PkgRadar

npm · registry.npmjs.org

@ossjs/release

Credential file access: matched "GITHUB_TOKEN"

Why PkgRadar flagged 0.10.0

SeveritySignalEvidence
highCredential file accessmatched "GITHUB_TOKEN" · package/bin/build/utils/github/create-comment.js
highCredential file accessmatched "GITHUB_TOKEN" · package/bin/build/utils/github/create-github-release.js
highCredential file accessmatched "GITHUB_TOKEN" · package/bin/build/utils/github/get-commit-authors.js
highCredential file accessmatched "GITHUB_TOKEN" · package/bin/build/utils/github/get-github-release.js
highCredential file accessmatched "GITHUB_TOKEN" · package/bin/build/utils/release-notes/get-release-refs.js
highCredential file accessmatched "GITHUB_TOKEN" · package/bin/build/commands/show.js
highCredential file accessmatched "GITHUB_TOKEN" · package/src/utils/github/create-comment.ts
highCredential file accessmatched "GITHUB_TOKEN" · package/src/utils/github/create-github-release.ts
highCredential file accessmatched "GITHUB_TOKEN" · package/src/utils/github/get-commit-authors.ts
highCredential file accessmatched "GITHUB_TOKEN" · package/src/utils/github/get-github-release.ts
highCredential file accessmatched "GITHUB_TOKEN" · package/src/utils/release-notes/get-release-refs.ts
highCredential file accessmatched "GITHUB_TOKEN" · package/src/commands/show.ts

Scanned versions

VersionVerdictScoreScanned (UTC)
0.10.0Review372026-06-10
0.10.1Review222026-06-10
0.11.0Review222026-06-10
0.9.0Review312026-06-10

Block this in CI

PkgRadar gates @ossjs/release (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @ossjs/[email protected]
Start free — 25 scans / moView full evidence