Package evidence

[email protected]

no findings

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 1,901,180Ubiquitous · −70% score
Versions published: 230Mature · −50% score
First published: Jan 2016
Publisher: romanhotsiy

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisherromanhotsiy

Artifact bytes857,766

Previous version2.5.3

Published2025-10-24T15:42:16.455Z

SHA-256ce74bf294fca8bbf148529381ffc5a6eacdeb5996526398958912dafd67bce17

Why flagged

What the scanner saw

No high-signal static finding in the saved report.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low

17d agoLast checked

lowRisk

0Score

3.0.0-rc.0Version

Status history (1 event)

new → available17d ago · risk low · score 0 · status changed

Evidence

Static findings

No findings stored for this release.

Manifest

Package metadata

Scripts27

buildnpm run clean && npm run ts:check && npm run build:lib && npm run build:standalone && npm run minify
build:e2evite build --mode standalone-e2e
build:libvite build && npm run ts:dts
build:standalonevite build --mode standalone
changesetnpx @changesets/cli --
cleanrimraf bin bundle lib
clear:cachescripts/clear-cache.sh
e2enpm run e2e:prepare && npx playwright test
e2e:preparenpm run build:e2e && cp -r ./bundle ./playwright/
e2e:uiplaywright test --ui
license:checknpx license-checker --production --onlyAllow 'MIT;ISC;Apache-2.0;BSD;BSD-2-Clause;BSD-3-Clause;CC-BY-4.0;CC0-1.0;Python-2.0 ' --summary
lintNODE_OPTIONS="--max-old-space-size=5120" eslint . --max-warnings=0
lint:fixNODE_OPTIONS="--max-old-space-size=5120" eslint . --fix
list:licensesnode ./scripts/list-licenses.js
minifynode scripts/minify.js bundle
pack:sourcemapsrimraf redoc.sourcemaps.tag.gz && find lib -name "*.js.map" | xargs tar -czvf redoc.sourcemaps.tar.gz
publish-cdnscripts/publish-cdn.sh
releasenpm run build && npm run changeset publish
startvite
testnpm run lint && npm run unit && npm run e2e
ts:checktsc --noEmit --skipLibCheck
ts:dtstsc -p tsconfig.json --emitDeclarationOnly && api-extractor run --local --verbose
unitjest -w 2
unit:coveragejest --coverage
unit:coverage:htmljest --coverage --coverageReporters html
unit:updatejest -u
unit:watchjest --watch

Dependencies20

@markdoc/markdoc0.5.2
@redocly/config^0.36.2
@redocly/openapi-core2.7.0
@redocly/redoc-opentelemetry0.0.4
@redocly/theme^0.59.0-next.8
deepmerge^4.2.2
dompurify3.2.7
fast-deep-equal^3.1.3
flexsearch^0.8.2
htmlparser2^10.0.0
jotai^2.12.5
json-pointer^0.6.2
openapi-sampler^1.6.2
prismjs1.30
react-router-dom^6.21.1
slugify^1.4.4
stringify-object^3.3.0
swagger2openapi^7.0.8
url-template^2.0.8
web-vitals^5.1.0