Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 3,815Niche · −30% score
- Versions published
- 158Mature · −50% score
- First published
- Dec 2024
- Publisher
- tencent-player
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Looks clean — keep monitoringNo high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Large Javascript Payload: 8849678 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk low · score 0 · status changed
Evidence
Static findings
3 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 3 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Large Javascript Payload | package/edgeone-dist/cli.js | 8849678 bytes | 0 |
| low | Large Javascript Payload | package/edgeone-dist/pages/dev/runner-worker.js | 5713031 bytes | 0 |
| low | Large Javascript Payload | package/edgeone-dist/studio/ui/assets/tea-Slf_ajmf.js | 4904963 bytes | 0 |
Manifest
Package metadata
Scripts17
buildnpm run clean && npm run build:pages-ai && npm run build:kv-client && npm run prepare:blob-wheel && npm run prepare:agent-toolkit-wheel && npm run bundlebuild:kv-clientnode ./scripts/build-kv-client.jsbuild:pages-ainode ./scripts/build-pages-ai.jsbundlenode -r esbuild-register ./scripts/bundle.tscleanrimraf ./edgeone-dist ./edgeone-bin ./libs-node-ai ./libs-kv-clientformatprettier --write "src/**/*.{ts,tsx,js,jsx,json,md}" "scripts/**/*.{ts,js}" "*.{json,md}"prepacknpm run build && npm run verify:publish-assetsprepare:agent-toolkit-wheelnode ./scripts/prepare-pages-agent-toolkit-wheel.jsprepare:blob-wheelnode ./scripts/prepare-pages-blob-wheel.jsprepublishOnlynpm run build && npm run verify:publish-assetstestvitest runtest:coveragevitest run --coveragetest:observabilityvitest run --config src/agent/observability/node/tests/vitest.config.ts && cd src/agent/observability/python && uv run pytest tests/ -qtest:watchvitestupload:agent-version-manifestnode ./scripts/upload-agent-version-manifest.jsverify:publish-assetsnode ./scripts/verify-publish-assets.jswatchnode -r esbuild-register ./scripts/bundle.ts watch
Dependencies33
@edgeone/framework-detect^0.0.2@edgeone/is-spa^0.0.3@edgeone/nuxt-pages1.1.0@edgeone/opennextjs-pages0.2.4@edgeone/pages-agent-toolkit^0.1.34@edgeone/pages-blob0.0.12archiver^7.0.1chokidar^4.0.1common-path-prefix^1.0.0cos-nodejs-sdk-v5^2.14.7cross-spawn^7.0.6crypto^1.0.1detect-port^2.1.0esbuild^0.19.2esbuild-plugin-polyfill-node^0.3.0esbuild-plugin-vue^0.2.4fast-glob^3.3.0fs-extra^11.3.1giget^2.0.0ink-table^3.1.0inquirer^8.2.4install^0.13.0lodash^4.17.21mime-types^3.0.1minimatch^9.0.5node-persist^4.0.3npm^10.9.1open^8.4.2p-map^5.5.0parse-gitignore^2.0.0- …and 3 more.