Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published: 150 (Mature · −50% score)
- First published: Apr 2025
- Publisher: piascikj
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Large Javascript Payload: 4349908 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 20 · status changed
Evidence
Static findings
6 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/index.cjs | 4349908 bytes | 10 |
| medium | Large Javascript Payload | package/dist/index.min.cjs | 2245668 bytes | 10 |
| low | Credential file access | package/dist/postinstall.cjs | matched "GITHUB_TOKEN" | 5 |
| low | Credential file access | package/dist/postinstall.min.cjs | matched "GITHUB_TOKEN" | 5 |
| low | Credential file access | package/dist/preinstall.cjs | matched "GITHUB_TOKEN" | 5 |
| low | Credential file access | package/dist/preinstall.min.cjs | matched "GITHUB_TOKEN" | 5 |
Manifest
Package metadata
Scripts (16)
| Script | Command |
|---|---|
| build | `./build.sh` |
| build-bundle | `npm run clean && node esbuild.config.js && cp -R public/ dist/ && cp README.md dist/ && cp CHANGELOG.md dist/ && cp src/adapters/jwt-public.pem dist/` |
| build:no-backlog | `SKIP_TESTS=1 SKIP_BACKLOG_COPY=1 ./build.sh` |
| build:no-test | `SKIP_TESTS=1 ./build.sh` |
| clean | `rm -rf dist/` |
| coverage | `vitest --run --coverage` |
| install:global | `npm run build:no-test && npm install -g .` |
| link | `npm link ../../imdone-core ../../imdone-api` |
| pack:share | `npm run build:no-test && npm pack && node scripts/show-install-command.mjs` |
| pack:share:no-backlog | `npm run build:no-backlog && npm pack && node scripts/show-install-command.mjs` |
| prepublishOnly | `npm --prefix ../ install && npm i && npm run build` |
| test | `vitest --run` |
| test-ci | `vitest --run` |
| version:major | `npm version major --no-git-tag-version && git -C .. add cli-package/package.json cli-package/package-lock.json && git -C .. commit -m "Update version"` |
| version:minor | `npm version minor --no-git-tag-version && git -C .. add cli-package/package.json cli-package/package-lock.json && git -C .. commit -m "Update version"` |
| version:patch | `npm version patch --no-git-tag-version && git -C .. add cli-package/package.json cli-package/package-lock.json && git -C .. commit -m "Update version"` |
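Dependencies (15)
| Package | Version |
|---|---|
| @inquirer/prompts | ^7.10.1 |
| chalk | ^5.4.1 |
| commander | ^13.1.0 |
| dotenv | 16.4.5 |
| execa | ^9.5.3 |
| find-up-simple | ^1.0.1 |
| imdone-core | ^2.1.11 |
| js-yaml | ^4.1.0 |
| jsonwebtoken | ^9.0.2 |
| markdownlint | ^0.38.0 |
| open | ^9.1.0 |
| ora | ^8.2.0 |
| semver | ^7.7.2 |
| simple-git | ^3.27.0 |
| yaml | ^2.8.1 |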