PkgRadar

Package evidence

[email protected]

Install-time lifecycle script: install="node-gyp-build"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
10
Versions published
7
First published
Oct 2025
Publisher
grml

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishergrml
Artifact bytes350,771
Previous version1.0.6
Published2026-06-01T17:17:35.585Z
SHA-2569ded74a7e630e3086e6c30883c9dfaa2652798bb55d9c216a77fc25dc1016d9a

Why flagged

What the scanner saw

Install-time lifecycle script: install="node-gyp-build"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
5Score
1.0.7Version
Status history (2 events)
  1. newavailable · risk review · score 5 · status changed
  2. newavailable · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowInstall-time lifecycle scriptpackage.jsoninstall="node-gyp-build"5

Manifest

Package metadata

Scripts14
  • benchmarktsx benchmarks/benchmark.ts
  • benchmark:filestreamtsx benchmarks/filestream.ts
  • buildnode-gyp rebuild && tsc
  • build:debugnode-gyp rebuild --debug
  • cleannode-gyp clean
  • devnpm run build && nodemon lib/index.ts
  • formatfind . \( -name "*.cc" -o -name "*.cpp" -o -name "*.h" \) -exec clang-format -i {} \; && eslint . --fix
  • format:allfind . \( -name "*.cc" -o -name "*.cpp" -o -name "*.h" \) -exec clang-format -i {} \;
  • format:ccfind . -name "*.cc" -exec clang-format -i {} \;
  • installnode-gyp-build
  • prebuildifyprebuildify --napi --strip
  • prepacktsc
  • setupTextFilesmkdir textfiles && cd textfiles && wget https://norvig.com/ngrams/enable1.txt && wget https://raw.githubusercontent.com/ScriptSmith/topwords/master/words.txt && wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/badwordslist/badwords.txt && wget https://raw.githubusercontent.com/grMLEqomlkkU5Eeinz4brIrOVCUCkJuN/terms.txt/refs/heads/master/terms.txt
  • testjest
Dependencies2
  • node-addon-api^8.7.0
  • node-gyp-build^4.8.4