Package evidence

[email protected]

Large Javascript Payload: 8617423 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 889
Versions published: 249Established · −30% score
First published: Oct 2025
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes3,563,673

Previous version0.54.0

Published2026-05-28T00:38:19.777Z

SHA-2564ad9dfb7aef857e49b11f58af0e08348ec859829273afb6e923d6f986529ca9b

Why flagged

What the scanner saw

Large Javascript Payload: 8617423 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

20d agoLast checked

reviewRisk

6Score

0.54.1Version

Status history (1 event)

new → available20d ago · risk review · score 6 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Large Javascript Payload	package/dist/index.js	8617423 bytes	10
medium	Large Javascript Payload	package/dist/chunks/loro_wasm_bg-DgxHrrrp.js	4476635 bytes	10

Manifest

Package metadata

Scripts19

bench:acp-historyvitest bench tests/acp-history.bench.ts
buildpnpm run clean && pnpm run typecheck && pnpm run build:bundle && pnpm run copy:wasm
build:bundlevite build
build:watchpnpm run build:bundle -- --watch
cleanrimraf dist
copy:wasmnode scripts/copy-loro-wasm.js
devnode dev.mjs
dev:prodLODY_AUTH_URL=https://nautical-curlew-181.convex.cloud LODY_SERVER_URL=https://api.lody.ai pnpm run dev
dev:stagingLODY_AUTH_URL=https://impressive-guineapig-165.convex.cloud LODY_AUTH_SITE_URL=https://impressive-guineapig-165.convex.site LODY_SERVER_URL=https://lody-server.zx-073.workers.dev SITE_URL=https://main.lody.pages.dev/ pnpm run dev
formatprettier --write src/**/*.ts
format:checkprettier --check src/**/*.ts
serve:devLODY_ENV=dev NODE_ENV=development pnpm run dev serve
serve:prodLODY_ENV=production NODE_ENV=production pnpm run dev serve
serve:stagingLODY_ENV=staging NODE_ENV=production pnpm run dev serve
testvitest run
test:coveragevitest run --coverage
test:e2eLODY_E2E=1 vitest run
test:watchvitest
typechecktsgo --noEmit

Optional dependencies2

acp-extension-claude0.37.0
acp-extension-codex0.15.0