Package evidence
[email protected]
New Account With Lifecycle Hook: package first published 62 day(s) ago, 8 total version(s), has lifecycle hook
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 347
- Versions published
- 8
- First published
- Apr 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
New Lifecycle Script Vs Previous: install added in 0.1.0 vs 0.0.4: "node-gyp rebuild"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (2 events)
- available → available · risk high · score 90 · status available -> available, risk high -> high, score 120 -> 90
- new → available · risk high · score 120 · status changed
Evidence
Static findings
3 static · 2 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Lifecycle Script Vs Previous | package.json | install added in 0.1.0 vs 0.0.4: "node-gyp rebuild" | 40 |
| high | New Lifecycle Script Vs Previous | package.json | postinstall added in 0.1.0 vs 0.0.4: "node scripts/save-node-path.js" | 40 |
| medium | New Account With Lifecycle Hook | package.json | package first published 62 day(s) ago, 8 total version(s), has lifecycle hook | 10 |
Show all 5 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Lifecycle Script Vs Previous | package.json | install added in 0.1.0 vs 0.0.4: "node-gyp rebuild" | 40 |
| high | New Lifecycle Script Vs Previous | package.json | postinstall added in 0.1.0 vs 0.0.4: "node scripts/save-node-path.js" | 40 |
| medium | New Account With Lifecycle Hook | package.json | package first published 62 day(s) ago, 8 total version(s), has lifecycle hook | 10 |
| low | Install-time lifecycle script | package.json | install="node-gyp rebuild" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="node scripts/save-node-path.js" | 5 |
Manifest
Package metadata
Scripts8
buildyarn build-report-shell && tsc && node scripts/copy-assets.mjsbuild-report-shellvite build --config report-shell/vite.config.tsdev-report-shellvite --config report-shell/vite.config.tsinstallnode-gyp rebuildpostinstallnode scripts/save-node-path.jsprepublishOnlyyarn buildtestjesttypechecktsc --noEmit
Dependencies42
@mirzazeyrek/node-resemble-js^1.2.1chalk^4.1.2chrome-launcher^0.15.1commander^13.1.0d3-array~2.12.1d3-hierarchy^3.0.1d3-scale~3.3.0debug^4.3.1diff^5.2.0diverged^0.1.3dotenv^16.0.0fs-extra^11.2.0handlebars^4.7.7html-minifier-terser^7.0.0ignore^5.3.0ink^6.0.0jpeg-js^0.4.4json5^2.2.0jstat^1.9.5jump.js^1.0.2junit-report-builder^3.1.0lighthouse13.0.3lodash^4.17.21node-gyp^12.1.0object-hash3.0.0opn^6.0.0os^0.1.2p-map^4.0.0pixelmatch^5.3.0playwright^1.40.1- …and 12 more.