Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
GitHub Actions step:
```
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
Why flagged
What the scanner saw
Remote Payload: matched "curl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 60 · status changed
Related candidates
Linked campaigns and clusters
foodismai
3 members · evidence strength 66
Evidence
Static findings
11 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/cli/index.mjs | matched "curl " | 12 |
| medium | Remote Payload | package/dist/passkey-config-AX4sjpQ4.mjs | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/storage/s3.mjs | matched "cUrl\n\t" | 12 |
| low | Obfuscation | package/dist/base64-C1Q9yr0B.mjs | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/astro/index.mjs | matched "\\x1b" | 3 |
| low | Obfuscation | package/dist/cli/index.mjs | matched "\\u0300" | 3 |
| low | Obfuscation | package/dist/preview-5HuX6fjF.mjs | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/astro/middleware/request-context.mjs | matched "\\u2026" | 3 |
| low | Obfuscation | package/dist/seo-contributions-C0LXoWw3.mjs | matched "\\u2028" | 3 |
| low | Obfuscation | package/dist/ui/server-runtime.mjs | matched "\\u0000" | 3 |
| low | Obfuscation | package/dist/slugify-BzGxlOFx.mjs | matched "\\u0300" | 3 |
Manifest
Package metadata
Scripts (7)
| Script | Command |
|---|---|
| build | tsdown && node scripts/copy-route-assets.mjs |
| check | publint && attw --pack --ignore-rules=cjs-resolves-to-esm --ignore-rules=no-resolution --ignore-rules=internal-resolution-error |
| dev | tsdown --watch |
| test | vitest |
| test:integration | vitest run --config vitest.integration.config.ts |
| test:smoke | vitest run --config vitest.smoke.config.ts |
| typecheck | tsgo --noEmit |
Dependencies (38)
- @cloudflare/kumo ^1.16.0
- @dineway-ai/admin ^0.1.15
- @dineway-ai/auth ^0.1.15
- @dineway-ai/gutenberg-to-portable-text ^0.1.13
- @floating-ui/react ^0.27.16
- @modelcontextprotocol/sdk ^1.26.0
- @portabletext/toolkit ^5.0.1
- @tiptap/core ^3.20.0
- @tiptap/extension-focus ^3.20.0
- @tiptap/extension-image ^3.20.0
- @tiptap/extension-link ^3.20.0
- @tiptap/extension-placeholder ^3.20.0
- @tiptap/extension-text-align ^3.20.0
- @tiptap/extension-typography ^3.20.0
- @tiptap/extension-underline ^3.20.0
- @tiptap/react ^3.20.0
- @tiptap/starter-kit ^3.20.0
- @tiptap/suggestion ^3.20.0
- @unpic/placeholder ^0.1.2
- arctic ^3.7.0
- astro-portabletext ^0.11.0
- better-sqlite3 ^12.8.0
- blurhash ^2.0.5
- citty ^0.1.6
- consola ^3.4.2
- croner ^10.0.1
- image-size ^2.0.2
- jose ^6.1.3
- jpeg-js ^0.4.4
- kysely ^0.27.0
- …and 8 more.
Optional dependencies (4)
- @aws-sdk/client-s3 ^3.1049.0
- @aws-sdk/s3-request-presigner ^3.1049.0
- @libsql/kysely-libsql ^0.4.0
- pg ^8.0.0