PkgRadar

Package evidence

@el-j/[email protected]

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
37
Versions published
23
First published
Mar 2026
Publisher
el-j-personal

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@el-j/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@el-j/[email protected]"],"fail_on":"review"}'
Publisherel-j-personal
Artifact bytes225,998
Previous version2.2.0-beta.4
Published2026-06-11T11:40:28.663Z
SHA-256b95a53d9bf48f3b0ff1e5db0aa2e7e5b32e81626c6eb62cdce339cdbeb1d621f

Why flagged

What the scanner saw

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
15Score
2.2.0-beta.5Version
Status history (1 event)
  1. newavailable · risk review · score 15 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/esm/index.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/index.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist-cli/setup-wif.mjsmatched "AWS_ACCESS_KEY"5

Manifest

Package metadata

Scripts20
  • buildnpm run build:types && npm run build:cjs && npm run build:esm && npm run build:cli
  • build:actionrimraf dist-action && esbuild src/action-entrypoint.ts --bundle --platform=node --format=esm --outfile=dist-action/index.mjs --banner:js="import{createRequire}from'module';const require=createRequire(import.meta.url);" --log-level=info && node -e "const fs=require('fs');const path='dist-action/index.mjs';const search='const url = (opts.url || \"\").toString();\n if (!url.includes(\"googleapis.com\") && !url.includes(\"google.com\")) {';const replacement='const url = (opts.url || \"\").toString();\n let isGoogleHost = false;\n try {\n const parsedUrl = new URL(url);\n const hostname = (parsedUrl.hostname || \"\").toLowerCase();\n isGoogleHost = hostname === \"googleapis.com\" || hostname.endsWith(\".googleapis.com\") || hostname === \"google.com\" || hostname.endsWith(\".google.com\");\n } catch {\n isGoogleHost = false;\n }\n if (!isGoogleHost) {';const data=fs.readFileSync(path,'utf8');if(!data.includes(search)){throw new Error('Expected host-check snippet not found in dist-action bundle');}fs.writeFileSync(path,data.replace(search,replacement));"
  • build:cjsesbuild src/index.ts --bundle --format=cjs --outfile=dist/index.js --platform=node --packages=external
  • build:clirimraf dist-cli && esbuild src/setup/cli.ts --bundle --platform=node --format=esm --outfile=dist-cli/setup-wif.mjs --banner:js="#!/usr/bin/env node" --log-level=info
  • build:esmesbuild src/index.ts --bundle --format=esm --outfile=dist/esm/index.js --platform=node --packages=external && node -e "require('fs').writeFileSync('dist/esm/package.json', JSON.stringify({type:'module'}))"
  • build:typestsc --emitDeclarationOnly
  • changelog:previewnode scripts/changelog-preview.mjs
  • cleanrimraf dist
  • devtsc --watch
  • docs:buildvitepress build website
  • docs:devvitepress dev website
  • docs:previewvitepress preview website
  • linteslint src/ --ext .ts --max-warnings 0
  • prebuildnpm run clean
  • preparenpm run build
  • releasesemantic-release
  • release:dry-runsemantic-release --dry-run
  • sync:translationsnode scripts/sync-demo-translations.mjs
  • testvitest run --coverage
  • test:integrationINTEGRATION=true vitest run tests/integration --testTimeout=60000
Dependencies3
  • @actions/core^3.0.1
  • google-auth-library^10.7.0
  • google-spreadsheet^5.3.0