npm · registry.npmjs.org
jazz
Credential file access: matched "GITHUB_TOKEN"
Why PkgRadar flagged 1.0.0
| Severity | Signal | Evidence |
|---|---|---|
| high | Credential file access | matched "GITHUB_TOKEN" · package/.github/workflows/ci-workflow.yaml |
| high | Credential file access | matched "github_token" · package/.github/workflows/release-major-workflow.yaml |
| high | Credential file access | matched "github_token" · package/.github/workflows/release-minor-workflow.yaml |
| high | Credential file access | matched "github_token" · package/.github/workflows/release-patch-workflow.yaml |
| high | Credential file access | matched "GITHUB_TOKEN" · package/.github/workflows/upgrade-deps-workflow.yaml |
| high | Credential file access | matched "github_token" · package/suntory.yml |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/.github/workflows/ci-workflow.yaml |
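Triage for the hits above (an added example; this is not PkgRadar's scanner code and not taken from the jazz package). Every Evidence path sits under `package/`, the tarball root, so the matches are in CI configuration that was published inside the npm tarball; npm does not execute `.github/workflows/` files on install, only the lifecycle scripts declared in `package.json`. In a workflow, `GITHUB_TOKEN` or `github_token` most often appears as `${{ secrets.GITHUB_TOKEN }}`, a reference to the runner-provided token that reads no credential file, while `raw.githubusercontent.com` may be a plain link or a `curl ... | sh`. The report shows only the matched string, not the line it came from, so the deciding step is to fetch the tarball and look. The script below re-runs the same string matches over an extracted package and tags each line with the interpretation a reviewer would act on. The `npm pack`/`tar` commands in the comment are the real path; `make_fixture` builds a constructed directory (not the contents of `jazz-1.0.0.tgz`) so the script runs offline.

```shell
#!/bin/sh
# Added triage helper for PkgRadar-style string hits. Example code, not part
# of PkgRadar and not from the jazz package. Tags each match so the reviewer
# can tell a ${{ secrets.* }} reference (runner-provided, no file read) from
# a token-shaped literal, and a referenced URL from one piped into a shell.
#
# Real use (network required; 'npm pack' writes jazz-1.0.0.tgz, whose root
# directory is package/):
#   npm pack [email protected] && tar -xzf jazz-1.0.0.tgz && triage_pkg package

triage_pkg() {
  # -r recurse, -n file:line prefix, -i folds GITHUB_TOKEN / github_token.
  grep -rniE 'github_token|raw\.githubusercontent\.com' "$1" |
  while IFS= read -r hit; do
    # Precedence: the most worrying reading of a line wins.
    if printf '%s\n' "$hit" | grep -qE 'raw\.githubusercontent\.com.*[|][[:space:]]*(sh|bash|node)([[:space:]]|$)'; then
      tag=REMOTE_EXEC    # fetched and piped into an interpreter: read what the URL serves
    elif printf '%s\n' "$hit" | grep -qE 'gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,}'; then
      tag=LITERAL_TOKEN  # token-shaped literal (GitHub PAT/OAuth/app prefixes): treat as a leak
    elif printf '%s\n' "$hit" | grep -qE '[$][{][{] *secrets[.][A-Za-z0-9_]+ *[}][}]'; then
      tag=SECRETS_REF    # ${{ secrets.X }}: resolved only inside GitHub Actions, reads no file
    elif printf '%s\n' "$hit" | grep -q 'raw\.githubusercontent\.com'; then
      tag=REMOTE_REF     # URL present but not executed on this line
    else
      tag=MENTION        # the name appears in prose, a comment, or a key with no secret value
    fi
    printf '%s\t%s\n' "$tag" "$hit"
  done
}

# Constructed stand-in for an extracted tarball, written to exercise every
# branch above. These are NOT the real files from jazz 1.0.0.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/package/.github/workflows"
  cat > "$d/package/.github/workflows/ci-workflow.yaml" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: curl -fsSL https://raw.githubusercontent.com/example/tools/main/setup.sh | sh
      - uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
EOF
  # Constructed, invalid, sequential 36-character ghp_ string: exercises LITERAL_TOKEN.
  cat > "$d/package/suntory.yml" <<'EOF'
github_token: ghp_0123456789abcdefghijklmnopqrstuvwxyz
EOF
  # Plain documentation mention: exercises MENTION.
  printf 'Set GITHUB_TOKEN in the environment before running release scripts.\n' > "$d/package/README.md"
  printf '%s\n' "$d/package"
}

# Stand-alone run over the constructed fixture.
triage_pkg "$(make_fixture)"
```

Read the output as: `REMOTE_EXEC` and `LITERAL_TOKEN` justify the high severity on their own; `SECRETS_REF`, `REMOTE_REF` and `MENTION` are the benign readings of the same strings, and a package whose hits are all of that kind is a candidate for an allowlist rather than a block. Either way the URL behind a `REMOTE_EXEC` line has to be fetched and read before the verdict is final.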
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 1.0.0 | Review | 100 | 2026-05-24 |
| 0.0.14 | Low risk | 0 | 2026-05-24 |
| 0.0.18 | Low risk | 0 | 2026-05-24 |
Block this in CI
pkgradar gate --ecosystem npm [email protected]