PkgRadar

Package evidence

[email protected]

Large Javascript Payload: 2921491 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 1,120 · Niche · −30% score
Versions published: 630 · Mature · −50% score
First published: Jul 2019
Publisher: ontotext-user

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: ontotext-user
Artifact bytes: 22,055,837
Previous version: 3.5.0-reactodia-poc
Published: 2026-06-11T08:45:04.708Z
SHA-256: 97d973c3489dc0397c66c1a9299b4ac201cbc6b8d6ed91d7d29c8dad4df32240

Why flagged

What the scanner saw

Large Javascript Payload: 2921491 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
Risk: low
Score: 0
Version: 3.5.0-reactodia-poc-TR2
Status history (1 event)
  1. new · available · risk low · score 0 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 3 findings (low-signal and informational):

Severity | Kind | Path | Detail | Points
low | Large Javascript Payload | package/dist/workbench/workbench/110.5c3fc73cec57037d.js | 2921491 bytes | 0
low | Large Javascript Payload | package/dist/55297.31c9e6d8afe143832003.bundle.js | 2928577 bytes | 0
low | Large Javascript Payload | package/dist/legacyWorkbench.aefe0788c7231f8746ab.js | 2039800 bytes | 0

Manifest

Package metadata

Scripts: 36
  • build → npm run build-dev
  • build-dev → sh scripts/build.sh
  • build:api → cd packages/api && npm run build
  • build:modules → concurrently "npm run build:api" "npm run build:shared"
  • build:shared → cd packages/shared-components && npm run build
  • clean → sh scripts/clean.sh
  • clean-install → sh scripts/clean.sh && npm run install:local
  • copy-plugins → sh scripts/copy-plugins.sh
  • dev:with-plugins → concurrently "npm run start" "npm run watch:plugins"
  • hotdeploy → node scripts/hotdeploy.js
  • install:ci → sh scripts/install.sh && sh scripts/postinstall.sh
  • install:local → sh scripts/install-local.sh && sh scripts/postinstall.sh
  • instrument:legacy-workbench → npx nyc instrument --in-place --compact false --source-map --produce-source-map packages/legacy-workbench/src/js/angular
  • license-report-api → npx license-checker --production --json --customPath license-checker/license-checker-format.json --start packages/api --out packages/api/dist/license-checker.json
  • license-report-legacy-workbench → npx license-checker --production --json --customPath license-checker/license-checker-format.json --start packages/legacy-workbench --out packages/legacy-workbench/dist/license-checker.json
  • license-report-root-config → npx license-checker --production --json --customPath license-checker/license-checker-format.json --start packages/root-config -out packages/root-config/dist/license-checker.json
  • license-report-shared-components → npx license-checker --production --json --customPath license-checker/license-checker-format.json --start packages/shared-components --out packages/shared-components/dist/license-checker.json
  • license-report-workbench → npx license-checker --production --json --customPath license-checker/license-checker-format.json --start packages/workbench --out packages/workbench/dist/license-checker.json
  • lint → sh scripts/lint.sh
  • lint-staged → lint-staged
  • postbuild → webpack --env BUILD_MODE=production --config=webpack.config.prod.js
  • postbuild-dev → webpack --env BUILD_MODE=development --config=webpack.config.dev.js
  • prebuild → npm run license-report-api && npm run license-report-root-config && npm run license-report-legacy-workbench && npm run license-report-shared-components && npm run license-report-workbench
  • prepare → husky
  • qa → npm run clean-install && npm run start
  • sonar → sh scripts/sonar.sh
  • start → concurrently "npm run watch:api" "npm run watch:shared" "npm run start-workbench-api" "npm run start-workbench" "npm run start-root"
  • start-root → nodemon --watch packages/root-config/src --watch packages/shared-components/src --ext js,ts,html,css --exec "webpack serve --port 9000 --host 0.0.0.0 --env BUILD_MODE=development --config webpack.config.dev.js"
  • start-workbench → cd packages/workbench && npm run start
  • start-workbench-api → cd packages/api && npm run start
  • …and 6 more.

Dependencies: 3
  • @single-spa/import-map-injector ^2.0.2
  • graphdb-workbench-plugins ^0.0.1-TR32
  • import-map-overrides ^6.1.0