Package evidence
[email protected]
Install-time lifecycle script: postinstall="node scripts/patch-license-webpack-plugin.js"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 4,246Niche · −30% score
- Versions published
- 42
- First published
- May 2026
- Publisher
- stellarshenson
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Install-time lifecycle script: postinstall="node scripts/patch-license-webpack-plugin.js"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 3 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Install-time lifecycle script | package.json | postinstall="node scripts/patch-license-webpack-plugin.js" | 5 |
Manifest
Package metadata
Scripts26
buildjlpm build:lib && jlpm build:labextension:devbuild:labextensionjupyter labextension build .build:labextension:devjupyter labextension build --development True .build:libtsc --sourceMapbuild:lib:prodtscbuild:prodjlpm clean && jlpm build:lib:prod && jlpm build:labextensioncleanjlpm clean:libclean:alljlpm clean:lib && jlpm clean:labextension && jlpm clean:lintcacheclean:labextensionrimraf jupyterlab_share_files_extension/labextension jupyterlab_share_files_extension/_version.pyclean:librimraf lib tsconfig.tsbuildinfoclean:lintcacherimraf .eslintcache .stylelintcacheeslintjlpm eslint:check --fixeslint:checkeslint . --cache --ext .ts,.tsxinstall:extensionjlpm buildlintjlpm stylelint && jlpm prettier && jlpm eslintlint:checkjlpm stylelint:check && jlpm prettier:check && jlpm eslint:checkpostinstallnode scripts/patch-license-webpack-plugin.jsprettierjlpm prettier:base --write --list-differentprettier:baseprettier "**/*{.ts,.tsx,.js,.jsx,.css,.json,.md}"prettier:checkjlpm prettier:base --checkstylelintjlpm stylelint:check --fixstylelint:checkstylelint --cache "style/**/*.css"testjest --coveragewatchrun-p watch:src watch:labextensionwatch:labextensionjupyter labextension watch .watch:srctsc -w --sourceMap
Dependencies12
@jupyterlab/application^4.0.0@jupyterlab/apputils^4.0.0@jupyterlab/coreutils^6.0.0@jupyterlab/docmanager^4.0.0@jupyterlab/filebrowser^4.0.0@jupyterlab/services^7.0.0@jupyterlab/ui-components^4.0.0@lumino/commands^2.0.0@lumino/coreutils^2.0.0@lumino/dragdrop^2.0.0@lumino/widgets^2.0.0qrcode-generator^2.0.4