Package evidence

[email protected]

Remote Payload: matched "raw.githubusercontent.com"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 3,605,231Ubiquitous · −70% score
Versions published: 1,981Mature · −50% score
First published: Mar 2012
Publisher: lusayaa

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisherlusayaa

Artifact bytes3,430,477

Previous version13.2.0

Published2026-05-07T20:35:01.941Z

SHA-2568c3ce939baa7e8703e89b860aff6bc0e43fed249f0f4e3135b52af6d4c1f2f8d

Why flagged

What the scanner saw

Remote Payload: matched "raw.githubusercontent.com"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

2d agoLast checked

reviewRisk

3Score

13.3.0Version

Status history (1 event)

new → available2d ago · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/third-party/chromium-synchronization/inspector-issueAdded-types-test.js	matched "raw.githubusercontent.com"	12

Manifest

Package metadata

Scripts86

build-allyarn build-report && yarn build-cdt-strings && yarn build-devtools && concurrently 'yarn build-extension' 'yarn build-lr' 'yarn build-viewer' 'yarn build-treemap' 'yarn build-smokehouse-bundle' 'yarn build-legacy-javascript' 'yarn build-devtools-mcp' && yarn build-pack
build-cdt-libnode ./build/build-cdt-lib.js
build-cdt-stringsnode ./build/build-cdt-strings.js
build-devtoolsyarn reset-link && node ./build/build-bundle.js clients/devtools/devtools-entry.js dist/lighthouse-dt-bundle.js && node ./build/build-dt-report-resources.js
build-devtools-mcpnode ./build/build-bundle-mcp.js clients/devtools-mcp/devtools-mcp-entry.js dist/lighthouse-devtools-mcp-bundle.js
build-extensionyarn build-extension-chrome && yarn build-extension-firefox
build-extension-chromenode ./build/build-extension.js chrome
build-extension-firefoxnode ./build/build-extension.js firefox
build-legacy-javascriptnode ./build/build-legacy-javascript.js
build-lryarn reset-link && node --max-old-space-size=4096 ./build/build-lightrider-bundles.js
build-packbash build/build-pack.sh
build-proto-roundtripmkdir -p .tmp && python3 proto/scripts/json_roundtrip_via_proto.py
build-reportnode build/build-report-components.js && node build/build-report.js
build-sample-reportsyarn build-report && node build/build-sample-reports.js
build-smokehouse-bundlenode ./build/build-smokehouse-bundle.js
build-treemapnode ./build/build-treemap.js
build-typesyarn type-check && rsync -a .tmp/tsbuildinfo/ ./ --include='*.d.ts' --include='*.d.cts' --exclude='*.map' --exclude='*.tsbuildinfo'
build-viewernode ./build/build-viewer.js
c8bash core/scripts/c8.sh
changelogconventional-changelog --config ./build/changelog-generator/index.cjs --infile changelog.md --same-file
chromenode core/scripts/manual-chrome-launcher.js
cleanrm -r dist proto/scripts/*.json proto/scripts/*_pb2.* proto/scripts/*_pb.* proto/scripts/__pycache__ proto/scripts/*.pyc *.report.html *.report.dom.html *.report.json *.devtoolslog.json *.trace.json shared/localization/locales/*.ctc.json || true
clean-typesgit clean -xfq '*.d.ts' '*.d.cts' -e 'node_modules/' -e 'dist/' -e '.tmp/' -e '**/types/'
cli-unityarn unit-cli
compile-protoprotoc --python_out=./ ./proto/lighthouse-result.proto && mv ./proto/*_pb2.py ./proto/scripts || (echo "❌ Install protobuf = 3.20.x to compile the proto file." && false)
computeBenchmarkIndex./core/scripts/benchmark.js
core-unityarn unit-core
coverageyarn unit:cicoverage && c8 report --reporter html
coverage:smokeyarn c8 yarn smoke -j=1 && c8 report --reporter html
debugnode --inspect-brk ./cli/index.js
…and 56 more.

Dependencies26

@paulirish/trace_engine0.0.64
@sentry/node^9.28.1
axe-core^4.11.4
chrome-launcher^1.2.1
configstore^7.0.0
csp_evaluator1.1.5
devtools-protocol0.0.1625959
enquirer^2.3.6
http-link-header^1.1.1
intl-messageformat^10.5.3
jpeg-js^0.4.4
js-library-detector^6.7.0
lighthouse-logger^2.0.2
lighthouse-stack-packs1.12.3
lodash-es^4.17.21
lookup-closest-locale6.2.0
open^8.4.0
puppeteer-core^24.43.0
robots-parser^3.0.1
speedline-core^1.4.3
third-party-web^0.29.0
tldts-icann^7.0.30
web-features^3.26.0
ws^7.0.0
yargs^17.3.1
yargs-parser^21.0.0