-json^6.0.2@codemirror/language^6.11.3@codemirror/lint^6.9.2@codemirror/state^6.5.3@codemirror/theme-one-dark^6.1.3@codemirror/view^6.38.6@logicflow/core2.1.11@logicflow/extension2.1.15@logicflow/vue-node-registry1.1.12@vueuse/core^14.0.0copy-to-clipboard^3.3.3crypto-js^4.2.0dayjs^1.11.18echarts^6.0.0element-plus^2.14.0element-tree-line^0.2.1js-cookie^3.0.5lodash.debounce^4.0.8lottie-web^5.13.0md-editor-v3^5.8.4mitt^3.0.0moment^2.30.1pinia^3.0.4qs^6.14.0unplugin-vue^7.1.0uuid^13.0.0v-viewer^3.0.22viewerjs^1.11.7vue-codemirror^6.1.1vue-draggable-plus^0.6.0- …and 3 more.
Optional dependencies2
@ast-grep/napi-linux-x64-musl^0.39.6@rollup/rollup-linux-x64-musl^4.52.5