Package evidence

@chatlayer/[email protected]

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 142
Versions published: 59Mature · −50% score
First published: Feb 2022
Publisher: miguel.carvajal

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@chatlayer/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@chatlayer/[email protected]"],"fail_on":"review"}'

Publishermiguel.carvajal

Artifact bytes36,678

Previous version1.0.1

Published2024-11-22T11:47:25.200Z

SHA-256058d795ec7f5cefe52dde523026a9735a5bb57785a670e2e3a917e521d5cbd7c

Why flagged

What the scanner saw

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

20d agoLast checked

reviewRisk

10Score

1.0.2Version

Status history (1 event)

new → available20d ago · risk review · score 10 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Credential file access	package/src/gcp/CloudFunctionClient.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	10

Show all 3 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Credential file access	package/src/gcp/CloudFunctionClient.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	10
low	Credential file access	package/src/cli_commands/build.js	matched ".npmrc"	5
low	Credential file access	package/src/gcp/CloudFunction.js	matched "NPM_TOKEN"	5

Manifest

Package metadata

Scripts3

formatprettier --write src/**/*.js
pre-commitlint-staged
testjest

Dependencies39

@chatlayer/blip1.1.1
@oclif/core^1.6.3
@oclif/plugin-help^5.1.12
adm-zip^0.5.5
archiver^5.3.0
atomic-sleep^1.0.0
axios0.26.1
browserify^17.0.0
colors1.4.0
console^0.7.2
esbuild0.24.0
fast-redact^3.0.2
fastify-warning^0.2.0
flatstr^1.0.12
form-data^4.0.0
fs-extra^10.0.0
gaxios^4.3.2
google-auth-library^7.6.2
googleapis85.0.0
gulp-filter^7.0.0
gulp-prettier^4.0.0
ignore^5.1.8
jsonschema^1.4.0
klaw4.1.0
lodash^4.17.21
node-fetch^2.6.1
ora5.4.0
parse-gitignore^1.0.1
pino^6.13.2
pino-std-serializers^4.0.0
…and 9 more.