Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Publisher
- GitHub Actions: Trusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this update
Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CI (curl · GitHub Actions)
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'
```
Why flagged
What the scanner saw
Remote Payload: matched "raw.githubusercontent.com"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 174 · status changed
Evidence
Static findings
16 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/lib/dashboards/anomaly-detection.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/dashboards/coalition-dashboard.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/dashboards/coalition-loader.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/dashboards/committees-dashboard.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/cia/csv-utils.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/cia/data-loader.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/shared/data-loader.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/dashboards/election-cycle.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/dashboards/ministry-dashboard.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/dashboards/party-dashboard.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/dashboards/politician-dashboard.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/dashboards/pre-election.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/dashboards/risk-dashboard.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/dist/lib/dashboards/seasonal-patterns.js | matched "raw.githubusercontent.com" | 12 |
Low-signal and informational findings
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Obfuscation | package/dist/lib/dashboards/committees-dashboard.js | matched "\\u26a0" | 3 |
| low | Obfuscation | package/dist/lib/dashboards/politician-dashboard.js | matched "\\uFEFF" | 3 |
Manifest
Package metadata
Scripts: 59
- aggregate-analysis: `npx tsx scripts/aggregate-analysis.ts --all`
- backfill-metadata: `tsx scripts/backfill-article-metadata.ts`
- build: `vite build`
- build:csv-contracts-fixture: `npx tsx scripts/build-csv-contracts-fixture.ts`
- build:lib: `tsc -p tsconfig.lib.json && tsc -p tsconfig.npm-scripts.json`
- build:test-reports: `mkdir -p docs/test-results docs/cypress docs/coverage && ([ -d builds/coverage ] && [ -n "$(ls -A builds/coverage 2>/dev/null)" ] && cp -r builds/coverage/* docs/coverage/ || echo 'No coverage directory to copy') && ([ -d builds/test-results ] && [ -n "$(ls -A builds/test-results 2>/dev/null)" ] && cp -r builds/test-results/* docs/test-results/ || echo 'No test-results directory to copy') && ([ -d builds/cypress ] && [ -n "$(ls -A builds/cypress 2>/dev/null)" ] && cp -r builds/cypress/* docs/cypress/ || echo 'No cypress directory to copy') && echo 'Test reports copied to docs/'`
- check-updates: `npx tsx scripts/check-cia-schema-updates.ts`
- check:analysis-language: `tsx scripts/check-analysis-language.ts`
- check:docs: `npx tsx scripts/generate-article-types-doc.ts && git diff --exit-code Article-Generation.md`
- copy-vendor: `npx tsx scripts/copy-vendor-mermaid.ts`
- coverage: `vitest run --coverage`
- cypress:open: `cypress open`
- cypress:run: `cypress run --config video=false`
- cypress:run:critical: `cypress run --spec 'cypress/e2e/homepage.cy.js,cypress/e2e/accessibility.cy.js' --config video=false`
- cypress:run:fast: `cypress run --config video=false --quiet --browser chrome`
- dev: `vite`
- docs:dependencies: `mkdir -p docs/dependencies && (npm list --all --json > docs/dependencies/dependency-tree.json 2> docs/dependencies/dependency-tree.log || true) && (npm list --all > docs/dependencies/dependency-tree.txt 2>> docs/dependencies/dependency-tree.log || true)`
- docs:diagrams: `echo 'Architecture diagrams generation placeholder - implement with graphviz if needed'`
- docs:sitemap: `tsx scripts/generate-sitemap.ts`
- download-data: `npx tsx scripts/download-parliamentary-data.ts`
- download-data:today: `npx tsx scripts/download-parliamentary-data.ts --date today`
- download-data:weekly: `npx tsx scripts/download-parliamentary-data.ts --aggregate weekly`
- e2e: `npm run build && start-server-and-test preview http://localhost:4173 cypress:run`
- e2e:fast: `npm run build && start-server-and-test preview http://localhost:4173 cypress:run:fast`
- generate-news: `npx tsx scripts/render-articles.ts --all --lang all`
- generate-news-indexes: `node scripts/generate-news-indexes.ts`
- generate-political-intelligence: `npx tsx scripts/generate-political-intelligence.ts`
- generate-rss: `npx tsx scripts/generate-rss.ts`
- generate-sitemap: `tsx scripts/generate-sitemap.ts`
- generate-sitemap-html: `npx tsx scripts/generate-sitemap-html.ts`
- …and 29 more.

Optional dependencies: 1
- cypress 15.15.0