PkgRadar

Package evidence

[email protected]

Remote Payload: matched "curl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
6,507Niche · −30% score
Versions published
1,330Mature · −50% score
First published
Oct 2016
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes4,024,527
Previous version36.1.1
Published2026-06-03T14:50:45.556Z
SHA-2560d0cd745de57ca1a3ee1871b8a5c05e3885bc90fc239d4d2b545017f38840eaa

Why flagged

What the scanner saw

Remote Payload: matched "curl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
36.1.2Version
Status history (1 event)
  1. newavailable · risk review · score 3 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/Sources/Common/System/MobileVR/fetchDatabase.shmatched "curl "12
Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumRemote Payloadpackage/Sources/Common/System/MobileVR/fetchDatabase.shmatched "curl "12
lowLarge Javascript Payloadpackage/vtk-lite.js2305163 bytes0
lowLarge Javascript Payloadpackage/vtk.js2305163 bytes0

Manifest

Package metadata

Scripts35
  • buildnpm run build:esm && npm run build:umd
  • build:esmnpm run build:pre && cross-env BUILD_TARGET=esm vite build
  • build:prepatch-package
  • build:releasenpm run lint && npm run build
  • build:umdnpm run build:pre && cross-env BUILD_TARGET=umd vite build
  • commitgit cz
  • dev:esmcross-env BUILD_TARGET=esm vite build --watch
  • dev:umdcross-env BUILD_TARGET=umd vite build --watch
  • docs:buildvitepress build Documentation
  • docs:build-examplesnpm run docs:prepare && node ./Documentation/scripts/build-examples.mjs
  • docs:devvitepress dev Documentation
  • docs:generatenpm run docs:generate-api && npm run docs:generate-examples && npm run docs:generate-sidebar && npm run docs:generate-gallery
  • docs:generate-apinpm run docs:prepare && node ./Documentation/scripts/generate-api-docs.mjs
  • docs:generate-examplesnpm run docs:prepare && node ./Documentation/scripts/generate-examples.mjs
  • docs:generate-gallerynpm run docs:prepare && node ./Documentation/scripts/generate-gallery.mjs
  • docs:generate-sidebarnpm run docs:prepare && node ./Documentation/scripts/generate-sidebar-config.mjs
  • docs:preparenpm run build:pre
  • docs:servevitepress serve Documentation
  • examplenode ./Utilities/ExampleRunner/example-runner-cli.mjs
  • example:httpsnode ./Utilities/ExampleRunner/example-runner-cli.mjs --server-type https
  • example:webgpucross-env WEBGPU=1 NO_WEBGL=1 node ./Utilities/ExampleRunner/example-runner-cli.mjs --server-type https
  • lintoxlint Sources Examples
  • lint-fixoxlint --fix Sources Examples
  • preparenode ./Utilities/prepare.js
  • reformatoxfmt --write "Sources/**/*.[tj]s" "Examples/**/*.[tj]s"
  • reformat-onlyoxfmt --write
  • release:create-packagesnode ./Utilities/ci/build-npm-package.js
  • semantic-releasesemantic-release
  • testvitest run
  • test:debugvitest run --reporter=verbose
  • …and 5 more.
Dependencies13
  • @types/webxr0.5.5
  • commander9.2.0
  • d3-scale4.0.2
  • fast-deep-equal3.1.3
  • fflate0.7.3
  • gl-matrix3.4.3
  • globalthis1.0.3
  • seedrandom3.0.5
  • shelljs0.8.5
  • spark-md53.0.2
  • utif3.1.0
  • webworker-promise0.5.0
  • xmlbuilder24.0.3