PkgRadar

Package evidence

[email protected]

Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 14 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 2,195 (Niche · −30% score)
Versions published: 85 (Mature · −50% score)
First published: Mar 2024
Publisher: ndonfris

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: ndonfris
Artifact bytes: 723,217
Previous version: 1.1.3
Published: 2026-06-03T05:25:37.096Z
SHA-256: 99d58561d851eb6c10a759829182c473d1e1df8f99598dde3b6e1c7007d6017b

Why flagged

What the scanner saw

Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 14 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 7
Version: 1.1.4-next.0
Status history (1 event)
  1. new · available · risk review · score 7 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
| --- | --- | --- | --- | --- |
| medium | Manifest Codeless Dependency Stub | package.json | package ships no JS/TS source but declares 14 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape | 15 |

Manifest

Package metadata

Scripts (56)
  • all-contributors: npx -s -y all-contributors-cli -c .all-contributorsrc
  • build: run-s -sn build:all sh:relink sh:build-completions
  • build:all: tsx scripts/esbuild/index.ts --all
  • build:npm: tsx scripts/esbuild/index.ts --npm
  • build:npm:nosourcemaps: tsx scripts/esbuild/index.ts --npm --sourcemaps=none
  • build:types: tsx scripts/esbuild/index.ts --types
  • build:watch: run-s watch
  • chore:upgrade: run-s -s chore:upgrade:deps chore:upgrade:docs
  • chore:upgrade:deps: fish ./scripts/upgrade-dependencies
  • chore:upgrade:docs: run-s lint:fix build:npm update-changelog generate:man update-codeblocks-in-docs "show:version --is-not-published"
  • clean: rimraf out dist lib man bin node_modules *.tgz .tsbuildinfo coverage .bun
  • clean:all: rimraf out lib dist bin .tsbuildinfo node_modules tree-sitter-fish.wasm logs.txt coverage .bun
  • clean:build: rimraf out lib dist bin .tsbuildinfo
  • clean:dev-completions: fish ./scripts/dev-complete.fish --uninstall
  • clean:packs: rimraf *.tgz .tsbuildinfo
  • create:man:dir: mkdir -p ./man
  • dev: tsx scripts/esbuild/index.ts
  • generate:commands: tsx ./scripts/fish-commands-scrapper.ts --write-to-snippets || true
  • generate:commands:check: tsx ./scripts/fish-commands-scrapper.ts
  • generate:man: run-s create:man:dir generate:man:actual
  • generate:man:actual: yarn run --silent generate:man:cat > ./man/fish-lsp.1
  • generate:man:cat: npx marked-man --date "$(date)" --manual fish-lsp --section 1 -i ./docs/MAN_FILE.md -o ./man/fish-lsp.1 2>/dev/null
  • generate:man:cp: cp ./man/fish-lsp.1 ~/.local/share/man/man1/fish-lsp.1
  • generate:man:diff: yarn run --silent generate:man:cat | diff --color=always --unified ./man/fish-lsp.1 - && echo 'NO CHANGES TO man/fish-lsp.1' || echo 'CHANGES IN man/fish-lsp.1'
  • generate:man:write-global: run-s generate:man generate:man:cp
  • generate:snippets: tsx ./scripts/fish-commands-scrapper.ts
  • lint:check: eslint .
  • lint:check-fix: eslint . --fix-dry-run
  • lint:fix: eslint . --fix
  • package: yarn pack --filename fish-lsp.tgz
  • …and 26 more.
Dependencies (14)
  • @esdmr/tree-sitter-fish ^3.7.0
  • chalk ^5.6.2
  • commander ^12.1.0
  • fast-glob ^3.3.3
  • fs-extra ^11.3.5
  • husky ^9.1.7
  • memfs 4.38.1
  • source-map-support ^0.5.21
  • vscode-languageserver ^9.0.1
  • vscode-languageserver-protocol ^3.17.5
  • vscode-languageserver-textdocument ^1.0.13
  • vscode-uri ^3.1.0
  • web-tree-sitter ^0.23.0
  • zod ^3.25.76