Package evidence

@chainlink/[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 228Mature · −50% score
First published: Sep 2022
Publisher: secure.andrew

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@chainlink/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@chainlink/[email protected]"],"fail_on":"review"}'

Publishersecure.andrew

Artifact bytes6,367,169

Previous version2.1.1

Published2025-03-07T18:15:35.296Z

SHA-256be744fdfdf5f91a8fa1d28504c3871b6c8afed818d335daf5986eb3cc6e4d0fd

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

2d agoLast checked

reviewRisk

10Score

2.1.2Version

Status history (1 event)

new → available2d ago · risk review · score 10 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Credential file access	package/generator-adapter/node_modules/@pnpm/npm-conf/lib/defaults.js	matched ".npmrc"	10
medium	Credential file access	package/generator-adapter/node_modules/@pnpm/npm-conf/index.js	matched ".npmrc"	10

Manifest

Package metadata

Scripts12

buildrm -rf dist/src && mkdir -p ./dist/src && cp package.json dist/src && cp README.md dist/src && tsc && yarn pre-build-generator
build-generatormkdir -p ./dist/src/generator-adapter/generators/app/templates && cp -R scripts/generator-adapter/generators/app/templates dist/src/generator-adapter/generators/app && cp scripts/generator-adapter/package.json dist/src/generator-adapter && cp -R scripts/generator-adapter/node_modules dist/src/generator-adapter && tsc --project scripts/generator-adapter/tsconfig.json && tsc scripts/adapter-generator.ts --outDir dist/src
code-coveragec8 check-coverage --statements 95 --lines 95 --functions 95 --branches 90
generate-docstypedoc src/**/*.ts
generate-ref-tablests-node scripts/metrics-table.ts > docs/reference-tables/metrics.md && ts-node scripts/ea-settings-table.ts > docs/reference-tables/ea-settings.md && yarn prettier --write docs/reference-tables
linteslint --max-warnings=0 . && prettier --check ./src/**/*.ts ./test/**/*.ts ./*.{json,yaml}
lint-fixeslint --max-warnings=0 --fix . && prettier --write ./src/**/*.ts ./test/**/*.ts ./*.{json,yaml}
portal-pathecho "portal:$(readlink -f ./dist/src)"
pre-build-generatorcd scripts/generator-adapter && yarn && cd .. && cd .. && yarn build-generator
testEA_HOST=localhost LOG_LEVEL=error EA_PORT=0 c8 ava
test-debugEA_HOST=localhost LOG_LEVEL=trace DEBUG=true EA_PORT=0 c8 ava --verbose
verifyyarn lint && yarn build && yarn build -p ./test/tsconfig.json && yarn test && yarn code-coverage

Dependencies11

ajv8.17.1
axios1.8.2
eventsource2.0.2
fastify5.2.1
ioredis5.6.0
mock-socket9.3.1
pino9.6.0
pino-pretty13.0.0
prom-client15.1.3
redlock5.0.0-beta.2
ws8.18.1