Package evidence

[email protected]

Large Javascript Payload: 8220840 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 7,971,379Ubiquitous · −70% score
Versions published: 1,237Mature · −50% score
First published: Sep 2021
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes17,884,932

Previous version1.0.0-rc.3-3009504

Published2026-05-22T09:51:39.929Z

SHA-256a655bf37619d81fc6c766f45c35eeebe91870eb8876d794b286de262a1015d6f

Why flagged

What the scanner saw

Large Javascript Payload: 8220840 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

21d agoLast checked

reviewRisk

27Score

1.0.0-rc.3-abc2ef6Version

Status history (1 event)

new → available21d ago · risk review · score 27 · status changed

Evidence

Static findings

9 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Large Javascript Payload	package/api-mysql.js	8220840 bytes	10
medium	Large Javascript Payload	package/api-postgres.js	8554684 bytes	10
medium	Large Javascript Payload	package/bin.cjs	9284528 bytes	10
medium	Large Javascript Payload	package/index.mjs	9233138 bytes	10
medium	Large Javascript Payload	package/api-sqlite.js	8220807 bytes	10
medium	Large Javascript Payload	package/api-sqlite.mjs	8218548 bytes	10
medium	Large Javascript Payload	package/api-mysql.mjs	8218577 bytes	10
medium	Large Javascript Payload	package/index.js	9241996 bytes	10
medium	Large Javascript Payload	package/api-postgres.mjs	8550225 bytes	10

Manifest

Package metadata

Scripts18

apitsx ./dev/api.ts
buildbun --bun run scripts/build.ts
build:artifactpnpm run build
build:clirm -rf ./dist && tsx build.cli.ts && cp package.json dist/
build:devrm -rf ./dist && tsx build.dev.ts && tsc -p tsconfig.cli-types.json && chmod +x ./dist/index.cjs
build:extrm -rf ./dist && vitest run bin.test && vitest run ./tests/postgres/ && vitest run ./tests/sqlite && vitest run ./tests/mysql && tsx build.ext.ts
clitsx ./src/cli/index.ts
migrate:olddrizzle-kit generate:mysql
packcp package.json README.md dist/ && (cd dist && npm pack --pack-destination ..) && rm -f package.tgz && mv *.tgz package.tgz
pack:artifactpnpm run pack
publishnpm publish package.tgz
testTEST_CONFIG_PATH_PREFIX=./tests/cli/ vitest run
test:cockroachvitest run ./cockroach
test:mssqlvitest run ./mssql
test:othervitest run ./mysql/ ./sqlite/ ./other
test:postgresvitest run ./postgres/
test:singlestorevitest run ./singlestore
test:typespnpm tsc -p ./tsconfig.typetest.json

Dependencies5

@drizzle-team/brocli^0.12.0
@js-temporal/polyfill^0.5.1
esbuild^0.25.10
get-tsconfig^4.13.6
jiti^2.6.1