PkgRadar

Package evidence

[email protected]

Large Javascript Payload: 2594879 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
11,032Mainstream · −50% score
Versions published
127Mature · −50% score
First published
Jan 2020
Publisher
wechat-miniprogram

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherwechat-miniprogram
Artifact bytes3,156,859
Previous version2.1.37
Published2026-05-22T14:19:30.553Z
SHA-2569fc5091644a09cf8e35f5071fca84f5bdfcbddd1644712c5eaec49d2e85ea7ed

Why flagged

What the scanner saw

Large Javascript Payload: 2594879 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
2.1.38Version
Status history (1 event)
  1. newavailable · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumLarge Javascript Payloadpackage/dist/common/code-analyse/index.js2594879 bytes10

Manifest

Package metadata

Scripts30
  • bbnpm run init && gulp inc-version && gulp tsc && gulp build && node ./task/afterbuild.js
  • bbwingulp inc-version && gulp tsc && gulp build && node ./task/afterbuild.js
  • betanpm run init && rm -rf dist && tsc && gulp copy && node ./task/afterbuild.js && npm run test
  • buildrm -rf dist && npm run eslint -- --fix && npm run bb
  • build-cirm -rf dist && rm -rf ci-src && npm run build && gulp pre-build-ci && rm -rf dist && gulp removeForCi && npm run ci-tsc && gulp build-ci && npm run genCiDist
  • build-json-schemanode ./src/schema/task/build.js && gulp copy-schema
  • buildandroidtoolkitcd src/ci/android-miniapp-toolkit && npm install && npm run build
  • ci-tscgulp ci-tsc
  • ci-tsc-devgulp ci-tsc-dev
  • copyNodeModulesgulp copy-miniprogram-builder-node-modules-to-dist-for-buildcloud
  • devrm -rf dist && gulp copy && gulp tsc-w
  • devCodeAnalysegulp copy-code-analyse
  • devcloudrm -rf dist && gulp copy && tsc -p './tsconfigForCloudBuild.json' -w
  • eslinteslint --ext .ts,.tsx,.js,.jsx ./src
  • genCiDistnode ./task/genCiDist.js
  • initgit submodule init && git submodule update
  • jestjest
  • mochamocha --reporter mochawesome --exit --timeout 5000 || true
  • mochalinuxmocha --reporter mochawesome --reporter-options reportFilename=result_linux --exit || true
  • mochamacmocha --reporter mochawesome --reporter-options reportFilename=result_mac --exit || true
  • mochawinmocha --reporter mochawesome --reporter-options reportFilename=result_win --exit || exit /b 0
  • prebuild-cinpm run buildandroidtoolkit
  • reportnyc --reporter=html npm run mocha && npm run jest
  • submodulegit submodule init && git submodule update
  • testnyc --reporter=text npm run mocha && npm run jest
  • text-webnode ./example/webCompile/test.js
  • tscrm -rf dist && gulp copy && gulp tsc
  • watchgulp watch
  • webnode ./example/webCompile/test.js
  • webdevnode --inspect-brk=9221 ./example/webCompile/test.js
Dependencies182
  • @babel/code-frame7.22.10
  • @babel/compat-data7.22.9
  • @babel/core7.21.4
  • @babel/eslint-parser7.22.10
  • @babel/generator7.21.4
  • @babel/helper-annotate-as-pure7.22.5
  • @babel/helper-builder-binary-assignment-operator-visitor7.22.10
  • @babel/helper-compilation-targets7.22.10
  • @babel/helper-create-class-features-plugin7.22.10
  • @babel/helper-create-regexp-features-plugin7.22.9
  • @babel/helper-define-polyfill-provider0.3.3
  • @babel/helper-environment-visitor7.22.5
  • @babel/helper-function-name7.22.5
  • @babel/helper-hoist-variables7.22.5
  • @babel/helper-member-expression-to-functions7.22.5
  • @babel/helper-module-imports7.21.4
  • @babel/helper-module-transforms7.22.9
  • @babel/helper-optimise-call-expression7.22.5
  • @babel/helper-plugin-utils7.24.6
  • @babel/helper-remap-async-to-generator7.22.9
  • @babel/helper-replace-supers7.22.9
  • @babel/helper-simple-access7.22.5
  • @babel/helper-skip-transparent-expression-wrappers7.24.6
  • @babel/helper-split-export-declaration7.22.6
  • @babel/helper-string-parser7.24.6
  • @babel/helper-validator-identifier7.24.6
  • @babel/helper-validator-option7.22.5
  • @babel/helper-wrap-function7.22.10
  • @babel/helpers7.21.0
  • @babel/highlight7.22.10
  • …and 152 more.