PkgRadar

Package evidence

[email protected]

Install Lifecycle Remote Or Exec: postinstall="/bin/bash -c 'if [ -d node_modules/@fastify/deepmerge ]; then patch-package; fi'"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 4,308 (Niche · −30% score)
Versions published: 1,564 (Mature · −50% score)
First published: Sep 2015
Publisher: mycozycloud

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: mycozycloud
Artifact bytes: 2,150,951
Previous version: 139.1.0
Published: 2026-06-09T06:44:59.839Z
SHA-256: 626207e8db52f7959ac532a1a52c144d1933d070e21c4cc69e25a3220a8d2d70

Why flagged

What the scanner saw

Install Lifecycle Remote Or Exec: postinstall="/bin/bash -c 'if [ -d node_modules/@fastify/deepmerge ]; then patch-package; fi'"

2 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 16
Version: 139.2.0
Status history (1 event)
  1. new available · risk review · score 16 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Install Lifecycle Remote Or Exec | package.json | postinstall="/bin/bash -c 'if [ -d node_modules/@fastify/deepmerge ]; then patch-package; fi'" | 30 |
| high | Remote Dependency Spec | package.json | dependencies.mui-bottom-sheet="https://github.com/cozy/mui-bottom-sheet.git#v1.0.9" | 12 |
| medium | Remote Dependency Spec | package.json | devDependencies.michelangelo="https://github.com/cozy/michelangelo.git" | 8 |
| low | Install-time lifecycle script | package.json | postinstall="/bin/bash -c 'if [ -d node_modules/@fastify/deepmerge ]; then patch-package; fi'" | 5 |

Remote payloads

Followed remote artifacts

| Source | URL | Risk | Score | Summary |
|---|---|---|---|---|
| dependencies.mui-bottom-sheet | https://github.com/cozy/mui-bottom-sheet.git#v1.0.9 | error | 0 | invalid gzip header |
| devDependencies.michelangelo | https://github.com/cozy/michelangelo.git | error | 0 | invalid gzip header |

Manifest

Package metadata

Scripts (44)
  • argos:upload → argos upload
  • build → yarn build:types && yarn build:js
  • build:all → yarn makeSpriteAndPalette && yarn build && yarn build:css:all && yarn build:doc
  • build:css → env CSSMODULES=false yarn run stylus-build -o dist/cozy-ui.min.css stylus/cozy-ui/build.styl
  • build:css:all → yarn build:css && yarn build:css:utils && yarn run removeEmptyCss
  • build:css:kss → env CSSMODULES=false yarn run stylus-build -o build/styleguide/app.css stylus/cozy-ui/build.styl
  • build:css:utils → env CSSMODULES=false yarn run stylus-build -o dist/cozy-ui.utils.min.css stylus/cozy-ui/utils.styl
  • build:doc → npm-run-all 'build:doc:*'
  • build:doc:config → copyfiles -u 1 docs/*.md docs/_config.yml build
  • build:doc:kss → NODE_OPTIONS=--openssl-legacy-provider kss --destination build/styleguide --title 'Cozy-UI Styleguide' --source stylus --builder node_modules/michelangelo/kss_styleguide/custom-template --homepage stylus/styleguide.md --css app.css
  • build:doc:react → NODE_OPTIONS=--openssl-legacy-provider styleguidist build --config docs/styleguide.config.js
  • build:doc:skill → node scripts/generate-skill.js
  • build:js → env BABEL_ENV=transpilation babel --extensions .ts,.tsx,.js,.jsx,.md,.styl,.json,.snap react/ --out-dir transpiled/react --copy-files --no-copy-ignored --verbose
  • build:types → tsc -p tsconfig-build.json
  • clean:doc:kss → rm -rf build/styleguide
  • deploy:doc → git-directory-deploy --directory build/ --branch gh-pages
  • lint → npm-run-all 'lint:*'
  • lint:js → eslint 'react/**/*.jsx' 'react/**/*.js' 'react/**/*.ts' 'react/**/*.tsx' 'docs/styleguide.config.js'
  • lint:md → remark . -o -S
  • lint:stylus → stylint stylus --config .stylintrc
  • makeSpriteAndPalette → npm-run-all --parallel sprite palette
  • makeSvgr → scripts/generate-svgr-icon.sh
  • optimizeIcons → svgo -r --folder assets/icons
  • palette → scripts/make-palette.sh
  • postbuild → postcss transpiled/react/stylesheet.css --replace
  • postinstall → /bin/bash -c 'if [ -d node_modules/@fastify/deepmerge ]; then patch-package; fi'
  • prebuild:css → mkdir -p dist/ && stylus -C node_modules/normalize.css/normalize.css node_modules/normalize.css/normalize.styl
  • prebuild:css:kss → mkdir -p build/styleguide && stylus -C node_modules/normalize.css/normalize.css node_modules/normalize.css/normalize.styl
  • prebuild:css:utils → mkdir -p dist/
  • prebuild:doc:kss → run-s clean:doc:kss build:css:kss
  • …and 14 more.
Dependencies (22)
  • @babel/runtime ^7.3.4
  • @date-io/date-fns 1
  • @material-ui/core 4.12.3
  • @material-ui/lab ^4.0.0-alpha.61
  • @material-ui/pickers 3.3.11
  • @popperjs/core ^2.4.4
  • classnames ^2.2.5
  • date-fns 2.30.0
  • hammerjs ^2.0.8
  • intersection-observer 0.11.0
  • mui-bottom-sheet https://github.com/cozy/mui-bottom-sheet.git#v1.0.9
  • node-polyglot ^2.5.0
  • normalize.css ^8.0.0
  • patch-package ^8.0.0
  • pdf-lib 1.17.1
  • react-markdown ^4.0.8
  • react-popper ^2.2.3
  • react-remove-scroll ^2.4.0
  • react-select ^4.3.0
  • react-swipeable-views ^0.13.3
  • react-virtuoso ^4.13.0
  • rooks 7.14.1