PkgRadar

Package evidence

[email protected]

Install-time lifecycle script: preinstall="node scripts/preinstall.js"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 7,430,262 (Ubiquitous · −70% score)
Versions published: 696 (Mature · −50% score)
First published: Feb 2018
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Artifact bytes: 1,235,132
Previous version: 5.102.0
Published: 2026-05-13T22:01:30.330Z
SHA-256: 897ad826c728973487a83240ba38c5cdec5d1160dfb4ceeed6b8ba7a78176d95

Why flagged

What the scanner saw

Install-time lifecycle script: preinstall="node scripts/preinstall.js"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 2
Version: 5.103.0
Status history (1 event)
  1. new available · risk review · score 2 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

| Severity | Kind | Path | Detail | Points |
| --- | --- | --- | --- | --- |
| low | Install-time lifecycle script | package.json | preinstall="node scripts/preinstall.js" | 5 |
| low | Credential file access | package/packages/dd-trace/src/appsec/recommended.json | matched ".aws/" | 3 |

Manifest

Package metadata

Scripts (101)
  • bench = node benchmark/index.js
  • bench:e2e:test-optimization = node benchmark/e2e-test-optimization/benchmark-run.js
  • dependencies:dedupe = yarn-deduplicate yarn.lock
  • env = bash ./plugin-env
  • generate:config:types = node scripts/generate-config-types.js
  • generate:supported-integrations = node scripts/generate-supported-integrations.js
  • lint = node scripts/check_licenses.js && node scripts/check-no-coverage-artifacts.js && node scripts/check-no-mcr-images.js && node scripts/check-docker-image-shas.js && eslint . --concurrency=auto --max-warnings 0
  • lint:codeowners = codeowners-audit
  • lint:codeowners:ci = codeowners-audit --glob='**/*.spec.js' --glob='benchmark/sirun/**'
  • lint:fix = node scripts/check_licenses.js && node scripts/check-no-coverage-artifacts.js && node scripts/check-no-mcr-images.js && node scripts/check-docker-image-shas.js && eslint . --concurrency=auto --max-warnings 0 --fix
  • lint:inspect = npx @eslint/config-inspector@latest
  • preinstall = node scripts/preinstall.js
  • prepack = node scripts/release/swap-v5-types.js
  • prepare = cd vendor && npm ci --include=dev
  • release:proposal = node scripts/release/proposal
  • services = node ./scripts/install_plugin_modules && node packages/dd-trace/test/setup/services
  • test = echo ' Error: The root "npm test" command is intentionally disabled. Instead, run specific test suites: - npm run test:trace:core - npm run test:appsec - etc. Or run individual test files: npx mocha path/to/test.spec.js See CONTRIBUTING.md (Testing section) for more details. ' && exit 1
  • test:aiguard = mocha "packages/dd-trace/test/aiguard/**/*.spec.js"
  • test:aiguard:ci = nyc --silent node init && nyc -- npm run test:aiguard
  • test:appsec = mocha --exclude "packages/dd-trace/test/appsec/**/*.plugin.spec.js" "packages/dd-trace/test/appsec/**/*.spec.js"
  • test:appsec:ci = nyc --silent node init && nyc -- npm run test:appsec
  • test:appsec:plugins = mocha "packages/dd-trace/test/appsec/**/*.@(${PLUGINS}).plugin.spec.js"
  • test:appsec:plugins:ci = yarn services && nyc --silent node init && nyc -- npm run test:appsec:plugins
  • test:code-origin = mocha "packages/datadog-code-origin/test/**/*.spec.js"
  • test:code-origin:ci = nyc --silent node init && nyc -- npm run test:code-origin
  • test:core = node scripts/mocha-parallel-files.js --expose-gc --timeout 30000 -- "packages/datadog-core/test/**/*.spec.js"
  • test:core:ci = nyc --silent node init && nyc -- npm run test:core
  • test:debugger = mocha "packages/dd-trace/test/debugger/**/*.spec.js"
  • test:debugger:ci = nyc --silent node init && nyc -- npm run test:debugger
  • test:esbuild = mocha "packages/datadog-esbuild/test/**/*.spec.js"
  • …and 71 more.
Dependencies (2)
  • dc-polyfill ^0.1.11
  • import-in-the-middle ^3.0.1
Optional dependencies (10)
  • @datadog/libdatadog 0.9.3
  • @datadog/native-appsec 11.0.1
  • @datadog/native-iast-taint-tracking 4.1.0
  • @datadog/native-metrics 3.1.2
  • @datadog/openfeature-node-server 1.1.2
  • @datadog/pprof 5.14.1
  • @datadog/wasm-js-rewriter 5.0.1
  • @opentelemetry/api >=1.0.0 <1.10.0
  • @opentelemetry/api-logs <1.0.0
  • oxc-parser ^0.129.0