Package evidence

[email protected]

Remote Dependency Spec: devDependencies.@changesets/changelog-github="https://pkg.pr.new/changesets/changesets/@changesets/changelog-github@bd27256"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 9
First published: Aug 2024
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

PublisherGitHub Actions

Artifact bytes6,956

Previous version1.2.1

Published2026-05-27T14:03:48.887Z

SHA-2563a17bd509a0f25c34181e7c63a6614d59c402ad365dfb22f2010cfb4f758c764

Why flagged

What the scanner saw

Remote Dependency Spec: devDependencies.@changesets/changelog-github="https://pkg.pr.new/changesets/changesets/@changesets/changelog-github@bd27256"

4 candidate cluster(s) currently reference this release. 2 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

15h agoLast checked

highRisk

164Score

2.0.0Version

Status history (2 events)

available → available15h ago · risk high · score 164 · status available -> available, risk high -> high, score 218 -> 164
new → available7d ago · risk high · score 218 · status changed

Related candidates

Linked campaigns and clusters

Shared remote URLactive

https://pkg.pr.new/changesets/changesets/@changesets/cli@bd27256

2 members · evidence strength 77

Shared payload hashactive

43010cfe83f290afd5b2898f02e48fb0162717168a61d2d9445b6c8ea95c2e9c

2 members · evidence strength 82

Shared payload hashactive

d97bd447ec58643cece5490c2b3e89ca1b80289104df20f6b68f6edee6bd92b4

2 members · evidence strength 68

Shared remote URLactive

https://pkg.pr.new/changesets/changesets/@changesets/changelog-github@bd27256

2 members · evidence strength 63

Shared remote URLcandidate

https://pkg.pr.new/changesets/changesets/@changesets/cli@bd27256

2 members · max score 100

Shared payload hashcandidate

43010cfe83f290afd5b2898f02e48fb0162717168a61d2d9445b6c8ea95c2e9c

2 members · max score 100

Shared remote URLcandidate

https://pkg.pr.new/changesets/changesets/@changesets/changelog-github@bd27256

2 members · max score 32

Shared payload hashcandidate

d97bd447ec58643cece5490c2b3e89ca1b80289104df20f6b68f6edee6bd92b4

2 members · max score 32

Evidence

Static findings

2 static · 2 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Dependency Spec	package.json	devDependencies.@changesets/changelog-github="https://pkg.pr.new/changesets/changesets/@changesets/changelog-github@bd27256"	8
medium	Remote Dependency Spec	package.json	devDependencies.@changesets/cli="https://pkg.pr.new/changesets/changesets/@changesets/cli@bd27256"	8
medium	Dependency Changed To Remote Vs Previous	package.json	devDependencies.@changesets/changelog-github changed to remote spec in 2.0.0 vs 1.2.1: "https://pkg.pr.new/changesets/changesets/@changesets/changelog-github@bd27256"	8
medium	Dependency Changed To Remote Vs Previous	package.json	devDependencies.@changesets/cli changed to remote spec in 2.0.0 vs 1.2.1: "https://pkg.pr.new/changesets/changesets/@changesets/cli@bd27256"	8

Remote payloads

Followed remote artifacts

Source	URL	Risk	Score	Summary
devDependencies.@changesets/changelog-github	https://pkg.pr.new/changesets/changesets/@changesets/changelog-github@bd27256	high	32	remote_dependency_spec: dependencies.@changesets/get-github-info="https://pkg.pr.new/changesets/changesets/@changesets/get-github-info@bd2725600fb88769263072a89d200f365cf61cb9"
devDependencies.@changesets/cli	https://pkg.pr.new/changesets/changesets/@changesets/cli@bd27256	high	100	remote_dependency_spec: dependencies.@changesets/apply-release-plan="https://pkg.pr.new/changesets/changesets/@changesets/apply-release-plan@bd2725600fb88769263072a89d200f365cf61cb9"

Manifest

Package metadata

Scripts4

buildtsdown
linteslint --flag unstable_native_nodejs_ts_config
testvitest
typechecktsc --noEmit

Dependencies1

binary-util~2.0.5