Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 545
- Versions published: 162 (Mature · −50% score)
- First published: Feb 2023
- Publisher: dongshuai
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Install-time lifecycle script: postinstall="patch-package"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 2 · status changed
Evidence
Static findings
6 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Install-time lifecycle script | package.json | postinstall="patch-package" | 5 |
| low | Large Javascript Payload | package/lib/115.js | 4237299 bytes | 0 |
| low | Large Javascript Payload | package/lib/118.js | 5105399 bytes | 0 |
| low | Large Javascript Payload | package/lib/4.js | 3528074 bytes | 0 |
| low | Obfuscation Density | package/lib/components/report.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/lib/report.js | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts (12)
| Script | Command |
|---|---|
| build | cross-env NODE_OPTIONS=--openssl-legacy-provider vue-cli-service build --mode=dev |
| build:component | cross-env NODE_OPTIONS=--openssl-legacy-provider webpack --config build/webpack.component.js && cross-env NODE_OPTIONS=--openssl-legacy-provider webpack --config build/webpack.common.js |
| build:frame | cross-env NODE_OPTIONS=--openssl-legacy-provider vue-cli-service build --target lib --inline-vue --name frame --dest lib src/main.js |
| build:lib | cross-env NODE_OPTIONS=--openssl-legacy-provider webpack |
| build:local | cross-env NODE_OPTIONS=--openssl-legacy-provider vue-cli-service build --mode=localize |
| build:ppe | cross-env NODE_OPTIONS=--openssl-legacy-provider vue-cli-service build --mode=ppe |
| build:prd | cross-env NODE_OPTIONS=--openssl-legacy-provider vue-cli-service build --mode=prd |
| build:pre | cross-env NODE_OPTIONS=--openssl-legacy-provider vue-cli-service build --mode=pre |
| lint | cross-env NODE_OPTIONS=--openssl-legacy-provider vue-cli-service lint |
| postinstall | patch-package |
| serve | cross-env NODE_OPTIONS=--openssl-legacy-provider vue-cli-service serve |
| serve:local | cross-env NODE_OPTIONS=--openssl-legacy-provider vue-cli-service serve --mode=localize |
Dependencies (42)
- @antv/x6 ^2.18.1
- @antv/x6-plugin-export ^2.1.6
- @babel/core ^7.19.6
- @babel/plugin-proposal-nullish-coalescing-operator ^7.18.6
- @babel/plugin-proposal-optional-chaining ^7.21.0
- @babel/standalone ^7.19.6
- @hufe921/canvas-editor ^0.9.100
- @hufe921/canvas-editor-plugin-docx ^0.0.5
- @hufe921/canvas-editor-plugin-floating-toolbar ^0.0.4
- @microsoft/fetch-event-source ^2.0.1
- async-validator ^3.4.0
- axios ^0.19.2
- bpmn-js ^6.5.1
- cache-loader ^4.1.0
- camunda-bpmn-moddle ^4.4.0
- codemirror 5.65.12
- crypto-js ^4.2.0
- default-passive-events ^2.0.0
- element-ui ^2.15.14
- epx-bpmn-js-properties-panel ^0.33.6
- highlight.js ^11.11.1
- html2canvas ^1.4.1
- js-cookie ^3.0.5
- jsencrypt ^3.1.0
- jshint ^2.13.6
- jslint ^0.12.1
- jspdf ^2.5.2
- markdown-it ^14.1.0
- moment ^2.29.1
- recorder-core ^1.2.23070100
- …and 12 more.