PkgRadar

npm · registry.npmjs.org

@heroku-cli/plugin-apps-v5

Credential file access: matched "id_rsa"

Why PkgRadar flagged 8.11.0

SeveritySignalEvidence
mediumCredential file accessmatched "id_rsa" · package/src/commands/keys/add.js

Scanned versions

VersionVerdictScoreScanned (UTC)
8.11.0Review32026-06-08
8.11.1-beta.6Review32026-06-08
8.11.1Review32026-05-27
8.11.2Review32026-05-27

Block this in CI

PkgRadar gates @heroku-cli/plugin-apps-v5 (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @heroku-cli/[email protected]
Start free — 25 scans / moView full evidence