Package evidence

[email protected]

Large Javascript Payload: 9631328 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 131
Versions published: 146Established · −30% score
First published: Nov 2025
Publisher: sliftist

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publishersliftist

Artifact bytes4,641,549

Previous version1.2.24

Published2026-05-16T23:45:12.743Z

SHA-256dc882f3723f27399aee1eaff23b4d430fa87da9096c2dbde4c832998b48932d5

Why flagged

What the scanner saw

Large Javascript Payload: 9631328 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low

7d agoLast checked

lowRisk

0Score

1.2.25Version

Status history (1 event)

new → available7d ago · risk low · score 0 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Large Javascript Payload	package/build-nodejs/server.js	9631328 bytes	0
low	Large Javascript Payload	package/build-web/browser.js	10089605 bytes	0

Manifest

Package metadata

Scripts19

build-electronnode ./builders/electronBuildRun.js
build-extensionnode ./builders/extensionBuildRun.js
build-nodejsnode ./builders/nodeJSBuildRun.js
build-webnode ./builders/webBuildRun.js
emit-dtsyarn tsc --project tsconfig.declarations.json || true
generate-index-dtstypenode ./builders/generateIndexDts.ts
notesmobx, preact, socket-function, typenode SHOULD be peerDependencies. But we want to use yarn (better dependency deduplication), so we can't use peerDependencies (as they aren't installed by default, which makes them a nightmare to use). If you want to override the versions, feel free to use overrides/resolutions.
prepublishOnlyyarn update-types
run-electronnode ./node_modules/electron/cli.js ./build-electron/electronMain.js
run-nodejsnode ./build-nodejs/server.js
run-nodejs-devtypenode ./nodejs/server.ts --npminstall
run-webnode ./builders/webRun.js
testtypenode ./test.ts
typeyarn tsc --noEmit
update-typesyarn emit-dts && yarn generate-index-dts
watch-electronnode ./builders/watchRun.js --port 9879 "electron/*.ts" "electron/*.tsx" "yarn build-electron"
watch-extensionnode ./builders/watchRun.js --port 9878 "extension/*.ts" "extension/*.tsx" "yarn build-extension"
watch-nodejsnode ./builders/watchRun.js --port 9876 "nodejs/*.ts" "nodejs/*.tsx" "yarn build-nodejs"
watch-webnode ./builders/watchRun.js --port 9877 "web/*.ts" "web/*.tsx" "yarn build-web"

Dependencies13

@types/chrome^0.0.237
@types/node-forge^1.3.11
@types/shell-quote^1.7.5
acme-client^5.0.0
js-sha256^0.11.1
mobx^6.13.3
preact-old-types^10.28.1
shell-quote^1.8.3
socket-function^1.1.30
typenode*
typesafecss*
ws^8.18.3
yargs15.4.1