Package evidence

@decaf-ts/[email protected]

Credential file access: matched ".npmrc"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@decaf-ts/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@decaf-ts/[email protected]"],"fail_on":"high"}'

Publishertvenceslau

Artifact bytes623,465

Previous version0.12.6

Published2026-05-18T15:02:28.061Z

SHA-25628e85a9deda3a1580cdb2d3df2bb55b7518a492cab51803b9e040809694374f5

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

24d agoLast checked

highRisk

120Score

0.12.7Version

Status history (1 event)

new → available24d ago · risk high · score 120 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

tvenceslau

8 members · evidence strength 84

Evidence

Static findings

13 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential file access	package/lib/cjs/cli-module.cjs	matched ".npmrc"	30
high	Credential file access	package/lib/esm/cli-module.js	matched ".npmrc"	30
high	Credential file access	package/package.json	matched "NPM_TOKEN"	30

Show all 13 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Credential file access	package/lib/cjs/cli-module.cjs	matched ".npmrc"	30
high	Credential file access	package/lib/esm/cli-module.js	matched ".npmrc"	30
high	Credential file access	package/package.json	matched "NPM_TOKEN"	30
low	Obfuscation	package/lib/cjs/client/crypto.cjs	matched "Buffer.from(str, \"base64"	3
low	Obfuscation	package/lib/cjs/client/fabric-fs.cjs	matched "Buffer.from(str, \"base64"	3
low	Obfuscation	package/lib/cjs/client/FabricClientStatement.cjs	matched "\\u0000"	3
low	Obfuscation	package/dist/for-fabric.cjs	matched "Buffer.from(t.x\|\|\"\",\"base64"	3
low	Obfuscation	package/lib/cjs/client/utils.cjs	matched "Buffer.from(jwk.x \|\| \"\", \"base64"	3
low	Obfuscation	package/lib/esm/client/crypto.js	matched "Buffer.from(str, \"base64"	3
low	Obfuscation	package/lib/esm/client/fabric-fs.js	matched "Buffer.from(str, \"base64"	3
low	Obfuscation	package/lib/esm/client/FabricClientStatement.js	matched "\\u0000"	3
low	Obfuscation	package/dist/for-fabric.js	matched "Buffer.from(e.x\|\|\"\",\"base64"	3
low	Obfuscation	package/lib/esm/client/utils.js	matched "Buffer.from(jwk.x \|\| \"\", \"base64"	3

Manifest

Package metadata

Scripts44

builddecaf build --dev && sed -i -e '1i#!/usr/bin/env node\' lib/cjs/bin/cli.cjs
build:contractdecaf fabric compile-contract --sourcemaps --dev --debug --bundle --name ${CONTRACT_NAME:-GlobalContract} --input ./src/contract --output ./docker/infrastructure/chaincode && LEVEL=verbose decaf fabric extract-indexes --folder ./lib/cjs/contract --outDir ./docker/infrastructure/chaincode/${CONTRACT_NAME:-GlobalContract}
build:contract2decaf fabric compile-contract --debug --bundle --name ${CONTRACT_NAME:-GlobalContract} --input ./src/contract --output ./docker/infrastructure/chaincode && LEVEL=verbose decaf fabric extract-indexes --folder ./lib/cjs/contract --outDir ./docker/infrastructure/chaincode/${CONTRACT_NAME:-GlobalContract}
build:proddecaf build --prod && sed -i -e '1i#!/usr/bin/env node\' lib/cjs/bin/cli.cjs
clean-publishnpx clean-publish
copy-storagesudo cp -R docker/infrastructure/storage docker/docker-data/ && sudo chmod -R 755 docker/docker-data
copy:cryptodecaf fabric get-crypto-material --folder ./docker/docker-data
coveragerimraf ./workdocs/reports/data/*.json && npm run test:unit -- --coverage --config=./workdocs/reports/jest.coverage.config.cjs
deploy:contractdecaf fabric deploy-contract --name ${CONTRACT_NAME:-GlobalContract} --input ${CONTRACT_NAME:-GlobalContract}
do-installNPM_TOKEN=$(cat .npmtoken) npm install
docsnpx rimraf ./docs && mkdir docs && build-scripts --docs
drawingsfor FILE in workdocs/drawings/*.drawio; do echo "converting $FILE to image..." && docker run --rm -v $(pwd):/data rlespinasse/drawio-export --format png $FILE; done && cp -rf workdocs/drawings/export/* workdocs/resources/
extract:collectionsdecaf fabric extract-collections --folder ./lib/cjs/contract --outDir ./docker/infrastructure/chaincode/GlobalContract --mspIds '["org-b","org-c"]' --mainMspId org-a
extract:indexesdecaf fabric extract-indexes --folder ./lib/cjs/contract --outDir ./docker/infrastructure/chaincode/GlobalContract
flash-forwardnpx npm-check-updates -u && npm run do-install
infrastructure-hsm:downdocker compose -f ./docker/infrastructure/docker-compose-hsm.yaml down --rmi local -v
infrastructure-hsm:updocker compose -f ./docker/infrastructure/docker-compose-hsm.yaml up -d
infrastructure:downdocker compose -f ./docker/infrastructure/docker-compose.yaml down --rmi local -v && rm -rf ./docker/docker-data && rm -f ./tests/integration/chaincodeTrackers/*.count
infrastructure:updocker compose -f ./docker/infrastructure/docker-compose.yaml up -d
linteslint .
lint-fixeslint --fix .
on-first-runnpx update-scripts --boot
prepare-prnpm run lint-fix && npm run build:prod && npm run coverage && npm run docs
prepare-releasenpm run build:prod
publish-docsdocker run -it --rm --user $(id -u):$(id -g) -v "$(pwd)/workdocs/confluence:/content" -e ATLASSIAN_API_TOKEN=$(cat .confluence-token) ghcr.io/markdown-confluence/publish:latest
release./bin/tag-release.sh
repo:doccodex exec "$(cat ./.codex/prompts/doc.md) $(cat ./.codex/prompts/bulk-docs.md) base_path is ./" -s workspace-write
repo:initcodex exec "$(cat ./.codex/prompts/repo-setup.md) base_path is `./`, initialize the repository" -s workspace-write
repo:prnpm run repo:doc && npm run repo:tests && npm run repo:readme
repo:readmecodex exec "$(cat ./.codex/prompts/update-readme.md) base_path is ./" -s workspace-write
…and 14 more.

Dependencies12

@decaf-ts/corelatest
@decaf-ts/db-decoratorslatest
@decaf-ts/decorationlatest
@decaf-ts/decorator-validationlatest
@decaf-ts/for-couchdblatest
@decaf-ts/injectable-decoratorslatest
@decaf-ts/logginglatest
@decaf-ts/transactional-decoratorslatest
@decaf-ts/ui-decoratorslatest
@peculiar/x509^1.14.2
json-stringify-deterministic^1.0.12
sort-keys-recursive^2.1.10

Optional dependencies1

pkcs11js^2.1.6