PkgRadar

Package evidence

[email protected]

Remote Payload: matched "github.com/FiloSottile/mkcert/releases/download"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these discounts; the panel just explains what was applied.

Versions published
20
First published
May 2026
Publisher
f3rnox

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: f3rnox
Artifact bytes: 4,225,300
Previous version: 0.1.22
Published: 2026-06-09T15:49:58.972Z
SHA-256: 931769c0fefaad5e3ed5323c11afa379e20f196cfd9104c91d6c6b8268249bae

Why flagged

What the scanner saw

Remote Payload: matched "github.com/FiloSottile/mkcert/releases/download"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 12
Version: 0.1.24
Status history (1 event)
  1. new available · risk review · score 12 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity: medium
Kind: Remote Payload
Path: package/.next/standalone/node_modules/.pnpm/[email protected]_@[email protected]_754d8bd234a6ccb3d51b56086707f007/node_modules/next/dist/lib/mkcert.js
Detail: matched "github.com/FiloSottile/mkcert/releases/download"
Points: 12

Manifest

Package metadata

Scripts: 24
  • build → next build && node scripts/prepare-standalone-build.js
  • build:docs → typedoc --out ./docs ./src && cp LICENSE.md docs/LICENSE.md && cp CHANGELOG.md docs/CHANGELOG.md
  • build:ts → NODE_PATH=./src tsc -p tsconfig.json
  • dev → next dev
  • format → pnpm format:prettier
  • format:check → pnpm format:prettier:check
  • format:prettier → prettier --write .
  • format:prettier:check → prettier --check .
  • lint → pnpm lint:markdownlint && pnpm lint:eslint
  • lint:eslint → eslint package.json src/**/*
  • lint:eslint:fix → eslint package.json src/**/*
  • lint:fix → pnpm lint:markdownlint:fix && pnpm lint:eslint:fix
  • lint:markdownlint → markdownlint README.md
  • lint:markdownlint:fix → markdownlint --fix README.md
  • prepare → husky
  • prepare-release → pnpm build && git add docs
  • prepublishOnly → pnpm build
  • release → pnpm prepare-release && pnpm update-version && git push --follow-tags origin main
  • serve:coverage → http-server ./coverage
  • serve:docs → http-server ./docs
  • start → next start
  • test → NODE_PATH=./src NODE_ENV=test vitest run
  • update-deps → updates -u -g -c
  • update-version → standard-version -a
Dependencies: 6
  • browser-id3-writer ^6.3.1
  • music-metadata ^11.13.0
  • next 16.2.7
  • react 19.2.7
  • react-dom 19.2.7
  • yt-dlp-wrap ^2.3.12