PkgRadar

Package evidence

@aws/[email protected]

Invalid Package Json: package.json is not valid JSON

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 4,795 (Niche · −30% score)
Versions published: 50
First published: Feb 2026
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@aws/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@aws/[email protected]"],"fail_on":"review"}'

Artifact bytes: 2,308,331
Previous version: 1.0.0-preview.11
Published: 2026-06-05T23:51:04.832Z
SHA-256: 2dc4355ef4dcafec48d85d12221164ef7354909b026083f8acb88e57ccbfca3f

Why flagged

What the scanner saw

Invalid Package Json: package.json is not valid JSON

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 7
Version: 1.0.0-preview.12
Status history (1 event)
  1. new · available · risk review · score 7 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Invalid Package Json | package/dist/assets/typescript/http/strands/base/package.json | package.json is not valid JSON | 10 |
| medium | Invalid Package Json | package/dist/assets/typescript/http/vercelai/base/package.json | package.json is not valid JSON | 10 |
| low | Install-time lifecycle script | package.json | postinstall="node scripts/check-old-cli.mjs" | 5 |
| low | Obfuscation Density | package/npm-shrinkwrap.json | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/dist/cli/index.mjs | 7638688 bytes | 0 |

Manifest

Package metadata

Scripts (28)
  • build: npm run build:lib && npm run build:cli && npm run build:assets
  • build:assets: node scripts/copy-assets.mjs
  • build:cli: node esbuild.config.mjs
  • build:harness: BUILD_HARNESS=1 node esbuild.config.mjs
  • build:lib: tsc -p tsconfig.build.json
  • build:preview: BUILD_PREVIEW=1 node esbuild.config.mjs
  • build:schema: node scripts/generate-schema.mjs && prettier --write schemas/
  • bundle: node scripts/bundle.mjs
  • clean: node -e "require('fs').rmSync('dist', {recursive: true, force: true})"
  • cli: npx tsx src/cli/index.ts
  • format: prettier --cache --write .
  • format:check: prettier --cache --check .
  • lint: eslint --cache src/
  • lint:fix: eslint --cache src/ --fix
  • postinstall: node scripts/check-old-cli.mjs
  • prepare: husky
  • secrets:check: secretlint '**/*'
  • security:audit: npm audit --audit-level=high --omit=dev
  • test: vitest run --project unit
  • test:all: vitest run
  • test:browser: npx playwright test --config browser-tests/playwright.config.ts
  • test:e2e: vitest run --project e2e
  • test:integ: npm run build && vitest run --project integ
  • test:tui: npm run build:harness && vitest run --project tui
  • test:unit: vitest run --project unit --coverage
  • test:update-snapshots: vitest run --project unit --update
  • test:watch: vitest --project unit
  • typecheck: tsc --noEmit --incremental
Dependencies (39)
  • @aws-cdk/cdk-assets-lib ^1.4.10
  • @aws-cdk/toolkit-lib ^1.28.0
  • @aws-sdk/client-application-signals ^3.1003.0
  • @aws-sdk/client-bedrock ^3.1012.0
  • @aws-sdk/client-bedrock-agent ^3.1012.0
  • @aws-sdk/client-bedrock-agentcore ^3.1020.0
  • @aws-sdk/client-bedrock-agentcore-control ^3.1054.0
  • @aws-sdk/client-bedrock-runtime ^3.893.0
  • @aws-sdk/client-cloudformation ^3.893.0
  • @aws-sdk/client-cloudwatch-logs ^3.893.0
  • @aws-sdk/client-efs ^3.1049.0
  • @aws-sdk/client-resource-groups-tagging-api ^3.893.0
  • @aws-sdk/client-s3 ^3.1012.0
  • @aws-sdk/client-s3files ^3.1049.0
  • @aws-sdk/client-sts ^3.893.0
  • @aws-sdk/client-xray ^3.1003.0
  • @aws-sdk/credential-providers ^3.893.0
  • @aws-sdk/region-config-resolver ^3.972.13
  • @aws/agent-inspector 0.5.0
  • @commander-js/extra-typings ^14.0.0
  • @opentelemetry/api ^1.9.1
  • @opentelemetry/exporter-metrics-otlp-http ^0.215.0
  • @opentelemetry/otlp-transformer ^0.213.0
  • @opentelemetry/resources ^2.6.1
  • @opentelemetry/sdk-metrics ^2.6.1
  • @smithy/shared-ini-file-loader ^4.4.2
  • commander ^14.0.2
  • dotenv ^17.2.3
  • fast-json-stable-stringify ^2.1.0
  • fflate ^0.8.2
  • …and 9 more.