Package evidence
[email protected]
Remote Dependency Spec: devDependencies.coolicons="github:krystonschwarze/coolicons#v4.1"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,796Niche · −30% score
- Versions published
- 97Mature · −50% score
- First published
- Sep 2021
- Publisher
- hawkeye64
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Remote Dependency Spec: devDependencies.coolicons="github:krystonschwarze/coolicons#v4.1"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 4 · status changed
Evidence
Static findings
17 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Dependency Spec | package.json | devDependencies.coolicons="github:krystonschwarze/coolicons#v4.1" | 8 |
Show all 17 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Dependency Spec | package.json | devDependencies.coolicons="github:krystonschwarze/coolicons#v4.1" | 8 |
| low | Large Javascript Payload | package/carbon-pictograms-v12/index.mjs | 2544138 bytes | 0 |
| low | Large Javascript Payload | package/coreui-icons-v3/index.mjs | 4592351 bytes | 0 |
| low | Large Javascript Payload | package/coreui-icons/index.mjs | 5384764 bytes | 0 |
| low | Large Javascript Payload | package/dev-icons-v2/index.mjs | 3118351 bytes | 0 |
| low | Large Javascript Payload | package/fluentui-system-icons/index.mjs | 10445071 bytes | 0 |
| low | Large Javascript Payload | package/glyphs-core-icons/index.mjs | 9740572 bytes | 0 |
| low | Large Javascript Payload | package/health-icons-v1/index.mjs | 4150746 bytes | 0 |
| low | Large Javascript Payload | package/health-icons-v2/index.mjs | 3405697 bytes | 0 |
| low | Large Javascript Payload | package/openmoji-icons-v16/index.mjs | 12056790 bytes | 0 |
| low | Large Javascript Payload | package/openmoji-icons-v17/index.mjs | 12784666 bytes | 0 |
| low | Large Javascript Payload | package/phosphor-icons-v2/index.mjs | 4484029 bytes | 0 |
| low | Large Javascript Payload | package/phosphor-icons/index.mjs | 2862476 bytes | 0 |
| low | Large Javascript Payload | package/simple-icons-v15/index.mjs | 4608243 bytes | 0 |
| low | Large Javascript Payload | package/simple-icons-v16/index.mjs | 4688841 bytes | 0 |
| low | Large Javascript Payload | package/tabler-icons-v2/index.mjs | 3315982 bytes | 0 |
| low | Large Javascript Payload | package/tabler-icons-v3/index.mjs | 4069113 bytes | 0 |
Manifest
Package metadata
Scripts9
buildtsx build/index.tsformatoxfmt build package.jsonformat:checkoxfmt --check build package.jsonlintoxlint buildlint:fixoxlint --fix buildtest:smokenode test-d/runtime-consumer.mjstypecheckpnpm run typecheck:build && pnpm run typecheck:exportstypecheck:buildtsc -p tsconfig.build.json --noEmit --pretty falsetypecheck:exportstsc -p test-d/tsconfig.json --noEmit --pretty false