Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 481
- Versions published
- 534Mature · −50% score
- First published
- Apr 2014
- Publisher
- piascikj
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Remote Payload: matched "raw.githubusercontent.com"
1 remote tarball(s) were followed statically.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 36 · status changed
Evidence
Static findings
3 static · 1 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/lib/plugins/plugin-registry.js | matched "raw.githubusercontent.com" | 12 |
| high | Remote Dependency Spec | package.json | dependencies.monquery="https://github.com/imdone/node-monquery/archive/refs/tags/0.2.2.tar.gz" | 12 |
| high | Dependency Changed To Remote Vs Previous | package.json | dependencies.monquery changed to remote spec in 2.3.1 vs 2.3.0: "https://github.com/imdone/node-monquery/archive/refs/tags/0.2.2.tar.gz" | 12 |
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/lib/plugins/plugin-registry.js | matched "raw.githubusercontent.com" | 12 |
| high | Remote Dependency Spec | package.json | dependencies.monquery="https://github.com/imdone/node-monquery/archive/refs/tags/0.2.2.tar.gz" | 12 |
| high | Dependency Changed To Remote Vs Previous | package.json | dependencies.monquery changed to remote spec in 2.3.1 vs 2.3.0: "https://github.com/imdone/node-monquery/archive/refs/tags/0.2.2.tar.gz" | 12 |
| low | Obfuscation Density | package/lib/task.js | high encoded/escaped-token density | 0 |
Remote payloads
Followed remote artifacts
| Source | URL | Risk | Score | Summary |
|---|---|---|---|---|
| dependencies.monquery | https://github.com/imdone/node-monquery/archive/refs/tags/0.2.2.tar.gz | error | 0 | unexpected end of file |
Manifest
Package metadata
Scripts13
buildnpm run pre-commit && npm run coveragebuild:docsdoctoc --github --notitle README.mdbuild:docs:indexnode scripts/index-markdown.jsbuild:indexnode scripts/generate-index.jsbuild:typestsc --noEmit falsecoveragevitest --run --coveragelinknpm link ../imdone-apipre-commitnpm run build:docs && npm run build:docs:index && npm run build:index && npm run build:typespreparehuskyprepublishOnlynode scripts/prepublish-only.jsservenpx docsify-cli servetestnpm run coveragetest-civitest --run
Dependencies54
adm-zip^0.5.16async^3.2.6async-es^3.2.6chalk^5.4.1chokidar^4.0.3chrono-node~2.7.8commander^13.1.0debug>=4.3.4eol^0.9.1escape-string-regexp^1.0.5eta^3.5.0fast-sort^3.4.1find-up-simple^1.0.1gray-matter^4.0.2ignore^5.2.0imdone-api^2.0.4isbinaryfile^5.0.4js-yaml^3.14.1json-fns^1.0.0lodash.assign^4.2.0lodash.debounce^4.0.8lodash.groupby^4.6.0lodash.isempty^4.4.0lodash.isfunction^3.0.9lodash.isnumber^3.0.3lodash.isobject^3.0.2lodash.isstring^4.0.1lodash.isundefined^3.0.1lodash.noop^3.0.1lodash.reject^4.6.0- …and 24 more.