PkgRadar

Package evidence

[email protected]

Large Javascript Payload: 2560610 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
309
Versions published
9
First published
Apr 2026
Publisher
matthew-dean

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishermatthew-dean
Artifact bytes2,131,078
Previous version0.8.0
Published2026-05-31T19:49:00.990Z
SHA-2562e4c1d97296298888926eaeb2cd4cdaa9a400a6a6a71156d172cae44366a872f

Why flagged

What the scanner saw

Large Javascript Payload: 2560610 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
lowRisk
0Score
0.9.0Version
Status history (1 event)
  1. newavailable · risk low · score 0 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowLarge Javascript Payloadpackage/dist/web/app.js2560610 bytes0
lowLarge Javascript Payloadpackage/dist/cli.js2689436 bytes0

Manifest

Package metadata

Scripts37
  • benchmarks:compare:hermespnpm build && node dist/cli.js benchmarks compare hermes --hermes-root .guildhall/dev-tools/hermes-agent
  • benchmarks:compare:hermes-app-explicitpnpm build && node scripts/compare-hermes-quality.mjs --mode app-explicit
  • benchmarks:compare:hermes-app-inferpnpm build && node scripts/compare-hermes-quality.mjs --mode app-infer
  • benchmarks:compare:hermes-qualitypnpm build && node scripts/compare-hermes-quality.mjs
  • benchmarks:smokepnpm build && node dist/cli.js benchmarks run lifecycle --fixture-set smoke --automation fully-automated && node dist/cli.js benchmarks run tblite --subset smoke --automation fully-automated && node dist/cli.js benchmarks run swe-local --subset smoke --automation fully-automated
  • buildpnpm build:ui && node ./build.mjs
  • build:macos-packagenode ./scripts/build-macos-package.mjs
  • build:uipnpm --filter @guildhall/ui build
  • cleanrm -rf dist
  • devnode ./build.mjs --watch
  • dev:hermes:installnode ./scripts/install-hermes-dev.mjs
  • dev:installnode ./scripts/dev-install.mjs
  • dev:uninstallnode ./scripts/dev-uninstall.mjs
  • docs:buildnpm run docs:check-copy && npm run docs:extract-help && vitepress build docs
  • docs:check-copynode scripts/check-public-copy-voice.mjs
  • docs:check-help-syncnode scripts/check-help-sync.mjs
  • docs:devnpm run docs:extract-help && vitepress dev docs
  • docs:extract-helppnpm docs:prepare-versions && node scripts/extract-help-topics.mjs
  • docs:prepare-versionsnode scripts/prepare-versioned-docs.mjs
  • docs:previewvitepress preview docs
  • lint:depsdepcruise src
  • memory:migratenode scripts/migrations/0.8.0-project-state.mjs
  • model:bakeoffnode scripts/model-bakeoff.mjs
  • releasenode scripts/publish.mjs
  • release:drynode scripts/publish.mjs 0.9.0 --dry-run --allow-branch
  • runtime:image:buildpodman build -f runtime/Containerfile -t ghcr.io/matthew-dean/guildhall-runtime-debian:0.9.0-trixie-node22-python313-playwright -t ghcr.io/matthew-dean/guildhall-runtime-debian:0.9-trixie-node22-python313-playwright .
  • runtime:image:smokenode scripts/runtime-image-smoke.mjs
  • service:installnode ./scripts/install-launch-agent.mjs
  • service:uninstallnode ./scripts/uninstall-launch-agent.mjs
  • smoke:releasenode scripts/release-smoke.mjs
  • …and 7 more.
Dependencies9
  • @hono/node-server^1.14.1
  • @inquirer/prompts^7.4.0
  • @modelcontextprotocol/sdk^1.19.0
  • hono^4.7.7
  • js-yaml^4.1.0
  • lucide-svelte~1.0.1
  • marked~18.0.2
  • yaml^2.6.1
  • zod^3.24.1