Package evidence

[email protected]

Remote Dependency Spec: dependencies.lottie-react-web="github:chrisvogt/lottie-react-web#codex/modernize-tooling-and-ci"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 290
Versions published: 74Established · −30% score
First published: Jul 2025
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes4,635,917

Previous version0.91.7

Published2026-05-15T05:44:50.724Z

SHA-2564bb5931e9d551947b1a11bb0c849a24e7672e4b1acd868e8005306aaf56ba299

Why flagged

What the scanner saw

Remote Dependency Spec: dependencies.lottie-react-web="github:chrisvogt/lottie-react-web#codex/modernize-tooling-and-ci"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

13d agoLast checked

reviewRisk

3Score

0.91.8Version

Status history (1 event)

new → available13d ago · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Dependency Spec	package.json	dependencies.lottie-react-web="github:chrisvogt/lottie-react-web#codex/modernize-tooling-and-ci"	12

Manifest

Package metadata

Scripts7

buildnode -e "process.exit(0)"
cleangatsby clean
developgatsby develop
testjest
test:codecovJEST_JUNIT_CLASSNAME="{filepath}" jest --reporters=jest-junit
test:coveragejest --coverage --colors
test:watchjest --watch

Dependencies60

@chronogrove/ui0.85.5
@emotion/cache^11.14.0
@emotion/react^11.14.0
@emotion/server^11.11.0
@emotion/styled^11.14.1
@fortawesome/fontawesome-svg-core^7.2.0
@fortawesome/free-brands-svg-icons^7.2.0
@fortawesome/free-regular-svg-icons^7.2.0
@fortawesome/free-solid-svg-icons^7.2.0
@fortawesome/react-fontawesome^3.3.1
@gatsbyjs/reach-router^2.0.1
@loadable/component^5.16.7
@mdx-js/loader^3.1.1
@mdx-js/mdx^3.1.1
@mdx-js/react^3.1.1
@tanstack/react-query^5.100.9
@theme-toggles/react^4.1.0
@theme-ui/color^0.17.4
@theme-ui/components^0.17.4
@theme-ui/css^0.17.4
@theme-ui/mdx^0.17.4
@theme-ui/presets^0.17.4
@theme-ui/prism^0.17.4
boxen^8.0.1
classnames^2.5.1
gatsby-plugin-emotion^8.16.0
gatsby-plugin-feed^5.16.0
gatsby-plugin-manifest^5.16.0
gatsby-plugin-mdx^5.16.0
gatsby-plugin-sharp^5.16.0
…and 30 more.