PkgRadar

Package evidence

@digital-realty/[email protected]

Credential file access: matched ".azure"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
2,173Niche · −30% score
Versions published
85
First published
Apr 2026
Publisher
dlr-pi-devops

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@digital-realty/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@digital-realty/[email protected]"],"fail_on":"review"}'
Publisherdlr-pi-devops
Artifact bytes1,171,600
Previous version13.0.1
Published2026-05-26T16:11:36.927Z
SHA-2569c2fb4204afefc62e5379e820da8a88352171810d8f85bf6c91a737536b947e4

Why flagged

What the scanner saw

Credential file access: matched ".azure"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
13.0.2-IXUAT-10198.531680Version
Status history (1 event)
  1. newavailable · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/scripts/config.jsmatched ".azure"5

Manifest

Package metadata

Scripts32
  • buildrun-s build:step:*
  • build:localnpm run build --env=local
  • build:step:generatenpm run generate-config && npm run generate-api:notifications && npm run compile-less-to-styles && npm run tailwindcss:build && npm run twlit:build
  • build:step:packagerimraf dist && tsc && rollup -c rollup.config.mjs
  • build:workspacenpm run build
  • compile-less-to-stylesrimraf --glob "src/styles/*.js" && node build_scripts/compile-less-to-styles.cjs
  • formatnpm run format:eslint && npm run format:prettier
  • format:eslinteslint --ext .js,.html . --fix
  • format:prettierprettier "**/*.js" --write
  • generate-api:notificationsopenapi-generator-cli generate -i src/components/notifications/api/notifications-api.yaml -g typescript-fetch -o src/components/notifications/api/notifications-api --additional-properties=typescriptThreePlus=true,importFileExtension=.js
  • generate-confignode build_scripts/generate-config.cjs
  • generate-import-mapix-import-map write-import-map --latest-packages=true && node build_scripts/inject-mfe-importmap.cjs
  • generate-import-map-localhostix-import-map write-import-map --cdn=http://localhost:8081 && node build_scripts/inject-mfe-importmap.cjs
  • inject-mfe-importmapnode build_scripts/inject-mfe-importmap.cjs
  • lintnpm run lint:eslint && npm run lint:prettier
  • lint:eslinteslint --ext .js,.html .
  • lint:prettierprettier "**/*.js" --list-different || (echo '↑↑ these files are not prettier formatted ↑↑' && exit 1)
  • pipelines-npm-auditnode build_scripts/pipelines-npm-audit.cjs
  • prepacknpm run build
  • servenpm run build && prpl-server --root dist
  • serve:distweb-dev-server --config web-dist-server.config.mjs
  • startnpm run start:pre-serve && concurrently -k -r "tsc --watch --preserveWatchOutput" "wds" "npm run tailwindcss:watch" "npm run twlit:watch"
  • start:pre-serverimraf lib && rollup -c preserve.rollup.config.mjs && tsc
  • start:serveweb-dev-server
  • tailwindcss:buildtailwind -i ./src/tailwindlib.css -o ./src/styles/tw.css
  • tailwindcss:watchtailwind -i ./src/tailwindlib.css -o ./src/styles/tw.css --watch
  • testnpm run test:prebuild && web-test-runner --coverage
  • test:prebuildrimraf lib && tsc && rollup -c preserve.rollup.config.mjs && npm run compile-less-to-styles && npm run tailwindcss:build && npm run twlit:build && npm run generate-config --use_test_settings=true
  • test:watchtsc && concurrently -k -r "tsc --watch --preserveWatchOutput" "wtr --watch"
  • ts:watchconcurrently -k -r "tsc --watch --preserveWatchOutput" "npm run tailwindcss:watch" "npm run twlit:watch"
  • …and 2 more.
Dependencies49
  • @adobe/lit-mobx^2.2.2
  • @digital-realty/ix-account-switcher^1.1.6
  • @digital-realty/ix-app-logic^2.0.1
  • @digital-realty/ix-divider^1.2.3
  • @digital-realty/ix-icon^1.1.3
  • @digital-realty/ix-icon-button1.2.2
  • @digital-realty/ix-intraportal-nav^1.0.1
  • @digital-realty/ix-menu1.0.4
  • @digital-realty/ix-toast1.0.27
  • @digital-realty/ix-tooltip^1.1.3
  • @digital-realty/theme^3.0.1
  • @floating-ui/dom^1.6.7
  • @koa/cors^3.4.3
  • @lit-labs/motion^1.0.7
  • @lit/react^1.0.5
  • @lit/reactive-element^2.0.4
  • @material/web2.4.0
  • @microsoft/applicationinsights-web^2.5.10
  • @redux-offline/redux-offline^2.6.0
  • @vaadin/grid^24.4.7
  • @vaadin/router^1.7.2
  • @web/dev-server-import-maps^0.0.7
  • @web/dev-server-rollup^0.3.19
  • @webcomponents/custom-elements^1.4.2
  • @webcomponents/webcomponentsjs^2.4.3
  • cross-fetch^4.0.0
  • date-fns^4.1.0
  • http-request-mock^1.8.28
  • http-status-codes^1.4.0
  • lit^3.1.0
  • …and 19 more.
Optional dependencies2
  • @rollup/rollup-darwin-x64^4.24.0
  • @rollup/rollup-win32-x64-msvc^4.24.0