Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 5,158Niche · −30% score
- Versions published
- 405Mature · −50% score
- First published
- Aug 2019
- Publisher
- GitLab CI/CD
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Large Javascript Payload: 2128756 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 9 · status changed
Evidence
Static findings
3 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/esm/charting-BNYmzAlx.js | 2128756 bytes | 10 |
| medium | Large Javascript Payload | package/dist/cjs/charting-BqHKRVua.js | 2132697 bytes | 10 |
| medium | Large Javascript Payload | package/dist/components/charting.js | 2128738 bytes | 10 |
Manifest
Package metadata
Scripts28
buildstencil build --debug && node ../../build/create-theme-files.jsbuild:devstencil build --debug && node ../../build/create-theme-files.jsbuild:docs-jsonstencil build --docs-json dist/docs.jsonbuild:elementsstencil buildbuild:linkedstencil build --watch --servebuild:localstencil build --dev --watch --servebuild:networkstencil build --dev --watch --serve --host 0.0.0.0build:prereleasestencil build --debug && node ../../build/create-theme-files.jsbuild:prodstencil build --debug && node ../../build/create-theme-files.jsbuild:watchstencil build --dev --watch --servecleanrm -rf dist tmpeslinteslint --config eslint.config.cli.mjs .eslint:fixeslint --fix --config eslint.config.cli.mjs .generate:phone-formatsnode scripts/generatePhoneFormats.jslintpnpm eslint && pnpm stylelint:fixpnpm eslint:fix && pnpm style:fixnomrm -rf node_modulesproblemstsc --noEmitstylenode scripts/runApplyStyleGuide.jsstyle:fixnode scripts/runApplyStyleGuide.js --fixteststencil test --spec --e2e --silent --maxWorkers=0 --runInBandtest:accessibility-reportstencil test --e2e --silent --maxWorkers=0 --runInBand --testNamePattern=ridiculousonpurpose -- --json --outputFile=../docs/src/data/accessibility-report.jsontest:cistencil test --spec --e2e --silent --maxWorkers=0 --runInBandtest:coveragerm -rf .stencil .nyc_output && COVERAGE=true stencil test --spec --e2e --silent --coverage --maxWorkers=0 --runInBandtest:devstencil test --spec --e2e --maxWorkers=0 --runInBand --watchAlltest:fast-e2estencil test --e2e --silent --maxWorkers=1test:fast-specstencil test --spec --silent --maxWorkers=100%test:newstencil test --spec --e2e --silent --maxWorkers=0 --runInBand -- --json --outputFile=./test-reports-band-1.json
Dependencies3
@stencil/core~4.32.0q2-tecton-common1.67.2swiper^12.1.2