PkgRadar

Package evidence

[email protected]

Large Javascript Payload: 2921494 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
814
Versions published
627Mature · −50% score
First published
Jul 2019
Publisher
ontotext-user

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherontotext-user
Artifact bytes20,166,461
Previous version3.4.0-RC1
Published2026-06-01T15:18:29.262Z
SHA-25672abe8087379fdd000b2047815564b438ea159a1ea09beb27ef94cae5ddb0bd8

Why flagged

What the scanner saw

Large Javascript Payload: 2921494 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
lowRisk
0Score
3.4.0-RC2Version
Status history (1 event)
  1. newavailable · risk low · score 0 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowLarge Javascript Payloadpackage/dist/workbench/workbench/13.4a8db69270815b5c.js2921494 bytes0
lowLarge Javascript Payloadpackage/dist/55297.31c9e6d8afe143832003.bundle.js2928577 bytes0
lowLarge Javascript Payloadpackage/dist/legacyWorkbench.898639fc83801ce7ee64.js2039744 bytes0

Manifest

Package metadata

Scripts37
  • buildnpm run build-dev
  • build-devsh scripts/build.sh
  • build:apicd packages/api && npm run build
  • build:modulesconcurrently "npm run build:api" "npm run build:shared"
  • build:sharedcd packages/shared-components && npm run build
  • cleansh scripts/clean.sh
  • clean-installsh scripts/clean.sh && npm run install:local
  • copy-pluginssh scripts/copy-plugins.sh
  • cy:runsh scripts/cy.sh
  • dev:with-pluginsconcurrently "npm run start" "npm run watch:plugins"
  • hotdeploynode scripts/hotdeploy.js
  • install:cish scripts/install.sh && sh scripts/postinstall.sh
  • install:localsh scripts/install-local.sh && sh scripts/postinstall.sh
  • instrument:legacy-workbenchnpx nyc instrument --in-place --compact false --source-map --produce-source-map packages/legacy-workbench/src/js/angular
  • license-report-apinpx license-checker --production --json --customPath license-checker/license-checker-format.json --start packages/api --out packages/api/dist/license-checker.json
  • license-report-legacy-workbenchnpx license-checker --production --json --customPath license-checker/license-checker-format.json --start packages/legacy-workbench --out packages/legacy-workbench/dist/license-checker.json
  • license-report-root-confignpx license-checker --production --json --customPath license-checker/license-checker-format.json --start packages/root-config -out packages/root-config/dist/license-checker.json
  • license-report-shared-componentsnpx license-checker --production --json --customPath license-checker/license-checker-format.json --start packages/shared-components --out packages/shared-components/dist/license-checker.json
  • license-report-workbenchnpx license-checker --production --json --customPath license-checker/license-checker-format.json --start packages/workbench --out packages/workbench/dist/license-checker.json
  • lintsh scripts/lint.sh
  • lint-stagedlint-staged
  • postbuildwebpack --env BUILD_MODE=production --config=webpack.config.prod.js
  • postbuild-devwebpack --env BUILD_MODE=development --config=webpack.config.dev.js
  • prebuildnpm run license-report-api && npm run license-report-root-config && npm run license-report-legacy-workbench && npm run license-report-shared-components && npm run license-report-workbench
  • preparehusky
  • qanpm run clean-install && npm run start
  • sonarsh scripts/sonar.sh
  • startconcurrently "npm run watch:api" "npm run watch:shared" "npm run start-workbench-api" "npm run start-workbench" "npm run start-root"
  • start-rootnodemon --watch packages/root-config/src --watch packages/shared-components/src --ext js,ts,html,css --exec "webpack serve --port 9000 --host 0.0.0.0 --env BUILD_MODE=development --config webpack.config.dev.js"
  • start-workbenchcd packages/workbench && npm run start
  • …and 7 more.
Dependencies3
  • @single-spa/import-map-injector^2.0.2
  • graphdb-workbench-plugins^0.0.1-TR32
  • import-map-overrides^6.1.0