PkgRadar

Package evidence

[email protected]

Large Javascript Payload: 3321822 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Publisher
GitHub Actions: Trusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Artifact bytes: 2,602,989
Previous version: 4.1.1
Published: 2026-05-25T00:13:47.115Z
SHA-256: 5fce275bc39e5f2ac5b70462811f9c0d86362d0a9a6dacce627edc6d8f07c525

Why flagged

What the scanner saw

Large Javascript Payload: 3321822 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 17
Version: 4.2.0
Status history (1 event)
  1. new · available · risk review · score 17 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/tods-competition-factory.development.cjs.js | 3321822 bytes | 10 |
| low | Install-time lifecycle script | package.json | prepare="husky" | 4 |
| low | Obfuscation | package/dist/index.mjs | matched "\\xB1" | 3 |

Manifest

Package metadata

Scripts: 39
  • build: rimraf dist && rollup --config && ./esbuild.mjs
  • check-types: tsc --noEmit
  • check:engine-methods: node scripts/generateEngineMethods.mjs --check
  • commits: git log $(git describe --tags --abbrev=0)..HEAD --oneline --no-merges --pretty=format:'%s: %h' | sed '/factory/d'
  • cov: vitest run --coverage --config ./src/tests/vitest.noThreshold.config.ts
  • coverage: vitest run --coverage
  • coverage:badges: vitest run --coverage --coverage.thresholds.statements=0 --coverage.thresholds.branches=0 --coverage.thresholds.functions=0 --coverage.thresholds.lines=0 && istanbul-badges-readme
  • deptree: dep-tree entropy src/index.ts
  • docs:publish: cd documentation && GIT_USER=CourtHive USE_SSH=true pnpm docpub
  • esm: rimraf dist && ./esbuild.mjs
  • format: prettier --write src
  • gen:engine-methods: node scripts/generateEngineMethods.mjs
  • lint: eslint src --fix --cache
  • lint:md: markdownlint-cli2 "**/*.md"
  • lint:md:fix: markdownlint-cli2 --fix "**/*.md"
  • lint:report: eslint src & eslint --cache src -f json > eslint-report.json
  • lint:staged: TZ=UTC lint-staged
  • lint:tsc: tsc --project tsconfig.json
  • minor:alpha: npm run commits && npm version $(semver $npm_package_version -i preminor --preid alpha) && git push && git push --tags
  • minor:beta: npm run commits && npm version $(semver $npm_package_version -i preminor --preid beta) && git push && git push --tags
  • patch:alpha: npm run commits && npm version $(semver $npm_package_version -i prerelease --preid alpha) && git push && git push --tags
  • patch:beta: npm run commits && npm version $(semver $npm_package_version -i prerelease --preid beta) && git push && git push --tags
  • postpublish: pinst --enable
  • prebuild: node scripts/generateEngineMethods.mjs
  • prepare: husky
  • prepublishOnly: pinst --disable
  • release: npm run release:patch
  • release:alpha: npm run commits && npm version $(semver $npm_package_version -i premajor --preid alpha) && git push && git push --tags
  • release:beta: npm run commits && npm version $(semver $npm_package_version -i prerelease --preid beta) && git push && git push --tags
  • release:major: npm run commits && npm version $(semver $npm_package_version -i major) && git push && git push --tags
  • …and 9 more.