npm · registry.npmjs.org

azure-pipelines-task-lib

Credential file access: matched ".npmrc"

Why PkgRadar flagged 2.9.2

Severity	Signal	Evidence
medium	Credential file access	matched ".npmrc" · package/_download/archive/https___nodejs.org_dist_v5.10.1_node-v5.10.1-darwin-x64.tar.gz/node-v5.10.1-darwin-x64/lib/node_modules/npm/lib/config/core.js
medium	Credential file access	matched ".npmrc" · package/_download/archive/https___nodejs.org_dist_v5.10.1_node-v5.10.1-darwin-x64.tar.gz/node-v5.10.1-darwin-x64/lib/node_modules/npm/lib/config/defaults.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`3.1.1`	Low risk	0	2026-06-10
`2.9.2`	Review	15	2026-06-10
`5.2.10`	Low risk	0	2026-06-10
`5.2.7`	Low risk	0	2026-06-10
`5.2.8`	Low risk	0	2026-06-10
`5.2.11`	Low risk	0	2026-06-10

Block this in CI

PkgRadar gates azure-pipelines-task-lib (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]