PkgRadar

Package evidence

[email protected]

no findings

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
2,120Niche · −30% score
Versions published
39
First published
Apr 2026
Publisher
bitkyc08

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherbitkyc08
Artifact bytes1,447,855
Previous version1.1.23
Published2026-06-02T02:00:51.562Z
SHA-25668da42bc3546104069f35d7cb92bf685cff9448fd32810bdda0336aebd79a38b

Why flagged

What the scanner saw

No high-signal static finding in the saved report.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
lowRisk
0Score
1.1.24-preview.20260602110035Version
Status history (1 event)
  1. newavailable · risk low · score 0 · status changed

Evidence

Static findings

No findings stored for this release.

Manifest

Package metadata

Scripts22
  • buildnpm run ui:build
  • build:clitsc -p tsconfig.bin.json && node scripts/fix-shebangs.mjs
  • build:servertsc -p tsconfig.build.json
  • devnode scripts/dev.mjs
  • dev:servertsx watch server.ts
  • lint:pkgnode -e "const p=require('./package.json'); const req=['name','version','bin']; for(const k of req){if(!p[k])throw new Error('missing '+k)} const mustInclude=['bin/**/*.js','lib/**/*.js','routes/**/*.js','skills/','integrations/comfyui/ima2_gen_bridge/__init__.py','integrations/comfyui/ima2_gen_bridge/nodes.py','integrations/comfyui/ima2_gen_bridge/README.md','assets/card-news/templates/','vendor/','server.js','LICENSE']; for(const f of mustInclude){if(!p.files.includes(f))throw new Error('files[] must include '+f)}"
  • prepacknpm run ui:build && npm run build:server && npm run build:cli
  • prepublishOnlynpm run typecheck && npm run typecheck:tests && npm run test:inventory && npm run ui:build && npm run build:server && npm run build:cli && npm run lint:pkg && npm run test:package-install
  • publish:dry-runnode scripts/publish-dry-run.mjs
  • release:majornpm version major && npm publish && git push origin main --tags
  • release:minornpm version minor && npm publish && git push origin main --tags
  • release:patchnpm version patch && npm publish && git push origin main --tags
  • setupnode bin/ima2.js setup
  • startnode bin/ima2.js serve
  • testnode scripts/run-tests.mjs
  • test:inventorynode scripts/classify-tests.mjs --check --fail-js-runtime
  • test:package-installnode --test tests/package-install-smoke.mjs
  • typechecktsc --noEmit -p tsconfig.json
  • typecheck:teststsc --noEmit -p tsconfig.tests.json
  • ui:buildcd ui && npm run build
  • ui:devcd ui && npm run dev
  • ui:installcd ui && npm install
Dependencies9
  • better-sqlite3^12.9.0
  • dotenv^17.4.2
  • express^5.1.0
  • openai^5.8.2
  • openai-oauth^1.0.2
  • progrokfile:vendor/progrok-0.2.0.tgz
  • sharp^0.34.5
  • trash^10.1.1
  • ulid^3.0.2