Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 3,819,435Ubiquitous · −70% score
- Versions published
- 280Mature · −50% score
- First published
- Oct 2014
- Publisher
- mbx-npm-04-production
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Looks clean — keep monitoringNo high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Large Javascript Payload: 19536522 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk low · score 0 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Large Javascript Payload | package/dist/mapbox-gl-dev.js | 19536522 bytes | 0 |
Manifest
Package metadata
Scripts56
build-allrun-p build-umd build-esm-dev build-esm-prod build-esm-prod-cdn build-cspbuild-csprollup -c rollup.config.csp.tsbuild-csspostcss -o dist/mapbox-gl.css src/css/mapbox-gl.cssbuild-devrollup -c --environment BUILD:devbuild-dtsdts-bundle-generator --no-banner --export-referenced-types=false --umd-module-name=mapboxgl --project ./tsconfig.browser.json -o ./dist/mapbox-gl.d.ts ./src/index.tsbuild-dts-esmdts-bundle-generator --no-banner --export-referenced-types=false --project ./tsconfig.browser.json -o ./dist/esm/mapbox-gl.d.ts ./src/index.esm.tsbuild-esm-devrollup -c rollup.config.esm.ts --environment BUILD:devbuild-esm-prodrollup -c rollup.config.esm.ts --environment BUILD:production,MINIFY:truebuild-esm-prod-cdnESM_TARGET=cdn rollup -c rollup.config.esm.ts --environment BUILD:production,MINIFY:truebuild-prodrollup -c --environment BUILD:production,MINIFY:truebuild-style-specnpm run build --workspace src/style-spec && mkdir -p dist/style-spec && cp src/style-spec/dist/* dist/style-specbuild-tokennode build/generate-access-token-script.jsbuild-umdrun-s build-dev build-prodbump-version./build/bump-version.tscodegentsx ./build/generate-style-code.ts && tsx ./build/generate-struct-arrays.ts && tsx ./build/generate-typed-style-spec.tslinteslint --cache .lint-cssstylelint 'src/css/mapbox-gl.css'prepare-release-pagesln -sfn $PWD/dist test/release/dist && ln -sfn $PWD/debug test/release/debug && cp debug/access_token_generated.js test/release/prepublishOnlyrun-s build-all build-css build-style-spec build-dts build-dts-esmpretest-rendernpm run build-devpretest-render-cspnpm run build-csppretest-render-prodnpm run build-prodprint-release-urlnode build/print-release-url.jspublish-alpha./build/publish-alpha.tspublish-cdn./build/publish-cdn.tspublish-release./build/publish.tssizesize-limitstartrun-p build-token watch-css watch-esm start-serverstart-allrun-p build-token watch-css watch-dev watch-esm start-serverstart-releaserun-s build-token build-all build-css print-release-url prepare-release-pages start-server- …and 26 more.