npm · registry.npmjs.org

obfuscator-io-metro-plugin

Credential file access: matched "NPM_TOKEN"

Why PkgRadar flagged 2.1.3

Severity	Signal	Evidence
high	Credential file access	matched "NPM_TOKEN" · package/.github/workflows/npm-publish.yml

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.2.1`	Low risk	0	2026-05-27
`2.2.0`	Low risk	0	2026-05-24
`2.1.3`	Review	30	2026-05-24
`2.1.4`	Low risk	0	2026-05-24

Block this in CI

PkgRadar gates obfuscator-io-metro-plugin (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]