Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 93
- First published
- Feb 2026
- Publisher
- danan-sidenet
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched ".ssh/"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Evidence
Static findings
8 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 8 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/ssh-config-De4c6Kil.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/ssh-config-DP-hNVbF.js | matched ".ssh/" | 5 |
| low | Obfuscation Density | package/dist/chunk-4TB4RGXK-B5xM6IO9.js | high encoded/escaped-token density | 0 |
| low | Obfuscation Density | package/dist/chunk-4TB4RGXK-CAWEml0t.js | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/dist/mermaid-VLURNSYL-CO-ele46.js | 6283732 bytes | 0 |
| low | Large Javascript Payload | package/dist/sdk-entry-Qb9OFsne.js | 4169073 bytes | 0 |
| low | Large Javascript Payload | package/dist/sidenetai-sdk.standalone.umd.js | 25474385 bytes | 0 |
| low | Large Javascript Payload | package/dist/sidenetai-sdk.umd.js | 24012733 bytes | 0 |
Manifest
Package metadata
Scripts9
buildnpm run build:lightweight && npm run build:standalonebuild:lightweighttsc -b && vite build --mode productionbuild:standalonevite build --mode production --config vite.config.standalone.tscleanrm -rf dist node_modules/.vite tsconfig.tsbuildinfodevvitelinteslint .previewvite previewrebuildpnpm clean && pnpm buildworktree./scripts/init-worktree.sh
Dependencies31
@assistant-ui/react^0.12.25@assistant-ui/react-ai-sdk^1.3.19@assistant-ui/react-markdown^0.12.9@assistant-ui/react-streamdown^0.1.10@emotion/is-prop-valid^1.4.0@fontsource-variable/geist^5.2.8@pierre/diffs^1.1.16@radix-ui/react-collapsible^1.1.12@radix-ui/react-select^2.2.6@radix-ui/react-use-controllable-state^1.2.2@remixicon/react^4.9.0@streamdown/cjk^1.0.3@streamdown/code^1.1.1@streamdown/math^1.0.2@streamdown/mermaid^1.0.2ai-elements^1.9.0cmdk^1.1.1install^0.13.0katex^0.16.45motion^12.38.0nanoid^5.1.9npm^11.12.1radix-ui^1.4.3recharts2.15.4shadcn^4.4.0shiki^4.0.2tailwind-variants^3.2.2tw-animate-css^1.4.0use-stick-to-bottom^1.1.3zod^3.25.76- …and 1 more.