Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 237
- Versions published
- 111Mature · −50% score
- First published
- Mar 2024
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@aws/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@aws/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched ".aws/"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 29 · status changed
Evidence
Static findings
20 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Credential file access | package/out/language-server/agenticChat/tools/chatDb/chatDb.js | matched ".aws/" | 10 |
Show all 20 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Credential file access | package/out/language-server/agenticChat/tools/chatDb/chatDb.js | matched ".aws/" | 10 |
| low | Credential file access | package/out/shared/constants.js | matched ".aws/" | 5 |
| low | Credential file access | package/node_modules/@amzn/amazon-q-developer-streaming-client/node_modules/@aws-sdk/credential-provider-node/dist-es/defaultProvider.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@amzn/codewhisperer/node_modules/@aws-sdk/credential-provider-node/dist-es/defaultProvider.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/out/language-server/agenticChat/tools/executeBash.js | matched ".npmrc" | 5 |
| low | Credential file access | package/node_modules/@amzn/amazon-q-developer-streaming-client/node_modules/@aws-sdk/credential-provider-env/dist-es/fromEnv.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@amzn/codewhisperer/node_modules/@aws-sdk/credential-provider-env/dist-es/fromEnv.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@amzn/amazon-q-developer-streaming-client/node_modules/@aws-sdk/credential-provider-env/dist-cjs/index.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@amzn/amazon-q-developer-streaming-client/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/index.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/node_modules/@amzn/amazon-q-developer-streaming-client/node_modules/@aws-sdk/credential-provider-node/dist-cjs/index.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@amzn/codewhisperer/node_modules/@aws-sdk/credential-provider-env/dist-cjs/index.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@amzn/codewhisperer/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/index.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/node_modules/@amzn/codewhisperer/node_modules/@aws-sdk/credential-provider-node/dist-cjs/index.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/node_modules/@amzn/amazon-q-developer-streaming-client/node_modules/@aws-sdk/credential-provider-ini/dist-es/resolveStaticCredentials.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/node_modules/@amzn/codewhisperer/node_modules/@aws-sdk/credential-provider-ini/dist-es/resolveStaticCredentials.js | matched "aws_access_key" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="node ./script/install_transitive_dep.js" | 5 |
| low | Credential file access | package/node_modules/@amzn/amazon-q-developer-streaming-client/node_modules/@aws-sdk/credential-provider-ini/package.json | matched ".aws/" | 3 |
| low | Credential file access | package/node_modules/@amzn/amazon-q-developer-streaming-client/node_modules/@aws-sdk/credential-provider-process/package.json | matched ".aws/" | 3 |
| low | Credential file access | package/node_modules/@amzn/codewhisperer/node_modules/@aws-sdk/credential-provider-ini/package.json | matched ".aws/" | 3 |
| low | Credential file access | package/node_modules/@amzn/codewhisperer/node_modules/@aws-sdk/credential-provider-process/package.json | matched ".aws/" | 3 |
Manifest
Package metadata
Scripts14
compiletsc --buildcoverage:checkc8 check-coverage --lines 80 --functions 80 --branches 50 --statements 80coverage:reportc8 report --reporter=html --reporter=textfixnpm run fix:prettierfix:prettierprettier . --writelintnpm run lint:srclint:bundle:webworkerwebpack --config webpack.lint.config.js && eslint bundle/aws-lsp-codewhisperer-webworker.js # Verify compatibility with web runtime targetlint:srceslint src/ --ext .ts,.tsxpostinstallnode ./script/install_transitive_dep.jsprepacknpm run compile && ts-node ../../script/link_bundled_dependencies.tstestnpm run lint && npm run test:unittest:coveragenpm run lint && npm run test:unit:coveragetest:unitts-mocha --timeout 0 -b "./src/**/*.test.ts"test:unit:coveragec8 ts-mocha --timeout 0 -b "./src/**/*.test.ts"
Dependencies41
@amazon/elastic-gumby-frontend-clientfile:../../core/atx-fes-client/amazon-elastic-gumby-frontend-client-1.1.0.tgz@amzn/amazon-q-developer-streaming-clientfile:../../core/q-developer-streaming-client/amzn-amazon-q-developer-streaming-client-1.0.0.tgz@amzn/codewhispererfile:../../core/codewhisperer/amzn-codewhisperer-1.0.0.tgz@amzn/codewhisperer-runtimefile:../../core/codewhisperer-runtime/amzn-codewhisperer-runtime-1.0.0.tgz@amzn/codewhisperer-streamingfile:../../core/codewhisperer-streaming/amzn-codewhisperer-streaming-1.0.0.tgz@aws-sdk/types^3.734.0@aws-sdk/util-arn-parser^3.723.0@aws-sdk/util-retry^3.374.0@aws/chat-client-ui-types0.1.68@aws/language-server-runtimes^0.3.17@aws/lsp-core^0.0.21@modelcontextprotocol/sdk^1.23.0@mozilla/readability^0.6.0@smithy/node-http-handler^2.5.0adm-zip^0.5.10archiver^7.0.1async-mutex^0.5.0axios^1.8.4chokidar^4.0.3deepmerge^4.3.1diff^7.0.0encoding-japanese^2.2.0fast-glob^3.3.3fastest-levenshtein^1.0.16fdir^6.4.3fuse.js^7.1.0got^11.8.5hpagent^1.2.0ignore^7.0.3image-size^2.0.2- …and 11 more.