Package evidence

@decaf-ts/[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 265Established · −30% score
First published: Oct 2025
Publisher: tvenceslau

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@decaf-ts/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@decaf-ts/[email protected]"],"fail_on":"review"}'

Publishertvenceslau

Artifact bytes670,426

Previous version0.13.29

Published2026-06-12T16:46:04.076Z

SHA-2561f8890d9198329dd75213420ff89c1406c32d4bda1254b80328c7dec748d3c50

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

17h agoLast checked

reviewRisk

10Score

0.13.30Version

Status history (1 event)

new → available17h ago · risk review · score 10 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Credential file access	package/lib/esm/cli-module.js	matched ".npmrc"	10

Show all 2 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Credential file access	package/lib/esm/cli-module.js	matched ".npmrc"	10
low	Credential file access	package/lib/cjs/cli-module.cjs	matched ".npmrc"	5

Manifest

Package metadata

Scripts55

builddecaf build --dev && sed -i -e '1i#!/usr/bin/env node\' lib/cjs/bin/cli.cjs
build:contractdecaf fabric compile-contract --sourcemaps --dev --debug --bundle --name ${CONTRACT_NAME:-GlobalContract} --input ./src/contract --output ./docker/infrastructure/chaincode && LEVEL=verbose npm run extract:indexes && LEVEL=verbose npm run extract:collections
build:contract2decaf fabric compile-contract --debug --bundle --name ${CONTRACT_NAME:-GlobalContract} --input ./src/contract --output ./docker/infrastructure/chaincode && LEVEL=verbose decaf fabric extract-indexes --folder ./lib/cjs/contract --outDir ./docker/infrastructure/chaincode/${CONTRACT_NAME:-GlobalContract}
build:contract:dockernpm run compile:contract:docker && npm run extract:indexes:docker && npm run extract:collections:docker
build:contract:sharednpm run compile:contract:shared && npm run extract:indexes:shared
build:proddecaf build --prod && sed -i -e '1i#!/usr/bin/env node\' lib/cjs/bin/cli.cjs
clean-publishnpx clean-publish
compile:contract:dockerdecaf fabric compile-contract --dev --debug --bundle --ccaas --name ${CONTRACT_NAME:-global} --input ./src/contracts --output ./contracts --strip-contract-name
compile:contract:shareddecaf fabric compile-contract --ccaas --from-lib --dev --debug --name ${CONTRACT_NAME:-Global} --input ./src/contract --output ./docker/infrastructure/chaincode
copy-storagesudo cp -R docker/infrastructure/storage docker/docker-data/ && sudo chmod -R 755 docker/docker-data
copy:cryptodecaf fabric get-crypto-material --folder ./docker/docker-data
coveragerimraf ./workdocs/reports/data/*.json && npm run test:unit -- --coverage --config=./workdocs/reports/jest.coverage.config.cjs
deploy:contractdecaf fabric deploy-contract --name ${CONTRACT_NAME:-GlobalContract} --input ${CONTRACT_NAME:-GlobalContract}
do-installNPM_TOKEN=$(cat .npmtoken) npm install
docker:build-contractsDOCKER_BUILDKIT=1 docker build --no-cache --secret id=TOKEN,src=$PWD/.npmtoken -t ghcr.io/decaf-ts/for-fabric:contract-$(cat package.json | jq -r '.version') -t ghcr.io/decaf-ts/for-fabric:contract-${VERSION:-latest} -f ./docker/images/Dockerfile-contract .
docsnpx rimraf ./docs && mkdir docs && build-scripts --docs
drawingsfor FILE in workdocs/drawings/*.drawio; do echo "converting $FILE to image..." && docker run --rm -v $(pwd):/data rlespinasse/drawio-export --format png $FILE; done && cp -rf workdocs/drawings/export/* workdocs/resources/
extract:collectionsdecaf fabric extract-collections --folder ./lib/cjs/contract/trackedModels --outDir ./docker/infrastructure/chaincode/${CONTRACT_NAME:-GlobalContract} --mspIds '["org-a","org-c"]' --mainMspId org-b
extract:collections:dockerdecaf fabric extract-collections --folder ./lib/cjs/contract/models --outDir ./contracts --mspIds '["org-b","org-c"]' --mainMspId org-a
extract:collections:shareddecaf fabric extract-collections --folder ./lib/cjs/contract/trackedModels --outDir ./docker/infrastructure/chaincode/${CONTRACT_NAME:-Global}
extract:indexesdecaf fabric extract-indexes --folder ./lib/cjs/contract/trackedModels --outDir ./docker/infrastructure/chaincode/${CONTRACT_NAME:-GlobalContract}
extract:indexes:dockerdecaf fabric extract-indexes --folder ./lib/cjs/contract/models --outDir ./contracts
extract:indexes:shareddecaf fabric extract-indexes --folder ./lib/cjs/contract/trackedModels --outDir ./docker/infrastructure/chaincode/${CONTRACT_NAME:-Global}
flash-forwardnpx npm-check-updates -u && npm run do-install
infrastructure-ccaas:downdocker compose -f ./docker/infrastructure/docker-compose-ccaas.yaml down --rmi local -v
infrastructure-ccaas:updocker compose -f ./docker/infrastructure/docker-compose-ccaas.yaml up -d
infrastructure-hsm:downdocker compose -f ./docker/infrastructure/docker-compose-hsm.yaml down --rmi local -v
infrastructure-hsm:updocker compose -f ./docker/infrastructure/docker-compose-hsm.yaml up -d
infrastructure:downdocker compose -f ./docker/infrastructure/docker-compose.yaml down --rmi local -v && rm -rf ./docker/docker-data && rm -f ./tests/integration/chaincodeTrackers/*.count
infrastructure:updocker compose -f ./docker/infrastructure/docker-compose.yaml up -d
…and 25 more.

Dependencies12

@decaf-ts/corelatest
@decaf-ts/db-decoratorslatest
@decaf-ts/decorationlatest
@decaf-ts/decorator-validationlatest
@decaf-ts/for-couchdblatest
@decaf-ts/injectable-decoratorslatest
@decaf-ts/logginglatest
@decaf-ts/transactional-decoratorslatest
@decaf-ts/ui-decoratorslatest
@peculiar/x509^1.14.2
json-stringify-deterministic^1.0.12
sort-keys-recursive^2.1.10

Optional dependencies1

pkcs11js^2.1.6