Package evidence

[email protected]

Remote Dependency Spec: dependencies.smoldot="https://github.com/ukint-vs/smoldot-gear/releases/download/v2.0.40-gear/smoldot-2.0.40.tgz"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 147
Versions published: 15
First published: Mar 2026
Publisher: ukint

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisherukint

Artifact bytes2,536,336

Previous version0.19.0

Published2026-05-27T08:37:23.950Z

SHA-2566b0776b4f27f7d744372d2ce54e1f5c9af833b44988e2ea74f80b578340e3e60

Why flagged

What the scanner saw

Remote Dependency Spec: dependencies.smoldot="https://github.com/ukint-vs/smoldot-gear/releases/download/v2.0.40-gear/smoldot-2.0.40.tgz"

2 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

17d agoLast checked

reviewRisk

30Score

0.20.0Version

Status history (1 event)

new → available17d ago · risk review · score 30 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Remote Dependency Spec	package.json	dependencies.smoldot="https://github.com/ukint-vs/smoldot-gear/releases/download/v2.0.40-gear/smoldot-2.0.40.tgz"	12
medium	Large Javascript Payload	package/dist/app.js	3515673 bytes	10
high	Remote Dependency Spec	package.json	devDependencies.sails-js="https://github.com/gear-tech/sails/releases/download/js%2Fv1.0.0-beta.2/sails-js.tgz"	8

Remote payloads

Followed remote artifacts

Source	URL	Risk	Score	Summary
dependencies.smoldot	https://github.com/ukint-vs/smoldot-gear/releases/download/v2.0.40-gear/smoldot-2.0.40.tgz	error	0	unexpected end of file
devDependencies.sails-js	https://github.com/gear-tech/sails/releases/download/js%2Fv1.0.0-beta.2/sails-js.tgz	error	0	unexpected end of file

Manifest

Package metadata

Scripts9

buildrm -rf dist && node scripts/build.mjs
cleanrm -rf dist
devts-node --transpile-only src/app.ts
dev:link:vara-ethnode scripts/dev-link-vara-eth.mjs
prepublishOnlynpm run build
startnode dist/app.js
testjest
test:smokenpm run build && node scripts/smoke.mjs
test:vara-eth-sails:e2enode scripts/vara-eth-sails-e2e.mjs

Dependencies10

@noble/ciphers^1.2.1
@noble/curves^1.6.0
@noble/hashes^1.6.1
@scure/bip32^1.6.0
@scure/bip39^1.5.0
@vara-eth/apifile:vendor/vara-eth-api-0.5.0-rc.1.tgz
better-sqlite3^11.0.0
kzg-wasm1.0.0
smoldothttps://github.com/ukint-vs/smoldot-gear/releases/download/v2.0.40-gear/smoldot-2.0.40.tgz
viemnpm:@vara-eth/[email protected]