PkgRadar

Package evidence

[email protected]

Install-time lifecycle script: postinstall="husky"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 245,331 · Ubiquitous · −70% score
Versions published: 563 · Mature · −50% score
First published: Jan 2019
Publisher: GitHub Actions · Trusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Artifact bytes: 6,079,261
Previous version: 14.3.0
Published: 2026-06-05T15:14:05.568Z
SHA-256: 02809aec8bff7e846f1a707e9db0c0fa8278712aad2a52d3193907bb997aae96

Why flagged

What the scanner saw

New Lifecycle Script Vs Previous: postinstall added in 14.4.0 vs 14.3.0: "husky"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high
Last checked
Risk: high
Score: 45
Version: 14.4.0
Status history (1 event)
  1. new · available · risk high · score 45 · status changed

Evidence

Static findings

1 static · 1 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | New Lifecycle Script Vs Previous | package.json | postinstall added in 14.4.0 vs 14.3.0: "husky" | 40 |
| low | Install-time lifecycle script | package.json | postinstall="husky" | 5 |

Manifest

Package metadata

Scripts (27)
  • build: yarn clean && concurrently 'yarn build-translations' 'vite build' 'tsc --project tsconfig.lib.json' 'yarn build-styling'
  • build-styling: sass src/styling/index.scss:dist/css/index.css src/styling/_emoji-replacement.scss:dist/css/emoji-replacement.css src/plugins/Emojis/styling/index.scss:dist/css/emoji-picker.css; cp -r src/styling/assets dist/css/assets
  • build-translations: i18next-cli extract
  • build:all: yarn workspaces foreach -A -tpv run build
  • clean: rm -rf dist
  • coverage: vitest run --coverage
  • eslint: eslint --max-warnings 0
  • eslint-fix: eslint --fix
  • examples:build: yarn workspaces foreach -A --include '@stream-io/stream-chat-react-*' run build
  • fix-staged: lint-staged --config .lintstagedrc.fix.json --concurrent 1
  • lint: yarn prettier --list-different && yarn eslint && yarn validate-translations
  • lint-fix: yarn prettier-fix && yarn eslint-fix
  • postinstall: husky
  • prepack: yarn build
  • prettier: prettier '**/*.{js,mjs,ts,mts,jsx,tsx,md,json,yml,scss}'
  • prettier-fix: yarn prettier --write
  • semantic-release: semantic-release
  • start: tsc -p tsconfig.lib.json -w
  • start:css: node scripts/watch-styling.mjs
  • start:tutorial: yarn workspace @stream-io/stream-chat-react-tutorial dev
  • start:vite: yarn workspace @stream-io/stream-chat-react-vite dev
  • test: vitest run
  • test:watch: vitest
  • types: tsc --emitDeclarationOnly false --noEmit
  • types:tests: tsc --project tsconfig.test.json --noEmit
  • validate-cjs: concurrently 'node scripts/validate-cjs-node-bundle.cjs' 'node scripts/validate-cjs-browser-bundle.cjs'
  • validate-translations: node scripts/validate-translations.js
Dependencies (25)
  • @braintree/sanitize-url ^7.1.2
  • @floating-ui/react ^0.27.19
  • @react-aria/focus ^3.22.0
  • clsx ^2.1.1
  • dayjs ^1.11.20
  • emoji-regex ^9.2.2
  • fix-webm-duration ^1.0.6
  • hast-util-find-and-replace ^5.0.1
  • i18next ^25.10.10
  • linkifyjs ^4.3.3
  • lodash.debounce ^4.0.8
  • lodash.mergewith ^4.6.2
  • lodash.throttle ^4.1.1
  • lodash.uniqby ^4.7.0
  • nanoid ^3.3.12
  • react-dropzone ^14.4.1
  • react-fast-compare ^3.2.2
  • react-markdown ^9.1.0
  • react-player 2.10.1
  • react-textarea-autosize ^8.5.9
  • react-virtuoso ^2.19.1
  • remark-gfm ^4.0.1
  • unist-builder ^4.0.0
  • unist-util-visit ^5.1.0
  • use-sync-external-store ^1.6.0
Optional dependencies (1)
  • @stream-io/transliterate ^1.5.5