PkgRadar

npm · registry.npmjs.org

composable.env

Credential file access: matched ".ssh"

Why PkgRadar flagged 1.37.7

SeveritySignalEvidence
mediumCredential file accessmatched ".ssh" · package/dist/src/vault.js

Scanned versions

VersionVerdictScoreScanned (UTC)
1.37.7Review72026-05-26
1.37.6Review72026-05-26
1.37.5Review102026-05-25
1.37.2Review72026-05-25
1.37.4Review72026-05-25
1.36.0Review102026-05-25
1.37.0Review102026-05-25
1.34.1Review422026-05-24
1.34.0Review422026-05-24

Block this in CI

PkgRadar gates composable.env (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence