Package evidence

@cdktn/[email protected]

Credential file access: matched "GITHUB_TOKEN"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 827
Versions published: 17
First published: Jan 2026
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@cdktn/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@cdktn/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes203,020

Previous version0.7.39

Published2026-05-27T14:51:59.262Z

SHA-256454d9218dc1a1c7661efdde1b313dd9b46ba73e588f9dd2fe9b2107592483571

Why flagged

What the scanner saw

Credential file access: matched "GITHUB_TOKEN"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

16d agoLast checked

reviewRisk

7Score

0.7.40Version

Status history (1 event)

new → available16d ago · risk review · score 7 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 5 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/lib/auto-approve.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/lib/auto-close-community-issues.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/lib/deprecate-packages.js	matched "NPM_TOKEN"	5
low	Credential file access	package/lib/index.js	matched "GITHUB_TOKEN"	5
low	Credential file access	package/lib/provider-upgrade.js	matched "GITHUB_TOKEN"	5

Manifest

Package metadata

Scripts24

buildnpx projen build
bumpnpx projen bump
clobbernpx projen clobber
compatnpx projen compat
compilenpx projen compile
defaultnpx projen default
docgennpx projen docgen
ejectnpx projen eject
eslintnpx projen eslint
eslint:fixnpx projen eslint:fix
packagenpx projen package
package-allnpx projen package-all
package:jsnpx projen package:js
post-compilenpx projen post-compile
post-upgradenpx projen post-upgrade
pre-compilenpx projen pre-compile
projennpx projen
releasenpx projen release
testnpx projen test
test:watchnpx projen test:watch
unbumpnpx projen unbump
upgradenpx projen upgrade
validate-workflowsnpx projen validate-workflows
watchnpx projen watch

Dependencies2

change-case^4.1.2
fs-extra^10.1.0