PkgRadar

Package evidence

raspalib==3.1.0

Py Import Time Subprocess: subprocess call — process spawning.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 6
First published: May 2026
Publisher: Drs. Youri Ran, University of Amsterdam, Drs. Shrinjay Sharma, Delft University of Technology, Drs. Zhao Li, Northwestern University, Prof. Sofia Calero, Eindhoven University of Technology, Prof. Thijs Vlugt, Delft University of Technology, Prof. Randall Q. Snurr, Northwestern University

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["raspalib==3.1.0"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["raspalib==3.1.0"],"fail_on":"review"}'

Artifact bytes: 9,209,116
Previous version: none
Published: 2026-06-06T19:39:12
SHA-256: d78b23e71b5a825f782c2a7d5687426695569653808778ea4d2f1e3bb6226fd7

Why flagged

What the scanner saw

Py Import Time Subprocess: subprocess call — process spawning.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 96
Version: 3.1.0
Status history (1 event)
  1. new · available · risk review · score 96 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Py Import Time Subprocess | raspalib/__init__.py | subprocess call — process spawning. | 32 |
| medium | Py Import Time Ctypes Load | raspalib/__init__.py | ctypes.CDLL/cdll.LoadLibrary — loads native code into the process. | 24 |
| medium | Large Native Blob | raspalib/raspalib_base.cpython-310-darwin.so | 5821728 bytes | 10 |
| medium | Large Native Blob | raspalib/raspalib_avx2.cpython-310-darwin.so | 5966208 bytes | 10 |
| medium | Large Native Blob | raspalib/raspalib_avx.cpython-310-darwin.so | 5842368 bytes | 10 |
| medium | Large Native Blob | raspalib/raspalib_avx512.cpython-310-darwin.so | 6069424 bytes | 10 |