Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 2,331Niche · −30% score
- Versions published
- 335Mature · −50% score
- First published
- Jan 2015
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Known Indicator Filename: package/admin/plugins/bundle.js
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 25 · status changed
Evidence
Static findings
5 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Known Indicator Filename | package/admin/plugins/bundle.js | package/admin/plugins/bundle.js | 45 |
| medium | Large Javascript Payload | package/admin/plugins/bundle.js | 2833590 bytes | 10 |
| medium | Large Javascript Payload | package/admin/vs/editor/editor.main.js | 2917518 bytes | 10 |
| medium | Large Javascript Payload | package/admin/custom/assets/index-C0RmLaAj.js | 3868930 bytes | 10 |
| medium | Large Javascript Payload | package/admin/vs/language/typescript/tsWorker.js | 4727185 bytes | 10 |
Manifest
Package metadata
Scripts29
//postinstallnode ./install/installTypings.js0-cleannode tasks.js --0-clean1-npmnode tasks.js --1-npm2-buildnode tasks.js --2-build3-copynode tasks.js --3-copy4-patchnode tasks.js --4-patchadmin-0-cleannode tasks.js --admin-0-cleanadmin-1-npmnode tasks.js --admin-1-npmadmin-2-compilenode tasks.js --admin-2-compileadmin-3-copynode tasks.js --admin-3-copyadmin-buildnode tasks.js --admin-buildblocklyJson2wordsnode tasks.js --blocklyJson2wordsblocklyWords2jsonnode tasks.js --blocklyWords2jsonbuildnpm run build-backend && node tasksbuild-backendtsc -p tsconfig.build.json && node tasks --copy-typesbuild-editornode tasks.js --buildlinteslint -c eslint.config.mjslint-alleslint -c eslint.config.mjs && cd src-editor && eslint -c eslint.config.mjs && cd ../src-admin && eslint -c eslint.config.mjsmonaco-typescriptnode tasks.js --monaco-typescriptmonaco-updatenode tasks.js --monaco-updatenpmnpm i && cd src-editor && npm i -f && cd ../src-admin && npm ireleaserelease-script --noPush -y --alltestnpm run test:declarations && npm run test:integrationtest:declarationstsc -p test/lib/TS/tsconfig.json && tsc -p test/lib/JS/tsconfig.jsontest:integrationmocha --exittest:packagemocha test/testPackageFiles.js --exittest:schedulermocha test/testScheduler.js --exittranslatetranslate-adapterupdate-packagesnpx -y npm-check-updates --upgrade && cd src-editor && npx -y npm-check-updates --upgrade && cd ../src-admin && npx -y npm-check-updates --upgrade
Dependencies16
@iobroker/adapter-core^3.3.2@iobroker/types^7.1.1@types/node^25.6.0axios^1.15.0jsonata^2.1.0jszip^3.10.1node-inspect^2.0.0node-schedule2.1.1nodemailer^8.0.5prettier^3.8.2promisify-child-process^5.0.1semver^7.7.4suncalc2^1.8.1typescript5.9.3virtual-tsc^0.6.2wake_on_lan^1.0.0