Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 239
- Versions published
- 233Mature · −50% score
- First published
- Aug 2024
- Publisher
- illesg
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Large Javascript Payload: 2157012 bytes
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 32 · status changed
Evidence
Static findings
8 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/metadata/TextBox-D-3iXLdI.js | 2157012 bytes | 10 |
| medium | Large Javascript Payload | package/dist/standalone/xmlui-standalone.umd.js | 4284472 bytes | 10 |
| medium | Large Javascript Payload | package/dist/lib/xmlui.js | 2117248 bytes | 10 |
| medium | Large Javascript Payload | package/dist/nodejs/bin/dist-BrzOM4ND.mjs | 5754174 bytes | 10 |
| medium | Large Javascript Payload | package/dist/nodejs/bin/typescript-DqXqqY-f.mjs | 7843382 bytes | 10 |
Show all 8 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/metadata/TextBox-D-3iXLdI.js | 2157012 bytes | 10 |
| medium | Large Javascript Payload | package/dist/standalone/xmlui-standalone.umd.js | 4284472 bytes | 10 |
| medium | Large Javascript Payload | package/dist/lib/xmlui.js | 2117248 bytes | 10 |
| medium | Large Javascript Payload | package/dist/nodejs/bin/dist-BrzOM4ND.mjs | 5754174 bytes | 10 |
| medium | Large Javascript Payload | package/dist/nodejs/bin/typescript-DqXqqY-f.mjs | 7843382 bytes | 10 |
| low | Credential file access | package/dist/metadata/apiInterceptorWorker-Cj18AtSS.cjs | matched ".azure" | 5 |
| low | Credential file access | package/dist/metadata/apiInterceptorWorker-Cw7K9ZKO.js | matched ".azure" | 5 |
| low | Credential file access | package/dist/lib/apiInterceptorWorker-nSA-hoBP.js | matched ".azure" | 5 |
Manifest
Package metadata
Scripts23
build:for-nodetsdownbuild:inspector-parservite build --mode inspector-parserbuild:xmluivite build --mode libbuild:xmlui-metadatavite build --mode metadatabuild:xmlui-standalonevite build --mode standalonebuild:xmlui-test-bedcd src/testing/infrastructure && xmlui build --build-mode=INLINE_ALL --withHostingMetaFiles --withMockcheck:css-chunksnode scripts/inspect-css-chunks.mjscheck:metadata-puritynode scripts/check-metadata-purity.mjsexport-themesnpm run build:xmlui-metadata && node scripts/generate-docs/create-theme-files.mjsgen:langserver-metadatanode scripts/get-langserver-metadata.js > src/language-server/xmlui-metadata-generated.jsgenerate-all-docsnpm run build:xmlui-metadata && npm run generate-docs && npm run generate-docs-summariesgenerate-context-vars-summarynpm run build:xmlui-metadata && node scripts/generate-docs/generate-context-vars-summary.mjsgenerate-docsnode scripts/generate-docs/get-docs.mjsgenerate-docs-summariesnode scripts/generate-docs/generate-summary-files.mjslinteslint --ignore-path .gitignore --cache --cache-location ./node_modules/.cache/eslint .pack:localclean-package && npm pack && clean-package restorepostpublishclean-package restoreprepublishOnlyclean-packagestart-test-bedcd src/testing/infrastructure && xmlui starttest:e2eplaywright test -c ..test:e2e-summarynode scripts/e2e-test-summary.jstest:e2e-website-examplesplaywright test -c .. --grep "@website"test:unitvitest run
Dependencies68
@eslint-community/regexpp4.10.0@formkit/auto-animate0.7.0@modyfi/vite-plugin-yaml1.1.1@popperjs/core2.11.6@radix-ui/react-accordion1.2.12@radix-ui/react-alert-dialog1.1.15@radix-ui/react-dialog1.1.15@radix-ui/react-dropdown-menu2.1.16@radix-ui/react-hover-card1.1.15@radix-ui/react-popover1.1.15@radix-ui/react-radio-group1.3.8@radix-ui/react-select2.2.6@radix-ui/react-slider1.3.6@radix-ui/react-tabs1.1.13@radix-ui/react-tooltip1.2.8@radix-ui/react-visually-hidden1.2.4@react-spring/web^10.0.2@remix-run/react2.17.4@tanstack/react-query^4.36.1@tanstack/react-table8.17.3@vitejs/plugin-react^6.0.0adm-zip0.5.10chroma-js^3.1.2classnames2.5.1color4.2.3date-fns2.30.0dexie3.2.4dotenv16.3.1embla-carousel-autoplay^8.3.0embla-carousel-react^8.3.0- …and 38 more.