Package evidence

@controlplane/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 130Mature · −50% score
First published: Dec 2020
Publisher: jvassev

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@controlplane/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@controlplane/[email protected]"],"fail_on":"review"}'

Publisherjvassev

Artifact bytes349,768

Previous version3.9.1

Published2026-03-16T17:23:35.251Z

SHA-2564b742693b547437981e4b1b23fe3e30d0a0f2716ce7b8b2dc90f6b8e373c57a0

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

8h agoLast checked

reviewRisk

1Score

3.10.0Version

Status history (1 event)

new → available8h ago · risk review · score 1 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/dist/src/commands/secret.js	matched "AWS_ACCESS_KEY"	5

Manifest

Package metadata

Scripts13

build(cd login-ui && pnpm build) && tsc && cp -r src/cli/completion/scripts dist/src/cli/completion/
build:livetsc -w
cleanrm -fr dist && cd login-ui && pnpm clean
debug:clinode --inspect-brk=19046 -r ts-node/register src/cpln.ts
pkgnpm run build && pkg -c cpln.json --out-path dist/ dist/src/cpln.js && pkg -c docker-credential-cpln.json --out-path dist/ dist/src/docker-credential-cpln.js
pkg-macosnpm run build && pkg -c cpln-macos.json --out-path dist/ dist/src/cpln.js && pkg -c docker-credential-cpln-macos.json --out-path dist/ dist/src/docker-credential-cpln.js
prepare:wcd login-ui && npm run build:w
testjest --verbose --testPathIgnorePatterns test/
test-extendedjest --verbose --config jest.extended.config.js --testPathPattern test/extended --globalSetup '<rootDir>/test/globalSetup.ts'
test-itjest --verbose --testPathPattern test/it --globalSetup '<rootDir>/test/globalSetup.ts'
test:cleanupts-node test/cleanup.ts
test:covjest --coverage --testPathIgnorePatterns test/
test:wnpm run test -- --watch

Dependencies33

adm-zip^0.5.16
async-mutex^0.5.0
axios^1.7.4
axios-retry^4.5.0
base32-encode^1.2.0
base64url^3.0.1
chalk^3.0.0
cli-highlight^2.1.11
cli-progress3.12.0
express^4.21.0
get-stdin-with-tty^6.0.0
humanize-duration^3.32.1
inquirer^8.2.6
jose^5.9.6
js-yaml^4.1.1
json-colorizer^3.0.1
json-stable-stringify^1.1.1
jwt-decode^4.0.0
lodash^4.17.23
mkdirp^3.0.1
open^8.4.2
pako^2.1.0
semver^7.6.3
sha256-file^1.0.0
table^6.9.0
tar-stream^3.1.7
targz^1.0.1
tmp^0.2.4
url-pattern^1.0.3
uuid^10.0.0
…and 3 more.