Package evidence
[email protected]
Remote Dependency Spec: dependencies.@geckojs/blurt-rpc-nodes-checker-2="git+https://gitlab.com/geckojs/blurt-rpc-nodes-checker-2.git"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 114Mature · −50% score
- First published
- Jun 2024
- Publisher
- agorise.ltd
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Dependency Spec: dependencies.@geckojs/blurt-rpc-nodes-checker-2="git+https://gitlab.com/geckojs/blurt-rpc-nodes-checker-2.git"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (3 events)
- available → available · risk review · score 24 · status available -> available, risk high -> review, score 47 -> 24
- available → available · risk high · score 47 · status available -> available, risk high -> high, score 57 -> 47
- new → available · risk high · score 57 · status changed
Evidence
Static findings
2 static · 1 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Dependency Spec | package.json | dependencies.@geckojs/blurt-rpc-nodes-checker-2="git+https://gitlab.com/geckojs/blurt-rpc-nodes-checker-2.git" | 12 |
| medium | New Remote Dependency Vs Previous | package.json | dependencies.@geckojs/blurt-rpc-nodes-checker-2 added in 9.23.0 vs 9.22.8: "git+https://gitlab.com/geckojs/blurt-rpc-nodes-checker-2.git" | 12 |
Show all 3 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Dependency Spec | package.json | dependencies.@geckojs/blurt-rpc-nodes-checker-2="git+https://gitlab.com/geckojs/blurt-rpc-nodes-checker-2.git" | 12 |
| medium | New Remote Dependency Vs Previous | package.json | dependencies.@geckojs/blurt-rpc-nodes-checker-2 added in 9.23.0 vs 9.22.8: "git+https://gitlab.com/geckojs/blurt-rpc-nodes-checker-2.git" | 12 |
| low | Large Javascript Payload | package/dist/common-client-plugin.js | 2070817 bytes | 0 |
Manifest
Package metadata
Scripts1
buildwebpack --mode=production
Dependencies46
@blurtfoundation/blurtjs^1.0.0@geckojs/blurt-rpc-nodes-checker-2git+https://gitlab.com/geckojs/blurt-rpc-nodes-checker-2.git@hiveio/hive-js^2.0.4@iconfu/svg-inject^1.2.3@tensorflow/tfjs-node^4.22.0animate-css-grid^1.4.3assert^2.0.0axios^0.27.2cheerio^1.0.0-rc.12client-oauth2^4.3.3config^3.0.0crypto-browserify^3.12.0date-fns^2.28.0dompurify^2.3.6fast-xml-parser^4.0.12fluent-ffmpeg^2.1.0form-data^4.0.0fs-extra^10.1.0helmet^4.6.0hivesigner^3.2.1hpp^0.2.3insertion-query^1.1.0jimp^0.16.1js-yaml^4.0.0languagedetect^2.0.0m3u8-parser^7.2.0marked^2.0.0moment^2.29.1nodemailer^6.7.7nsfwjs^4.2.1- …and 16 more.