PkgRadar

Package evidence

[email protected]

Install-time lifecycle script: preinstall="echo {} > package-lock.json"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
614
Versions published
594Mature · −50% score
First published
Aug 2020
Publisher
nnynhi

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
Publishernnynhi
Artifact bytes4,743,912
Previous version1.4.64
Published2026-06-03T03:45:55.832Z
SHA-2560529e2a7415e0719067bfb6330a702a2fa548c1d3e9c106726c074265c23b854

Why flagged

What the scanner saw

New Lifecycle Script Vs Previous: preinstall added in 1.4.65-beta.1 vs 1.4.64: "echo {} > package-lock.json"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
highRisk
45Score
1.4.65-beta.1Version
Status history (1 event)
  1. newavailable · risk high · score 45 · status changed

Evidence

Static findings

1 static · 1 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highNew Lifecycle Script Vs Previouspackage.jsonpreinstall added in 1.4.65-beta.1 vs 1.4.64: "echo {} > package-lock.json"40
Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
highNew Lifecycle Script Vs Previouspackage.jsonpreinstall added in 1.4.65-beta.1 vs 1.4.64: "echo {} > package-lock.json"40
lowInstall-time lifecycle scriptpackage.jsonpreinstall="echo {} > package-lock.json"5

Manifest

Package metadata

Scripts22
  • betanpm run build && cp *.md dist/ && cp package.json dist/ && cd dist && npm publish --tag beta
  • buildrun-script-os
  • build-storybookbuild-storybook -c .storybook -s src
  • build:darwin:linux:defaultrm -rf dist && npm run compile && sass --style=compressed src/scss:dist/css && cp -rf src/assets dist/assets
  • build:windowsrimraf dist && mkdirp dist/components && npm run compile && sass --style=compressed src/scss:dist/css && xcopy src\\assets dist\\assets\ /e /y
  • compilebabel src --out-dir dist --ignore **/*.stories.js
  • eslint-testonchange "src/**/*.{js,jsx,json}" -- eslint . --fix
  • freshtallnpm cache clean --force && rm -rf node_modules && rm -f package-lock.json && npm install
  • linteslint --fix --config .eslintrc.js "**/*.js"
  • packnpm run build && cp *.md dist/ && npm run version:bump --silent && npm run version:add --silent && cd dist && npm pack
  • preinstallecho {} > package-lock.json
  • productionnpm run build && cp *.md dist/ && npm run version:bump --silent && npm run version:add --silent && cd dist && npm publish
  • production-keep-versionnpm run build && cp *.md dist/ && cp package.json dist/ && cd dist && npm publish
  • startnpm-run-all --parallel start-sb eslint-test
  • start-sbstart-storybook -p 9050
  • testecho "Error: no test specified" && exit 1
  • test-storybooktest-storybook --url http://localhost:9050
  • version:addrun-script-os
  • version:add:darwin:linux:defaultVERSION=$(npm run version:extract --silent) && cat package.json.tmp | sed "s/0.0.0/${VERSION}/g" > dist/package.json
  • version:add:windowscat package.json.tmp | sed "s/0.0.0/%npm_package_version%/g" > dist/package.json
  • version:bumpnpm version patch --no-git-tag-version --silent
  • version:extractcat package.json | grep version | head -1 | awk -F: '{ print $2 }' | sed 's/[",]//g' | tr -d '[[:space:]]'
Dependencies6
  • @emotion/core^10.0.35
  • @emotion/css^11.11.0
  • @emotion/react^11.10.6
  • babel-plugin-module-resolver^4.1.0
  • date-fns^2.30.0
  • prop-types^15.7.2