Package evidence

@decaf-ts/[email protected]

Credential file access: matched ".npmrc"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@decaf-ts/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@decaf-ts/[email protected]"],"fail_on":"high"}'

Publishertvenceslau

Artifact bytes637,465

Previous version0.12.7

Published2026-05-24T09:24:52.566Z

SHA-256e9a174008169dc4e0bb0d4cbb978db056192c9dd9e18ecbfb184225d3945b5af

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

24d agoLast checked

highRisk

120Score

0.12.8Version

Status history (1 event)

new → available24d ago · risk high · score 120 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

tvenceslau

8 members · evidence strength 84

Evidence

Static findings

13 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential file access	package/lib/cjs/cli-module.cjs	matched ".npmrc"	30
high	Credential file access	package/lib/esm/cli-module.js	matched ".npmrc"	30
high	Credential file access	package/package.json	matched "NPM_TOKEN"	30

Show all 13 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Credential file access	package/lib/cjs/cli-module.cjs	matched ".npmrc"	30
high	Credential file access	package/lib/esm/cli-module.js	matched ".npmrc"	30
high	Credential file access	package/package.json	matched "NPM_TOKEN"	30
low	Obfuscation	package/lib/cjs/client/crypto.cjs	matched "Buffer.from(str, \"base64"	3
low	Obfuscation	package/lib/cjs/client/fabric-fs.cjs	matched "Buffer.from(str, \"base64"	3
low	Obfuscation	package/lib/cjs/client/FabricClientStatement.cjs	matched "\\u0000"	3
low	Obfuscation	package/dist/for-fabric.cjs	matched "Buffer.from(t.x\|\|\"\",\"base64"	3
low	Obfuscation	package/lib/cjs/client/utils.cjs	matched "Buffer.from(jwk.x \|\| \"\", \"base64"	3
low	Obfuscation	package/lib/esm/client/crypto.js	matched "Buffer.from(str, \"base64"	3
low	Obfuscation	package/lib/esm/client/fabric-fs.js	matched "Buffer.from(str, \"base64"	3
low	Obfuscation	package/lib/esm/client/FabricClientStatement.js	matched "\\u0000"	3
low	Obfuscation	package/dist/for-fabric.js	matched "Buffer.from(e.x\|\|\"\",\"base64"	3
low	Obfuscation	package/lib/esm/client/utils.js	matched "Buffer.from(jwk.x \|\| \"\", \"base64"	3

