PkgRadar

Package evidence

[email protected]

Install-time lifecycle script: preinstall="node ./lib/configure.js"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
1
First published
Jun 2026
Publisher
longest_fauna_1w

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherlongest_fauna_1w
Artifact bytes17,977
Previous versionnone
Published2026-06-02T05:25:17.685Z
SHA-25627255d466c06fd9f351b86f2541b9ca90d0b7020aa4ae72047bfd0823e49a17f

Why flagged

What the scanner saw

Install-time lifecycle script: preinstall="node ./lib/configure.js"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
5Score
10.0.1Version
Status history (1 event)
  1. newavailable · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowInstall-time lifecycle scriptpackage.jsonpreinstall="node ./lib/configure.js"5

Manifest

Package metadata

Scripts1
  • preinstallnode ./lib/configure.js
Dependencies29
  • accepts^2.0.0
  • body-parser^2.2.1
  • content-disposition^1.0.0
  • content-type^1.0.5
  • cookie^0.7.1
  • cookie-signature^1.2.1
  • debug^4.4.0
  • depd^2.0.0
  • encodeurl^2.0.0
  • escape-html^1.0.3
  • etag^1.8.1
  • finalhandler^2.1.0
  • fresh^2.0.0
  • http-errors^2.0.0
  • merge-descriptors^2.0.0
  • mime-types^3.0.0
  • on-finished^2.4.1
  • once^1.4.0
  • parseurl^1.3.3
  • proxy-addr^2.0.7
  • qs^6.14.2
  • range-parser^1.2.1
  • router^2.2.0
  • send^1.1.0
  • serve-static^2.2.0
  • statuses^2.0.1
  • type-is^2.0.1
  • vary^1.1.2
  • vortnode^1.2.0