PkgRadar

Package evidence

[email protected]

no findings

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
172
Versions published
30
First published
Apr 2026
Publisher
pskoett

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherpskoett
Artifact bytes3,832,033
Previous version0.1.28
Published2026-06-06T20:47:13.773Z
SHA-256fd29b47cb4ea87688e8c00db0f254516011b2c6c9240e3c4fb62c11a1fb99556

Why flagged

What the scanner saw

No high-signal static finding in the saved report.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
lowRisk
0Score
0.1.29Version
Status history (1 event)
  1. newavailable · risk low · score 0 · status changed

Evidence

Static findings

No findings stored for this release.

Manifest

Package metadata

Scripts25
  • buildbun run build:client && bun run build:json-render && bun run build:types
  • build:clientbun build src/client/index.tsx --outdir dist/canvas --minify && cp src/client/theme/global.css dist/canvas/global.css
  • build:json-renderbash scripts/build-json-render.sh
  • build:typestsc -p tsconfig.types.json
  • devbun run src/cli/index.ts
  • dev:demobun run src/cli/index.ts --demo
  • dev:portlessportless run --name pmx --app-port 4313 bun run src/cli/index.ts --no-open --port=4313
  • dev:portless:demoportless run --name pmx --app-port 4313 bun run src/cli/index.ts --no-open --port=4313 --demo
  • pack:dry-runbun pm pack --dry-run
  • prepublishOnlybun run build && bun run typecheck
  • release:checkbun run build && bun run typecheck && bun run test:all
  • release:smokebash scripts/release-smoke.sh
  • startbun run src/cli/index.ts --no-open
  • testPMX_CANVAS_DISABLE_BROWSER_OPEN=1 bun test tests/unit
  • test:allbun run test && bun run test:web-canvas
  • test:coveragebun test tests/unit --coverage --coverage-reporter=text --coverage-reporter=lcov --coverage-dir coverage
  • test:e2ebun run test:web-canvas
  • test:e2e-clibash scripts/e2e-cli-coverage.sh
  • test:e2e:headedbun run test:web-canvas:headed
  • test:install-browsersbun x playwright install chromium
  • test:unitPMX_CANVAS_DISABLE_BROWSER_OPEN=1 bun test tests/unit
  • test:web-canvasPMX_CANVAS_DISABLE_BROWSER_OPEN=1 bun run build && PMX_CANVAS_DISABLE_BROWSER_OPEN=1 bun x playwright test
  • test:web-canvas:headedbun run build && bun x playwright test --headed
  • typechecktsc --noEmit
  • validate:agent-skillsbash scripts/validate-agent-skill-mirrors.sh
Dependencies19
  • @joplin/turndown-plugin-gfm^1.0.64
  • @json-render/core0.19.0
  • @json-render/devtools0.19.0
  • @json-render/devtools-react0.19.0
  • @json-render/directives0.19.0
  • @json-render/mcp0.19.0
  • @json-render/react0.19.0
  • @json-render/shadcn0.19.0
  • @modelcontextprotocol/ext-apps^1.3.1
  • @modelcontextprotocol/sdk^1.0.0
  • @preact/signals^2.0.0
  • @types/turndown^5.0.6
  • marked^15.0.0
  • preact^10.25.0
  • react^19.2.3
  • react-dom^19.2.3
  • recharts^3.2.1
  • turndown^7.2.4
  • zod^4.3.6