PkgRadar

Package evidence

@el-j/[email protected]

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
37
Versions published
23
First published
Mar 2026
Publisher
el-j-personal

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@el-j/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@el-j/[email protected]"],"fail_on":"review"}'
Publisherel-j-personal
Artifact bytes72,793
Previous version2.2.0-beta.3
Published2026-04-03T15:02:10.644Z
SHA-256d7a55fa9fd930c29c6e99784d626a6b946aef4a8b2e4cba74b85d52786faf42c

Why flagged

What the scanner saw

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
10Score
2.2.0-beta.4Version
Status history (1 event)
  1. newavailable · risk review · score 10 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/esm/index.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/index.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5

Manifest

Package metadata

Scripts19
  • buildnpm run build:types && npm run build:cjs && npm run build:esm
  • build:actionrimraf dist-action && esbuild src/action-entrypoint.ts --bundle --platform=node --format=esm --outfile=dist-action/index.mjs --banner:js="import{createRequire}from'module';const require=createRequire(import.meta.url);" --log-level=info
  • build:cjsesbuild src/index.ts --bundle --format=cjs --outfile=dist/index.js --platform=node --packages=external
  • build:esmesbuild src/index.ts --bundle --format=esm --outfile=dist/esm/index.js --platform=node --packages=external && node -e "require('fs').writeFileSync('dist/esm/package.json', JSON.stringify({type:'module'}))"
  • build:typestsc --emitDeclarationOnly
  • changelog:previewnode scripts/changelog-preview.mjs
  • cleanrimraf dist
  • devtsc --watch
  • docs:buildvitepress build website
  • docs:devvitepress dev website
  • docs:previewvitepress preview website
  • linteslint src/ --ext .ts --max-warnings 0
  • prebuildnpm run clean
  • preparenpm run build
  • releasesemantic-release
  • release:dry-runsemantic-release --dry-run
  • sync:translationsnode scripts/sync-demo-translations.mjs
  • testvitest run --coverage
  • test:integrationINTEGRATION=true vitest run tests/integration --testTimeout=60000
Dependencies3
  • @actions/core^3.0.0
  • google-auth-library^10.6.2
  • google-spreadsheet^5.2.0