PkgRadar

Package evidence

[email protected]

Install-time lifecycle script: postinstall="node scripts/check-expo-version.js"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 357 · Mature · −50% score
First published: Feb 2016
Publisher: GitHub Actions · Trusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Artifact bytes: 1,919,927
Previous version: 10.40.0-beta.2
Published: 2026-04-24T07:01:13.147Z
SHA-256: b81316319e784dbe34440020138fedfef2326e974e5a28ae968e623684c8dc28

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="node scripts/check-expo-version.js"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 1
Version: 10.40.0
Status history (1 event)
  1. new available · risk review · score 1 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 1 findings (low-signal and informational)

Severity | Kind | Path | Detail | Points
low | Install-time lifecycle script | package.json | postinstall="node scripts/check-expo-version.js" | 5

Manifest

Package metadata

Scripts: 24
  • build:android-debug: cd Example/e2etest && bun && detox build --configuration android.emu.debug
  • build:android-release: cd Example/e2etest && bun && detox build --configuration android.emu.release
  • build:harmony-har: node scripts/build-harmony-har.js
  • build:ios-debug: cd Example/e2etest && bun && detox build --configuration ios.sim.debug
  • build:ios-release: cd Example/e2etest && bun && detox build --configuration ios.sim.release
  • build:so: bun submodule && $ANDROID_HOME/ndk/28.2.13676358/ndk-build NDK_PROJECT_PATH=android APP_BUILD_SCRIPT=android/jni/Android.mk NDK_APPLICATION_MK=android/jni/Application.mk NDK_LIBS_OUT=android/lib
  • e2e:android: bun build:android-release && bun test:android-release
  • e2e:ios: bun build:ios-release && bun test:ios-release
  • lint: eslint "src/*.@(ts|tsx|js|jsx)" && tsc --noEmit
  • postinstall: node scripts/check-expo-version.js
  • prepack: bun submodule && bun lint
  • prepublishOnly: NODE_ENV=production bun scripts/prepublish.ts
  • publish:local: SKIP_NATIVE_BUILD=1 npm publish
  • submodule: git submodule update --init --recursive
  • test: bun test src/__tests__
  • test:android-debug: cd Example/e2etest && E2E_PLATFORM=android detox test --configuration android.emu.debug --headless --record-logs all
  • test:android-release: cd Example/e2etest && E2E_PLATFORM=android bun detox test --configuration android.emu.release --headless --record-logs all
  • test:ios-debug: cd Example/e2etest && E2E_PLATFORM=ios detox test --configuration ios.sim.debug
  • test:ios-release: cd Example/e2etest && E2E_PLATFORM=ios bun detox test --configuration ios.sim.release
  • test:patch-core: ./scripts/test-patch-core.sh
  • tests:emulator:prepare: cd .github/workflows/scripts/functions && bun && bun build
  • tests:emulator:start-ci: bun tests:emulator:prepare && cd ./.github/workflows/scripts && ./start-firebase-emulator.sh
  • tests:ios:pod:install: cd Example/e2etest && bun && bun pod-install
  • tests:packager:jet-ci: cd Example/e2etest && cross-env TMPDIR=$HOME/.metro REACT_DEBUGGER="echo nope" node_modules/.bin/react-native start --no-interactive
Dependencies: 2
  • nanoid: ^3.3.3
  • react-native-url-polyfill: ^3.0.0