PkgRadar

Package evidence

[email protected]

Large Javascript Payload: 2136653 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
653
Versions published
401Mature · −50% score
First published
Feb 2024
Publisher
purecloud

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherpurecloud
Artifact bytes1,382,459
Previous version4.244.0
Published2026-05-28T02:41:06.592Z
SHA-25603edb87b2dfde5e95eadb756a2b2e93ff806b5e1c32dbda42d9c57bc0553d8a3

Why flagged

What the scanner saw

Large Javascript Payload: 2136653 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
10Score
4.245.0Version
Status history (1 event)
  1. newavailable · risk review · score 10 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumLarge Javascript Payloadpackage/dist/cjs/gux-visualization-beta.cjs.entry.js2136653 bytes10
mediumLarge Javascript Payloadpackage/dist/esm/gux-visualization-beta.entry.js2136686 bytes10

Manifest

Package metadata

Scripts28
  • buildnpm run clean && npm run i18n && npm run stencil && npm run build-wrapper
  • build-i18n./scripts/build-i18n.js
  • build-wrapper./scripts/wrap-stencil.js
  • check-a11ynode ./scripts/check-a11y.mjs
  • check-readmes./scripts/check-readmes.sh
  • cleanrm -r ./dist ./build || true
  • devnpm run stencil.dev
  • eslinteslint . --fix
  • i18nnpm run update-en-i18n && npm run build-i18n
  • lint-allnpm-run-all "stylelint" "eslint" "prettier-package-json"
  • lint-stagedlint-staged --concurrent false
  • list-checked-a11y-componentsnode scripts/list-checked-a11y-components.js
  • list-component-tracking./scripts/list-component-tracking.js
  • list-i18n-files./scripts/list-i18n-files.js
  • predevnpm run i18n
  • predev.publicnpm run predev
  • preparenpm run i18n
  • prettier-package-jsonprettier-package-json --write ./package.json
  • stencilstencil build --prod
  • stencil.devstencil build --dev --watch --serve --no-open
  • stylelintstylelint --fix "**/*.{css,html,scss}"
  • testnpm run test.spec
  • test.cinpm run test.spec
  • test.specLANG='C.UTF-8' LC_ALL='C.UTF-8' TZ=UTC jest
  • test.update-snapshotnpm run test -- -- --updateSnapshot
  • test.watchnpm run test -- -- --watch
  • update-en-i18n./scripts/update-en-i18n.js
  • version-syncnpm version --no-git-tag-version --allow-same-version
Dependencies3
  • vega6.2.0
  • vega-embed7.1.0
  • vega-lite6.4.3