Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard. The `-f` flag makes curl exit non-zero on any HTTP error response, so the step fails closed: a rejected gate and a missing or invalid token both break the build.
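The gate request on this page hard-codes a single spec. In a real pipeline the specs come from the lockfile change under review, so the gate sees every package that was added or changed, not just the one a human noticed. The following Python is added here as an example and is not PkgRadar's own tooling: it diffs two package-lock.json documents (constructed inline) and emits a JSON body of the same shape. Only the field names `specs` and `fail_on` are taken from the page; the sample lockfiles and the function names are assumptions.

```python
"""Build the /gate/npm request body from a package-lock.json diff (added example)."""
import json
from typing import Dict, List, Tuple

# Constructed sample lockfiles (lockfileVersion 3 layout) so the script runs stand-alone.
OLD_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"axios": "^0.21.1"}},
        "node_modules/axios": {"version": "0.21.1"},
        "node_modules/express": {"version": "4.16.3"},
        "node_modules/express/node_modules/cookie": {"version": "0.4.0"},
    },
})
NEW_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"axios": "^0.21.1"}},
        "node_modules/axios": {"version": "0.21.4"},           # upgraded
        "node_modules/express": {"version": "4.16.3"},         # unchanged
        "node_modules/express/node_modules/cookie": {"version": "0.4.0"},
        "node_modules/@scope/newdep": {"version": "1.0.0"},    # added
    },
})


def installed_versions(lock_text: str) -> Dict[Tuple[str, str], str]:
    """Map (install path, package name) -> resolved version.

    Reads lockfileVersion 2/3 ("packages", keyed by install path) and falls back
    to the v1 "dependencies" tree. Keeping the install path means a nested copy
    of a package is tracked separately from the hoisted one.
    """
    lock = json.loads(lock_text)
    out: Dict[Tuple[str, str], str] = {}
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path or "node_modules/" not in path:
                continue  # root entry or workspace link, not an installed dep
            name = path.rsplit("node_modules/", 1)[1]
            if meta.get("version"):
                out[(path, name)] = meta["version"]
        return out

    def walk(deps, prefix):  # lockfileVersion 1 fallback
        for name, meta in (deps or {}).items():
            path = f"{prefix}node_modules/{name}"
            if meta.get("version"):
                out[(path, name)] = meta["version"]
            walk(meta.get("dependencies"), path + "/")

    walk(lock.get("dependencies"), "")
    return out


def changed_specs(old_text: str, new_text: str) -> List[str]:
    """Sorted 'name@version' specs for packages that are new or whose version changed.

    A downgrade counts as a change too: it is just as worth gating as an upgrade.
    """
    old = installed_versions(old_text)
    new = installed_versions(new_text)
    specs = {f"{name}@{ver}" for (path, name), ver in new.items()
             if old.get((path, name)) != ver}
    return sorted(specs)


def gate_body(old_text: str, new_text: str, fail_on: str = "review") -> str:
    """JSON body in the shape the page's curl command posts: {"specs": [...], "fail_on": ...}."""
    return json.dumps({"specs": changed_specs(old_text, new_text), "fail_on": fail_on},
                      separators=(",", ":"))


if __name__ == "__main__":
    # In CI, read OLD_LOCK from the base branch and NEW_LOCK from the PR head instead.
    print(gate_body(OLD_LOCK, NEW_LOCK))
```

Pipe the printed body into the curl command as its `-d @-` payload; an empty `specs` list means nothing in the lockfile changed and the gate has nothing to judge.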
curl:

```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Large Javascript Payload: 5117265 bytes, at package/.yarn/releases/yarn-1.22.22.cjs. By its path this is a vendored Yarn 1.22.22 release bundle shipped inside the published tarball; the path explains the size but not the contents, so compare the file's checksum against the official Yarn release before trusting it.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts, so these findings say nothing about the package's runtime behaviour.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/.yarn/releases/yarn-1.22.22.cjs | 5117265 bytes | 10 |
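To reproduce the static finding above offline, here is an added Python example (not PkgRadar's scanner) that walks an npm tarball without installing or executing anything and reports JavaScript files at or above a size threshold, with a SHA-256 per hit so a vendored bundle can be compared against its upstream release. The tarball is constructed in memory and labelled as such; the 1 MiB threshold, the severity/points mapping and the function names are assumptions, not PkgRadar's published rules.

```python
"""Offline 'Large Javascript Payload' check over an npm tarball (added example)."""
import hashlib
import io
import json
import tarfile
from typing import Dict, List

JS_SUFFIXES = (".js", ".cjs", ".mjs")
LARGE_JS_BYTES = 1_048_576  # assumed threshold (1 MiB); the page does not state PkgRadar's


def build_sample_tarball() -> bytes:
    """Constructed sample: a tiny package that vendors a Yarn release bundle.

    The bundle is padded to the exact size the page reports so the finding matches.
    """
    header = b"/* constructed stand-in for a vendored bundle */\n"
    big = header + b"0" * (5_117_265 - len(header))
    files = {
        "package/package.json": json.dumps({"name": "sample", "version": "1.0.0"}).encode(),
        "package/index.js": b"module.exports = 1;\n",
        "package/.yarn/releases/yarn-1.22.22.cjs": big,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_tarball(tgz: bytes, threshold: int = LARGE_JS_BYTES) -> List[Dict]:
    """Return static findings for JavaScript files at or above `threshold` bytes.

    Only on-disk artifacts are inspected: nothing is installed or executed,
    which is the same caveat the page states for its own findings.
    """
    findings: List[Dict] = []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(JS_SUFFIXES):
                continue
            if member.size < threshold:
                continue
            data = tar.extractfile(member).read()
            findings.append({
                "severity": "medium",            # assumed mapping, mirrors the page's table
                "kind": "Large Javascript Payload",
                "path": member.name,
                "bytes": member.size,
                "sha256": hashlib.sha256(data).hexdigest(),  # compare against the upstream release
                "points": 10,                    # assumed, mirrors the page's table
            })
    return sorted(findings, key=lambda f: -f["bytes"])


def score(findings: List[Dict]) -> int:
    """Sum of points across findings, the same aggregation the page's score column implies."""
    return sum(f["points"] for f in findings)


if __name__ == "__main__":
    hits = scan_tarball(build_sample_tarball())
    for hit in hits:
        print(f"{hit['severity']}  {hit['path']}  {hit['bytes']} bytes  sha256={hit['sha256'][:16]}...")
    print("score", score(hits))
```

For a real package, feed `scan_tarball` the bytes of the tarball from `npm pack` and lower the threshold if the package is supposed to be tiny; a hit under `.yarn/releases/` is a known bundle to verify, a hit at an unfamiliar path is the one to read.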
Manifest
Package metadata
Dependencies (32)
- axios ^0.21.1
- bluebird ^3.7.2
- body-parser ^1.18.3
- codemirror ^5.46.0
- consola ^2.11.1
- cookie ^0.4.1
- cookie-session ^2.0.0-beta.3
- cors ^2.8.4
- crypto-random-string ^3.0.1
- error-to-html ^0.1.0
- exe ^1.0.2
- express ^4.16.3
- express-mount-files ^0.1.0
- fs-extra ^8.1.0
- image-size ^0.8.3
- jimp ^0.9.3
- jsonwebtoken ^8.5.1
- md5 ^2.2.1
- mongodb ^3.6.4
- multer ^1.3.0
- multiparty ^4.2.1
- nodemailer ^6.4.2
- portal-vue ^2.1.7
- rename ^1.0.4
- sharp ^0.27.1
- slug ^1.1.0
- tiptap ^1.32.1
- tiptap-extensions ^1.35.1
- vue-click-outside ^1.0.7
- vue-color ^2.4.6
- …and 2 more.