Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 118
- Versions published: 203 (Mature · −50% score)
- First published: Sep 2024
- Publisher: GitHub Actions (Trusted automation · −70% score)
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Large Javascript Payload: 5396257 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 6 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/bin/backend.bun.js | 5396257 bytes | 10 |
| medium | Large Javascript Payload | package/app/assets/index-BzVz2XXq.js | 2001936 bytes | 10 |
Manifest
Package metadata
Scripts (26)
- build: `rm -rf ./bin && ([ $PREVIEW ] && bun run env:pre || bun run env:prod) && concurrently "bun:build:*"`
- build:bun: `./build.bun.ts`
- build:vite: `[ $PREVIEW ] && vite build --mode preview || vite build --mode production`
- db:dev: `dotenvx run -f .env.development -- ./__scripts__/interactive-db.bun.ts`
- db:gen: `dotenvx run -f .env.development -- drizzle-kit generate`
- db:nuke: `./__scripts__/destroy-db.bun.ts`
- db:setup: `./__scripts__/setup-db.bun.ts`
- dev: `bun run env:dev && concurrently "bun:dev:*"`
- dev:backend: `bun --hot --no-clear-screen --env-file=.env.development ./src/backend.bun.ts`
- dev:db: `pnpm run db:dev`
- dev:email: `bun --env-file=.env.development email dev`
- dev:vite: `vite --port 3333`
- env:dev: `[ -f .env.development ] && echo '.env.development already present' || cp .env.defaults .env.development`
- env:pre: `[ -f .env.preview ] && echo '.env.preview already present' || cp .env.defaults .env.preview`
- env:prod: `[ -f .env.production ] && echo '.env.production already present' || echo 'VITE_BACKEND_ORIGIN=https://realtime.tempest.games' >> .env.production && echo 'VITE_HIDE_DEVTOOLS=true' >> .env.production`
- env:test: `[ -f .env.test ] && echo '.env.test already present' || cp .env.defaults .env.test`
- lint: `concurrently "bun:lint:*"`
- lint:biome: `biome check -- .`
- lint:eslint: `eslint -- .`
- lint:types: `tsgo --noEmit`
- preview: `PREVIEW=true nr build && concurrently "bun:preview:*"`
- preview:backend: `bun --env-file=.env.preview bin/backend.bun.js`
- preview:frontend: `bun --env-file=.env.preview bin/frontend.bun.js`
- test: `bun env:test && vitest`
- test:once: `bun env:test && varmint track && vitest run; varmint clean --ci-flag=CI`
- watch:types: `tsgo --watch --noEmit`
Dependencies (29)
- @ai-sdk/openai: 3.0.65
- @floating-ui/react: 0.27.19
- @js-temporal/polyfill: 0.5.1
- @react-spring/three: 10.1.0
- @react-three/drei: 10.7.7
- @react-three/fiber: 9.6.1
- @t3-oss/env-core: 0.13.11
- @trpc/client: 11.17.0
- @trpc/server: 11.17.0
- ai: 6.0.191
- arktype: 2.2.0
- atom.io: 0.47.0
- cron: 4.4.0
- drizzle-orm: 0.45.2
- motion: 12.40.0
- nanoid: 5.1.11
- openai: 6.39.0
- postgres: 3.4.9
- react: 19.2.6
- react-dom: 19.2.6
- react-email: 6.3.3
- resend: 6.12.4
- safedeposit: 0.1.2
- socket.io: 4.8.3
- socket.io-client: 4.8.3
- three: 0.184.0
- three-stdlib: 2.36.1
- treetrunks: 0.1.7
- varmint: 0.5.14