Manifest

Package metadata

Scripts55

builddecaf build --dev && sed -i -e '1i#!/usr/bin/env node\' lib/cjs/bin/cli.cjs
build:contractdecaf fabric compile-contract --sourcemaps --dev --debug --bundle --name ${CONTRACT_NAME:-GlobalContract} --input ./src/contract --output ./docker/infrastructure/chaincode && LEVEL=verbose npm run extract:indexes && LEVEL=verbose npm run extract:collections
build:contract2decaf fabric compile-contract --debug --bundle --name ${CONTRACT_NAME:-GlobalContract} --input ./src/contract --output ./docker/infrastructure/chaincode && LEVEL=verbose decaf fabric extract-indexes --folder ./lib/cjs/contract --outDir ./docker/infrastructure/chaincode/${CONTRACT_NAME:-GlobalContract}
build:contract:dockernpm run compile:contract:docker && npm run extract:indexes:docker && npm run extract:collections:docker
build:contract:sharednpm run compile:contract:shared && npm run extract:indexes:shared && npm run extract:collections:shared
build:proddecaf build --prod && sed -i -e '1i#!/usr/bin/env node\' lib/cjs/bin/cli.cjs
clean-publishnpx clean-publish
compile:contract:dockerdecaf fabric compile-contract --dev --debug --bundle --ccaas --name ${CONTRACT_NAME:-global} --input ./src/contracts --output ./contracts --strip-contract-name
compile:contract:shareddecaf fabric compile-contract --dev --debug --bundle --name ${CONTRACT_NAME:-Global} --input ./src/contracts --output ./docker/infrastructure/chaincode
copy-storagesudo cp -R docker/infrastructure/storage docker/docker-data/ && sudo chmod -R 755 docker/docker-data
copy:cryptodecaf fabric get-crypto-material --folder ./docker/docker-data
coveragerimraf ./workdocs/reports/data/*.json && npm run test:unit -- --coverage --config=./workdocs/reports/jest.coverage.config.cjs
deploy:contractdecaf fabric deploy-contract --name ${CONTRACT_NAME:-GlobalContract} --input ${CONTRACT_NAME:-GlobalContract}
do-installNPM_TOKEN=$(cat .npmtoken) npm install
docker:build-contractsDOCKER_BUILDKIT=1 docker build --no-cache --secret id=TOKEN,src=$PWD/.npmtoken -t ghcr.io/decaf-ts/for-fabric:contract-$(cat package.json | jq -r '.version') -t ghcr.io/decaf-ts/for-fabric:contract-${VERSION:-latest} -f ./docker/images/Dockerfile-contract .
docsnpx rimraf ./docs && mkdir docs && build-scripts --docs
drawingsfor FILE in workdocs/drawings/*.drawio; do echo "converting $FILE to image..." && docker run --rm -v $(pwd):/data rlespinasse/drawio-export --format png $FILE; done && cp -rf workdocs/drawings/export/* workdocs/resources/
extract:collectionsdecaf fabric extract-collections --folder ./lib/cjs/contract/trackedModels --outDir ./docker/infrastructure/chaincode/${CONTRACT_NAME:-GlobalContract} --mspIds '["org-a","org-c"]' --mainMspId org-b
extract:collections:dockerdecaf fabric extract-collections --folder ./lib/cjs/contract/models --outDir ./contracts --mspIds '["org-b","org-c"]' --mainMspId org-a
extract:collections:shareddecaf fabric extract-collections --folder ./lib/cjs/contract/trackedModels --outDir ./docker/infrastructure/chaincode/${CONTRACT_NAME:-Global}
extract:indexesdecaf fabric extract-indexes --folder ./lib/cjs/contract/trackedModels --outDir ./docker/infrastructure/chaincode/${CONTRACT_NAME:-GlobalContract}
extract:indexes:dockerdecaf fabric extract-indexes --folder ./lib/cjs/contract/models --outDir ./contracts
extract:indexes:shareddecaf fabric extract-indexes --folder ./lib/cjs/contract/trackedModels --outDir ./docker/infrastructure/chaincode/${CONTRACT_NAME:-Global}
flash-forwardnpx npm-check-updates -u && npm run do-install
infrastructure-ccaas:downdocker compose -f ./docker/infrastructure/docker-compose-ccaas.yaml down --rmi local -v
infrastructure-ccaas:updocker compose -f ./docker/infrastructure/docker-compose-ccaas.yaml up -d
infrastructure-hsm:downdocker compose -f ./docker/infrastructure/docker-compose-hsm.yaml down --rmi local -v
infrastructure-hsm:updocker compose -f ./docker/infrastructure/docker-compose-hsm.yaml up -d
infrastructure:downdocker compose -f ./docker/infrastructure/docker-compose.yaml down --rmi local -v && rm -rf ./docker/docker-data && rm -f ./tests/integration/chaincodeTrackers/*.count
infrastructure:updocker compose -f ./docker/infrastructure/docker-compose.yaml up -d
…and 25 more.

Dependencies12

@decaf-ts/corelatest
@decaf-ts/db-decoratorslatest
@decaf-ts/decorationlatest
@decaf-ts/decorator-validationlatest
@decaf-ts/for-couchdblatest
@decaf-ts/injectable-decoratorslatest
@decaf-ts/logginglatest
@decaf-ts/transactional-decoratorslatest
@decaf-ts/ui-decoratorslatest
@peculiar/x509^1.14.2
json-stringify-deterministic^1.0.12
sort-keys-recursive^2.1.10

Optional dependencies1

pkcs11js^2.1.6