Package evidence

[email protected]

Remote Payload: matched "github.com/maptiler/tileserver-gl/releases/download"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 127Mature · −50% score
First published: May 2016
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes4,260,088

Previous version5.6.0

Published2026-05-12T17:52:11.019Z

SHA-2566a6dac50b9ede15b70f00d24ea222d5994cc613d7e8e8eff48bf1df0792632a5

Why flagged

What the scanner saw

Remote Payload: matched "github.com/maptiler/tileserver-gl/releases/download"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

20d agoLast checked

reviewRisk

3Score

5.6.1-pre.0Version

Status history (1 event)

new → available20d ago · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/src/main.js	matched "github.com/maptiler/tileserver-gl/releases/download"	12

Manifest

Package metadata

Scripts17

copy:leafletcopyfiles -EVf node_modules/leaflet/dist/leaflet.js node_modules/leaflet/dist/leaflet.js.map node_modules/leaflet/dist/leaflet.css node_modules/leaflet/dist/leaflet-hash.js public/resources/
copy:leaflet-hashcopyfiles -EVf node_modules/leaflet-hash/leaflet-hash.js public/resources/
copy:mapbox-rtl-textcopyfiles -EVf node_modules/@mapbox/mapbox-gl-rtl-text/dist/mapbox-gl-rtl-text.js public/resources/
copy:maplibrecopyfiles -EVf node_modules/maplibre-gl/dist/maplibre-gl.js node_modules/maplibre-gl/dist/maplibre-gl.js.map node_modules/maplibre-gl/dist/maplibre-gl.css public/resources/
copy:maplibre-inspectcopyfiles -EVf node_modules/@maplibre/maplibre-gl-inspect/dist/maplibre-gl-inspect.js node_modules/@maplibre/maplibre-gl-inspect/dist/maplibre-gl-inspect.js.map node_modules/@maplibre/maplibre-gl-inspect/dist/maplibre-gl-inspect.css public/resources/
dockerdocker build . && docker run --rm -i -p 8080:8080 $(docker build -q .)
lint:eslinteslint "{,!(node_modules|dist|static|public)/**/}*.{js,ts,cjs,mjs}" --ignore-pattern '.gitignore'
lint:eslint:fixeslint --fix "{,!(node_modules|dist|static|public)/**/}*.{js,ts,cjs,mjs}" --ignore-pattern '.gitignore'
lint:jsnpm run lint:eslint && npm run lint:prettier
lint:js:fixnpm run lint:eslint:fix && npm run lint:prettier:fix
lint:prettierprettier --check "{,!(node_modules|dist|static|public)/**/}*.{js,ts,cjs,mjs,json}" --ignore-path .gitignore
lint:prettier:fixprettier --write "{,!(node_modules|dist|static|public)/**/}*.{js,ts,cjs,mjs,json}" --ignore-path .gitignore
lint:ymlyamllint --schema=CORE_SCHEMA *.{yml,yaml}
preparenpm run copy:maplibre && npm run copy:maplibre-inspect && npm run copy:mapbox-rtl-text && npm run copy:leaflet && npm run copy:leaflet-hash
testmocha test/**.js --timeout 10000 --exit
test-dockerxvfb-run npm test
test:visual:generatecross-env GENERATE_FIXTURES=true mocha test/setup.js test/static_images.js --timeout 10000 --exit

Dependencies31

@aws-sdk/client-s3^3.1045.0
@jsse/pbfont^0.3.3
@mapbox/mapbox-gl-rtl-text0.4.0
@mapbox/mbtiles0.12.1
@mapbox/polyline^1.2.1
@mapbox/sphericalmercator2.0.2
@mapbox/vector-tile2.0.4
@maplibre/maplibre-gl-inspect1.8.2
@maplibre/maplibre-gl-style-spec24.8.5
@sindresorhus/fnv1a3.1.0
advanced-pool0.3.3
chokidar5.0.0
clone2.1.2
color5.0.3
commander14.0.3
copyfiles2.4.1
cors2.8.6
express5.2.1
handlebars4.7.9
http-shutdown1.2.2
leaflet1.9.4
leaflet-hash0.2.1
maplibre-gl5.24.0
morgan1.10.1
pbf4.0.1
pmtiles4.4.1
proj42.20.8
sanitize-filename1.6.4
secure-json-parse^4.1.0
semver^7.8.0
…and 1 more.