PkgRadar

Package evidence

[email protected]

no findings

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
172
Versions published
26
First published
Apr 2026
Publisher
pskoett

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherpskoett
Artifact bytes2,085,428
Previous version0.1.24
Published2026-06-03T13:00:19.661Z
SHA-256ce9fb974dcf0244daa407bf0c0affc4a34f277f8bfa9523e6e3e061cfe85c4d5

Why flagged

What the scanner saw

No high-signal static finding in the saved report.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
lowRisk
0Score
0.1.25Version
Status history (2 events)
  1. newavailable · risk low · score 0 · status changed
  2. newavailable · risk low · score 0 · status changed

Evidence

Static findings

No findings stored for this release.

Manifest

Package metadata

Scripts25
  • buildbun run build:client && bun run build:json-render && bun run build:types
  • build:clientbun build src/client/index.tsx --outdir dist/canvas --minify && cp src/client/theme/global.css dist/canvas/global.css
  • build:json-renderbash scripts/build-json-render.sh
  • build:typestsc -p tsconfig.types.json
  • devbun run src/cli/index.ts
  • dev:demobun run src/cli/index.ts --demo
  • dev:portlessportless run --name pmx --app-port 4313 bun run src/cli/index.ts --no-open --port=4313
  • dev:portless:demoportless run --name pmx --app-port 4313 bun run src/cli/index.ts --no-open --port=4313 --demo
  • pack:dry-runbun pm pack --dry-run
  • prepublishOnlybun run build && bun run typecheck
  • release:checkbun run build && bun run typecheck && bun run test:all
  • release:smokebash scripts/release-smoke.sh
  • startbun run src/cli/index.ts --no-open
  • testPMX_CANVAS_DISABLE_BROWSER_OPEN=1 bun test tests/unit
  • test:allbun run test && bun run test:web-canvas
  • test:coveragebun test tests/unit --coverage --coverage-reporter=text --coverage-reporter=lcov --coverage-dir coverage
  • test:e2ebun run test:web-canvas
  • test:e2e-clibash scripts/e2e-cli-coverage.sh
  • test:e2e:headedbun run test:web-canvas:headed
  • test:install-browsersbun x playwright install chromium
  • test:unitPMX_CANVAS_DISABLE_BROWSER_OPEN=1 bun test tests/unit
  • test:web-canvasPMX_CANVAS_DISABLE_BROWSER_OPEN=1 bun run build && PMX_CANVAS_DISABLE_BROWSER_OPEN=1 bun x playwright test
  • test:web-canvas:headedbun run build && bun x playwright test --headed
  • typechecktsc --noEmit
  • validate:agent-skillsbash scripts/validate-agent-skill-mirrors.sh
Dependencies16
  • @joplin/turndown-plugin-gfm^1.0.64
  • @json-render/core^0.14.1
  • @json-render/mcp^0.14.1
  • @json-render/react^0.14.1
  • @json-render/shadcn^0.14.1
  • @modelcontextprotocol/ext-apps^1.3.1
  • @modelcontextprotocol/sdk^1.0.0
  • @preact/signals^2.0.0
  • @types/turndown^5.0.6
  • marked^15.0.0
  • preact^10.25.0
  • react^19.2.0
  • react-dom^19.2.0
  • recharts^3.2.1
  • turndown^7.2.4
  • zod^4.3.6