Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 694,325Ubiquitous · −70% score
- Versions published
- 437Mature · −50% score
- First published
- Jul 2016
- Publisher
- verdaccio.npm
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Looks clean — keep monitoringNo high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
No high-signal static finding in the saved report.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk low · score 0 · status changed
Evidence
Static findings
No findings stored for this release.
Manifest
Package metadata
Scripts24
code:buildyarn babel src/ --out-dir build/ --copy-files --extensions ".ts,.tsx" --source-maps inlinecode:docker-buildyarn babel src/ --out-dir build/ --copy-files --extensions ".ts,.tsx"coverage:publishcodecovdev:startyarn babel-node --extensions ".ts,.tsx" src/lib/clidockerdocker build -t verdaccio/verdaccio:local . --no-cachedocker:rundocker run -it --rm -p 4873:4873 verdaccio/verdaccio:localformatprettier --single-quote --trailing-comma none --write "{src,test}/**/*.ts"format:checkprettier --check "**/*.{js,jsx,ts,tsx,json,yml,yaml,md}" --debug-checklintyarn run type-check && yarn run lint:tslint:lockfilelockfile-lint --path yarn.lock --type yarn --validate-https --allowed-hosts verdaccio npm yarnlint:tseslint "**/*.{js,jsx,ts,tsx}"pre:ciyarn run lintprepublishin-publish && yarn run code:build || not-in-publishpretestyarn run code:buildreleasestandard-version -a -stestyarn run test:unittest:allyarn run test && yarn run test:functional && yarn run test:e2e & yarn run test:e2e:pkgtest:cleannpx jest --clearCachetest:e2eyarn jest --config ./test/jest.config.e2e.jstest:e2e:clicross-env NODE_ENV=test jest --config ./test/e2e-cli/jest.config.e2e.cli.js --passWithNoTeststest:functionalcross-env NODE_ENV=test jest --config ./test/jest.config.functional.js --testPathPattern ./test/functional/index* --passWithNoTeststest:unitcross-env NODE_ENV=test TZ=UTC FORCE_COLOR=1 jest --config ./jest.config.js --maxWorkers 2 --passWithNoTeststype-checktsc --noEmittype-check:watchyarn run type-check -- --watch
Dependencies33
@verdaccio/commons-api9.7.1@verdaccio/local-storage9.7.5@verdaccio/readme9.7.5@verdaccio/streams9.7.2@verdaccio/ui-theme1.15.1JSONStream1.3.5async3.2.3body-parser1.19.0bunyan1.8.15commander3.0.2compression1.7.4cookies0.8.0cors2.8.5dayjs1.10.4envinfo7.7.4express4.17.1handlebars4.7.7http-errors1.8.0js-yaml3.14.1jsonwebtoken8.5.1kleur4.1.4lodash4.17.21lunr-mutable-indexes2.3.2marked2.0.1mime2.5.2minimatch3.0.4mkdirp0.5.5mv2.1.1pkginfo0.4.1request2.88.0- …and 3 more.