PkgRadar

Package evidence

[email protected]

Remote Dependency Spec: devDependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
4,477Niche · −30% score
Versions published
296Mature · −50% score
First published
Mar 2022
Publisher
yanggwcn

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisheryanggwcn
Artifact bytes1,597,118
Previous version3.2.34
Published2026-05-20T08:44:32.358Z
SHA-2569aedcf6cc6dfa2e7b7543024c88db32814683d65457d1b1b1f7eae5c34388c93

Why flagged

What the scanner saw

Remote Dependency Spec: devDependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz"

1 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
9Score
3.2.36Version
Status history (1 event)
  1. newavailable · risk review · score 9 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Dependency Specpackage.jsondevDependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz"8
Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Dependency Specpackage.jsondevDependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz"8
lowCredential file accesspackage/lib/env-variable/npm-token.jsmatched ".npmrc"5
lowCredential file accesspackage/es/env-variable/npm-token.mjsmatched ".npmrc"5

Remote payloads

Followed remote artifacts

SourceURLRiskScoreSummary
devDependencies.xlsxhttps://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgzlow0no remote findings

Manifest

Package metadata

Scripts37
  • apiapi-extractor run
  • buildnpm run type-check && gulp build
  • changeloggulp changelog
  • docs:buildnpm run docs:build:new
  • docs:build:newvitepress build docs
  • docs:build:unityPUBLISH_PATH=/docs/t-comm/ npm run docs:build:new
  • docs:deploynode script/docs-jsdoc/deploy
  • docs:deploy:minenode script/docs-jsdoc/docs-mine
  • docs:deploy:pagesnode bin/cli.js deploy:pages t-comm.pages.woa.com docs/.vitepress/dist --visibility public
  • docs:deploy:unitynode script/docs-jsdoc/deploy-unity
  • docs:devvitepress dev docs
  • docs:gennpm run docs:gen:new
  • docs:gen:newnode script/docs-jsdoc/markdown
  • docs:openopen docs/index.html
  • init:envnode script/env/rainbow-env
  • linteslint --ext .js,.ts,.tsx,.jsx,.vue . --quiet
  • lint:fixeslint --fix --ext .js,.ts,.tsx,.jsx,.vue . --quiet
  • lint:jsoneslint --ext .js,.ts,.tsx,.jsx,.vue . -f json-with-metadata -o ./coverage/lint-results-meta.json
  • mbnode bin/cli.js merge-branches
  • mr:reviewnode script/trial/tgit/mr-review.js
  • npm:tokennode script/npm-token/npm-token
  • posttestnpm run test:badge
  • preparehusky install
  • releaseyarn test && yarn build && np --no-cleanup --yolo --any-branch && npm run version:tip
  • release:alphastandard-version --prerelease alpha -a
  • release:betastandard-version --prerelease beta -a
  • release:firststandard-version --first-release
  • release:majorstandard-version --release-as major -a
  • release:minorstandard-version --release-as minor -a
  • release:patchstandard-version --release-as patch -a
  • …and 7 more.
Dependencies12
  • @babel/runtime^7.17.2
  • @tdesign/uniapp^0.7.3
  • @tdesign/uniapp-chat^0.2.1
  • axios*
  • cheerio^1.0.0-rc.12
  • commander^10.0.1
  • cron-parser^4.8.1
  • jose^4.15.9
  • qs^6.11.0
  • request^2.88.2
  • semver^7.7.3
  • tar^6.1.15