Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 367
- Versions published: 165
- First published: Dec 2025
- Publisher: anneschuth
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Large Javascript Payload: 3322985 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/index.js | 3322985 bytes | 10 |
Manifest
Package metadata
Scripts (21)
- build: `bun build src/index.ts --outdir dist --target node && bun build src/mcp/mcp-server.ts --outdir dist/mcp --target node && bun build src/statusline/writer.ts --outdir dist/statusline --target node`
- dev: `bun --watch src/index.ts`
- knip: `npx knip`
- lint: `eslint src/`
- lint:fix: `eslint src/ --fix`
- prepare: `husky`
- start: `bun dist/index.js`
- test: `bun test src/`
- test:coverage: `bun test src/ --coverage`
- test:integration: `bun run test:integration:setup && bun run test:integration:run`
- test:integration:all: `bun run test:integration:setup && bun run tests/integration/fixtures/slack/mock-server.ts & sleep 2 && TEST_PLATFORMS=mattermost,slack INTEGRATION_TEST=1 bun test tests/integration/suites --timeout 120000; bun run test:integration:slack:teardown`
- test:integration:clean: `bun run tests/integration/setup/teardown.ts`
- test:integration:run: `INTEGRATION_TEST=1 bun test tests/integration/suites --timeout 120000`
- test:integration:setup: `docker compose -f tests/integration/docker/docker-compose.yml up -d && bun run tests/integration/setup/wait-for-mattermost.ts && bun run tests/integration/setup/setup-mattermost.ts`
- test:integration:slack: `bun run test:integration:slack:teardown; bun run tests/integration/fixtures/slack/mock-server.ts & sleep 2 && TEST_PLATFORMS=slack INTEGRATION_TEST=1 bun test tests/integration/suites --timeout 120000; bun run test:integration:slack:teardown`
- test:integration:slack:run: `TEST_PLATFORMS=slack INTEGRATION_TEST=1 bun test tests/integration/suites --timeout 120000`
- test:integration:slack:setup: `bun run tests/integration/fixtures/slack/mock-server.ts &`
- test:integration:slack:teardown: `pkill -f 'mock-server.ts' || true`
- test:integration:teardown: `docker compose -f tests/integration/docker/docker-compose.yml down -v`
- test:watch: `bun test src/ --watch`
- typecheck: `tsc --noEmit`

Dependencies (18)
- @hono/node-server ^2.0.0
- @inkjs/ui ^2.0.0
- @modelcontextprotocol/sdk ^1.26.0
- @redactpii/node ^1.0.16
- cli-spinners ^3.3.0
- commander ^14.0.2
- diff ^8.0.3
- express-rate-limit ^8.3.0
- hono ^4.12.18
- ink ^6.6.0
- ink-scroll-view ^0.3.5
- js-yaml ^4.1.1
- prompts ^2.4.2
- react ^19.2.3
- semver ^7.7.3
- update-notifier ^7.3.1
- ws ^8.18.0
- zod ^4.3.6