Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 645
- Versions published: 19 (Established · −30% score)
- First published: Aug 2025
- Publisher: GitHub Actions (Trusted automation · −70% score)
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Large Javascript Payload: 9450363 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 13 · status changed
Evidence
Static findings
6 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/quikdown_edit_standalone.esm.js | 9450363 bytes | 10 |
| medium | Large Javascript Payload | package/dist/quikdown_edit_standalone.esm.min.js | 3988206 bytes | 10 |
| medium | Large Javascript Payload | package/dist/quikdown_edit_standalone.umd.js | 9696445 bytes | 10 |
| medium | Large Javascript Payload | package/dist/quikdown_edit_standalone.umd.min.js | 3988440 bytes | 10 |
| low | Obfuscation | package/dist/quikdown_edit.esm.min.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/quikdown_edit.umd.min.js | matched "\\x3c" | 3 |
Manifest
Package metadata
Scripts (42)
- `build`: `npm run lint && npm run updateVersion && rollup -c && npm run css && npm run sizes && npm run updateBadges && npm run buildSite`
- `build:airgap`: `node tools/buildAirgapZip.cjs`
- `build:all`: `npm run build && npm run build:standalone`
- `build:coverage`: `rollup -c rollup.config.coverage.js`
- `build:css`: `node tools/generateThemeCSS.js`
- `build:standalone`: `rollup -c rollup.config.standalone.js`
- `buildSite`: `node ./tools/buildSite.js`
- `clean`: `node tools/clean.cjs`
- `coverage:full`: `npm run build:coverage && npm run test:e2e:coverage && npm test && npm run coverage:merge`
- `coverage:merge`: `node tools/mergeCoverage.cjs`
- `css`: `npm run build:css && npm run minify:css`
- `dev`: `npx bwcli serve . -p 6811`
- `docs:api`: `npx jsdoc src/quikdown.js -d docs/api`
- `feature`: `bash ./tools/feature.sh`
- `lint`: `eslint src/`
- `minify:css`: `node tools/minifyThemeCSS.js`
- `prepare`: `husky`
- `release`: `bash ./tools/release.sh`
- `release:legacy`: `node ./tools/createRelease.js`
- `serve`: `npx bwcli serve . -p 6811`
- `sizes`: `node tools/printSizes.cjs`
- `tag`: `./tools/createTag.sh`
- `test`: `NODE_NO_WARNINGS=1 jest --coverage && node tools/updateBadges.js`
- `test:all`: `NODE_NO_WARNINGS=1 jest tests/quikdown.test.js tests/quikdown_bd.test.js tests/quikdown_edit_esm.test.js --coverage`
- `test:ast`: `NODE_NO_WARNINGS=1 jest --testPathPattern='quikdown_ast|quikdown_json|quikdown_yaml|quikdown_ast_html' --coverage`
- `test:bd`: `NODE_NO_WARNINGS=1 jest tests/quikdown_bd.test.js --coverage`
- `test:coverage`: `NODE_NO_WARNINGS=1 jest tests/quikdown.test.js tests/quikdown_bd.test.js tests/quikdown_edit_esm.test.js --coverage --coverageReporters=text-summary`
- `test:e2e`: `npx playwright test --config=playwright.config.cjs --grep-invert @coverage`
- `test:e2e:coverage`: `npx playwright test --grep @coverage --config=playwright.config.cjs --project=chromium`
- `test:e2e:full`: `npx playwright test --config=playwright.config.cjs --grep-invert @coverage`
- …and 12 more.