PkgRadar

Package evidence

@heal-dev/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
60
Versions published
14
First published
Mar 2026
Publisher
pierre_oucif

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@heal-dev/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@heal-dev/[email protected]"],"fail_on":"review"}'
Publisherpierre_oucif
Artifact bytes2,094,975
Previous version0.3.65
Published2026-06-02T11:36:11.173Z
SHA-2562013bf430ece3ccaf2b528d4b73850946b126241c7e3851b4beaa25f6abe81a7

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
13Score
0.3.69Version
Status history (1 event)
  1. newavailable · risk review · score 13 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/infrastructure/code-execution-adapter/codeExecutionWorker.cjsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/dist/bundles/public-cli.bundle.jsmatched "AWS_ACCESS_KEY"5
lowCredential file accesspackage/package.jsonmatched ".npmrc"3

Manifest

Package metadata

Scripts25
  • buildnpm run build-lib-browser && tsc && npm run copy-resources && npm run make-cli-executable
  • build-lib-browsernode src/infrastructure/lib-browser-adapter/build-browser-bundle.js
  • build:publicOBFUSCATE_BROWSER_BUNDLE=1 npm run build && node validate-reserved-strings.js && node build-full-bundle.js && node prepare-public-package.js && cp PUBLIC_README.md README.md
  • build:public-ideOBFUSCATE_BROWSER_BUNDLE=1 npm run build && node validate-reserved-strings.js && node build-ide-extension-bundle.js && node prepare-public-ide-package.js && cp PUBLIC_README.md README.md
  • build:with-mock-sdknpm run build && npm run type-check:mock-sdk
  • copy-resourcesnode copy-resources.js
  • formatprettier --write .
  • format:checkprettier --check .
  • linteslint .
  • lint:fixeslint . --fix
  • make-cli-executablechmod +x dist/bootstrap/cli/cli.js
  • pack:publicnpm run build:public && npm pack --ignore-scripts && git checkout package.json README.md
  • pack:public-idenpm run build:public-ide && npm pack --ignore-scripts && git checkout package.json README.md
  • postpacknpm link
  • prepacknpm run build
  • preparehusky || true
  • prepublishOnlynpm run build
  • publish:npmnpm run build:public && echo '@heal-dev:registry=https://registry.npmjs.org' > .npmrc && npm publish --access public --ignore-scripts --tag latest; git checkout .npmrc package.json README.md
  • testnpm run build:with-mock-sdk && vitest
  • test:setupabilityvitest -c vitest.setupability.config.ts --
  • test:timesnode scripts/vitest/compute-test-execution-times.js
  • type-checktsc --noEmit -p tsconfig.test.json
  • type-check:mock-sdktsc -p tests/bootstrap/e2e/mock-sdk/tsconfig.json --noEmit
  • type-check:srctsc --noEmit
  • validate:obfuscatornode validate-reserved-strings.js
Dependencies49
  • @aws-sdk/client-s3^3.1000.0
  • @aws-sdk/client-sqs^3.1000.0
  • @jimp/core^1.6.0
  • @jimp/file-ops^1.6.0
  • @jimp/utils^1.6.0
  • @langchain/anthropic1.3.19
  • @langchain/core1.1.27
  • @langchain/openai1.2.9
  • @logtail/pino^0.5.7
  • @modelcontextprotocol/sdk^1.29.0
  • @mozilla/readability^0.6.0
  • @types/yauzl^2.10.3
  • @vscode/ripgrep^1.17.0
  • axe-core^4.10.3
  • cli-highlight^2.1.11
  • commander^14.0.2
  • consola^3.4.2
  • diff^8.0.3
  • dotenv^17.2.3
  • esbuild^0.27.1
  • eslint^9.39.0
  • eslint-config-prettier^10.1.8
  • fast-glob^3.3.3
  • gpt-tokenizer^2.9.0
  • jimp^1.6.0
  • jsdom^25.0.1
  • langfuse^3.38.6
  • linkedom^0.18.12
  • mailinator-client^1.0.6
  • mailslurp-client^15.21.0
  • …and 19 more.
Optional dependencies2
  • bufferutil^4.0.8
  • utf-8-validate^6.0.4