PkgRadar

Package evidence

@datalayer/[email protected]

Credential file access: matched "AWS_SECRET_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
39Established · −30% score
First published
Jul 2025
Publisher
echarles

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@datalayer/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@datalayer/[email protected]"],"fail_on":"review"}'
Publisherecharles
Artifact bytes1,291,448
Previous version1.0.22
Published2026-06-05T12:05:33.737Z
SHA-2563d41c4e3bee08503d9154c8d546e14c5975c004da0a2e2330034af9984cbaa73

Why flagged

What the scanner saw

Credential file access: matched "AWS_SECRET_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
1.0.23Version
Status history (1 event)
  1. newavailable · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/lib/views/datasources/DatasourceNew.jsmatched "AWS_SECRET_ACCESS_KEY"5

Manifest

Package metadata

Scripts54
  • apply:patchesbash scripts/apply-patches.sh
  • buildnpm run clean && gulp resources-to-lib && tsc -b && vite build
  • build-storybookstorybook build
  • build:allnpm run build && npm run build:examples
  • build:examplesnpm run build:nextjs
  • build:libnpm run clean:lib && gulp resources-to-lib && tsc -b && node scripts/fix-esm-imports.cjs
  • build:nextjsnpm run build --workspace=nextjj-example
  • build:typesnpm run clean:lib && tsc -b
  • checknpm run format:check && npm run lint:all && npm run type-check:all
  • check:fixnpm run format:all && npm run lint:fix && npm run type-check:all
  • cleanrimraf lib dist build tsconfig.tsbuildinfo
  • clean:cacherimraf node_modules/.vite
  • clean:distrimraf dist
  • clean:librimraf lib tsconfig.tsbuildinfo
  • create:patchesbash scripts/create-patches.sh
  • devvite
  • docsmake typedoc && make pydoc && cd docs && npm install && npm run build
  • examplesrun-p jupyter:start examples:vite
  • examples:freshnpm run clean:cache && npm run examples
  • examples:nextjsnpm run dev --workspace=nextjj-example
  • examples:viteVITE_DATALAYER_RUN_URL=http://localhost:8888 vite --config vite.examples.config.ts
  • formatprettier --write "src/**/*.{js,jsx,ts,tsx,css,json,md}" "examples/**/*.{js,jsx,ts,tsx,css,json,md,mjs}"
  • format:allnpm run format && npm run format --workspaces --if-present
  • format:checkprettier --check "src/**/*.{js,jsx,ts,tsx,css,json,md}" "examples/**/*.{js,jsx,ts,tsx,css,json,md,mjs}"
  • format:check:allnpm run format:check && npm run format:check --workspaces --if-present
  • format:fixnpm run format
  • format:fix:allnpm run format:all
  • jupyter:start./dev/sh/start-jupyter-server.sh
  • kill./dev/sh/kill.sh || true
  • linteslint . --quiet
  • …and 24 more.
Dependencies71
  • @datalayer/icons-react^1.0.7
  • @datalayer/jupyter-lexical^1.0.16
  • @datalayer/jupyter-react^2.0.7
  • @datalayer/primer-addons^1.0.15
  • @datalayer/primer-rjsf^1.0.3
  • @fluentui/react^8.125.3
  • @jupyter-widgets/base-manager^1.0.12
  • @jupyter-widgets/schema^0.5.6
  • @jupyterlab/apputils^4.6.0
  • @jupyterlab/cells^4.5.0
  • @jupyterlab/codeeditor^4.5.0
  • @jupyterlab/coreutils^6.0.0
  • @jupyterlab/documentsearch^4.5.0
  • @jupyterlab/rendermime^4.5.0
  • @jupyterlab/services^7.0.0
  • @jupyterlab/translation^4.5.0
  • @jupyterlab/ui-components^4.5.0
  • @lumino/commands^2.3.3
  • @lumino/coreutils^2.2.2
  • @lumino/datagrid^2.5.3
  • @lumino/disposable^2.1.5
  • @lumino/polling^2.1.5
  • @lumino/signaling^2.1.5
  • @lumino/widgets^2.7.3
  • @primer/behaviors^1.8.4
  • @primer/brand-primitives^0.51.0
  • @primer/css^21.5.1
  • @primer/octicons-react^19.15.1
  • @primer/primitives^10.5.0
  • @primer/react^37.19.0
  • …and 41 more.
Optional dependencies1
  • @github/keytar^7.10.6