Package evidence
[email protected]
Install-time lifecycle script: postinstall="npx grunt exec:fixCryptoApiImports && npx grunt exec:fixSnackbarMarkup"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 422Mature · −50% score
- First published
- Nov 2016
- Publisher
- n1474335
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Install-time lifecycle script: postinstall="npx grunt exec:fixCryptoApiImports && npx grunt exec:fixSnackbarMarkup"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 1 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 2 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Install-time lifecycle script | package.json | postinstall="npx grunt exec:fixCryptoApiImports && npx grunt exec:fixSnackbarMarkup" | 5 |
| low | Obfuscation Density | package/src/core/Utils.mjs | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts14
buildnpx grunt prodgetheapsizenode -e 'console.log(`node heap limit = ${require("v8").getHeapStatistics().heap_size_limit / (1024 * 1024)} Mb`)'lintnpx grunt lintminornode --experimental-modules --experimental-json-modules src/core/config/scripts/newMinorVersion.mjsnewopnode --experimental-modules --experimental-json-modules src/core/config/scripts/newOperation.mjsnodenpx grunt nodepostinstallnpx grunt exec:fixCryptoApiImports && npx grunt exec:fixSnackbarMarkupreplnode --experimental-modules --experimental-json-modules --experimental-specifier-resolution=node --no-experimental-fetch --no-warnings src/node/repl.mjssetheapsizeexport NODE_OPTIONS=--max_old_space_size=2048startnpx grunt devtestnpx grunt configTests && node --experimental-modules --experimental-json-modules --no-warnings --no-deprecation --openssl-legacy-provider --no-experimental-fetch tests/node/index.mjs && node --experimental-modules --experimental-json-modules --no-warnings --no-deprecation --openssl-legacy-provider --no-experimental-fetch --trace-uncaught tests/operations/index.mjstestnodeconsumernpx grunt testnodeconsumertestuinpx grunt testuitestuidevnpx nightwatch --env=dev
Dependencies87
@astronautlabs/amf^0.0.6@babel/polyfill^7.12.1@blu3r4y/lzma^2.3.3@wavesenterprise/crypto-gost-js^2.1.0-RC1@xmldom/xmldom^0.8.0argon2-browser^1.18.0arrive^2.4.1avsc^5.7.7bcryptjs^2.4.3bignumber.js^9.1.2blakejs^1.2.1bootstrap4.6.2bootstrap-colorpicker^3.4.0bootstrap-material-design^4.1.3browserify-zlib^0.2.0bson^4.7.2buffer^6.0.3cbor9.0.2chi-squared^1.1.0codepage^1.15.0crypto-api^0.8.5crypto-browserify^3.12.0crypto-js^4.2.0ctph.js0.0.5d37.8.5d3-hexbin^0.2.2diff^5.1.0es6-promisify^7.0.0escodegen^2.1.0esprima^4.0.1- …and 57 more.