Package evidence

[email protected]

Large Javascript Payload: 3114592 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 41
Versions published: 22Established · −30% score
First published: Sep 2025
Publisher: novita_ai

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publishernovita_ai

Artifact bytes3,071,415

Previous version2.0.0

Published2026-06-09T14:10:43.725Z

SHA-2561b91daea32406745462b6baa003a2fc088815512391ca06b112230ffc6c0af65

Why flagged

What the scanner saw

Large Javascript Payload: 3114592 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low

4d agoLast checked

lowRisk

0Score

2.0.1Version

Status history (1 event)

new → available4d ago · risk low · score 0 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Large Javascript Payload	package/dist/index.js	3114592 bytes	0

Manifest

Package metadata

Scripts12

buildtsc --noEmit --skipLibCheck && tsup --minify
check-depsknip
devtsup --watch
formatprettier --write src
generate-ref./scripts/generate_sdk_ref.sh
linteslint src
testvitest run
test:coveragevitest run --coverage
test:interactivepnpm build && ./dist/index.js
test:watchvitest watch
typechecktsc --noEmit --skipLibCheck
update-depsncu -u && pnpm i

Dependencies25

@iarna/toml^2.2.5
@inquirer/prompts^7.9.0
@npmcli/package-json^5.2.1
@types/fs-extra^11.0.4
async-listen^3.0.1
boxen^7.1.1
chalk^5.3.0
cli-highlight^2.1.11
command-exists^1.2.9
commander^11.1.0
console-table-printer^2.11.2
dockerfile-ast^0.6.1
fs-extra^11.3.2
handlebars^4.7.9
inquirer^12.10.0
novita-sandbox2.0.1
open^9.1.0
simple-update-notifier^2.0.0
statuses^2.0.1
strip-ansi^7.1.0
update-notifier^6.0.2
winston^3.17.0
winston-transport^4.9.0
yaml^2.8.1
yup^1.3.2