PkgRadar

Package evidence

[email protected]

New Account With Lifecycle Hook: package first published 87 day(s) ago, 10 total version(s), has lifecycle hook

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
453
Versions published
10
First published
Mar 2026
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes906,409
Previous version1.1.1
Published2026-06-12T00:20:31.830Z
SHA-256ff346ad9379b4e93dac0d8a6a753e29a83d449f8710e09c008b60c1d0f3881be

Why flagged

What the scanner saw

New Account With Lifecycle Hook: package first published 87 day(s) ago, 10 total version(s), has lifecycle hook

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
1Score
1.1.2Version
Status history (1 event)
  1. newavailable · risk review · score 1 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumNew Account With Lifecycle Hookpackage.jsonpackage first published 87 day(s) ago, 10 total version(s), has lifecycle hook10
Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumNew Account With Lifecycle Hookpackage.jsonpackage first published 87 day(s) ago, 10 total version(s), has lifecycle hook10
lowInstall-time lifecycle scriptpackage.jsonpreinstall="node ./scripts/check-node-version.cjs"5

Manifest

Package metadata

Scripts39
  • bench:allnpm run bench:media && npm run bench:binary && npm run bench:crypto && npm run bench:store:memory
  • bench:binarynode --expose-gc --import tsx bench/binary-codec.bench.ts
  • bench:commentnode ./scripts/build-bench-comment.cjs
  • bench:cryptonode --expose-gc --import tsx bench/crypto-core.bench.ts
  • bench:medianode --expose-gc --import tsx bench/media-streaming.bench.ts
  • bench:store:memorynode --expose-gc --import tsx bench/store-memory.bench.ts
  • buildnpm run clean && npm run build:cjs && npm run build:esm && npm run build:types && npm run build:esm:finalize
  • build:cjstsc -p tsconfig.build.cjs.json && tsc-alias -p tsconfig.build.cjs.json
  • build:esmtsc -p tsconfig.build.esm.json && tsc-alias -p tsconfig.build.esm.json
  • build:esm:finalizenode ./scripts/finalize-esm-build.cjs --proto-bridge
  • build:packagesturbo run build
  • build:typestsc -p tsconfig.build.types.json && tsc-alias -p tsconfig.build.types.json
  • changesetchangeset
  • changeset:statuschangeset status --verbose
  • cleannode -e "require('node:fs').rmSync('dist', { recursive: true, force: true })"
  • exampletsx examples/example.ts
  • formatprettier . --write
  • format:checkprettier . --check
  • linteslint . --ext .ts,.js,.cjs
  • lint:fixeslint . --ext .ts,.js,.cjs --fix
  • preinstallnode ./scripts/check-node-version.cjs
  • prepacknpm run build
  • proto:generatenode ./scripts/generate-proto.cjs
  • release:publishnpm run build && npm run build:packages && changeset publish
  • testnpm run test:structure && node --import tsx --test --test-skip-pattern "\\[flow\\]" "src/**/__tests__/**/*.test.ts"
  • test:coveragenpm run test:structure && c8 --all --include "src/**/*.ts" --exclude "src/**/*.d.ts" --exclude "src/**/__tests__/**" --exclude "src/**/types.ts" --exclude "src/store/contracts/**/*.ts" --reporter text --reporter html --reporter lcov node --import tsx --test --test-skip-pattern "\\[flow\\]" "src/**/__tests__/**/*.test.ts"
  • test:coverage:opennode -e "require('node:child_process').execSync(process.platform === 'win32' ? 'start coverage\\index.html' : process.platform === 'darwin' ? 'open coverage/index.html' : 'xdg-open coverage/index.html', { stdio: 'inherit' })"
  • test:flownode --import tsx --test --test-concurrency=1 "src/**/__tests__/**/*.flow.test.ts"
  • test:flow:watchnode --import tsx --test --watch --test-concurrency=1 "src/**/__tests__/**/*.flow.test.ts"
  • test:packagesturbo run test
  • …and 9 more.