PkgRadar

Package evidence

@heartlandone/vega-sandbox-pr-2960-5c3d57899e5da6bda077169b16d54038427afb0d@2.86.0

Credential file access: matched ".azure"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
1
First published
May 2026
Publisher
aprilzhu

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@heartlandone/vega-sandbox-pr-2960-5c3d57899e5da6bda077169b16d54038427afb0d@2.86.0"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@heartlandone/vega-sandbox-pr-2960-5c3d57899e5da6bda077169b16d54038427afb0d@2.86.0"],"fail_on":"review"}'
Publisheraprilzhu
Artifact bytes7,172,503
Previous versionnone
Published2026-05-27T03:25:44.278Z
SHA-256157839f0ad5dda7cfeef2d0de36ab652b13f9cfea7c869693f73e0e57e1dae79

Why flagged

What the scanner saw

Credential file access: matched ".azure"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
15Score
2.86.0Version
Status history (1 event)
  1. newavailable · risk review · score 15 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/esm/index-bfc6dfa2.jsmatched ".azure"5
lowCredential file accesspackage/dist/cjs/index-f054eb5d.jsmatched ".azure"5
lowCredential file accesspackage/dist/vega/p-5a25014f.jsmatched ".azure"5

Manifest

Package metadata

Scripts57
  • buildnpm run build:base -- --docs && node scripts/update-toobigrc-for-new-files-only.js
  • build-components-definitionnpm run setup:base && npx stencil build -- --docs-json docs/components-definition.json
  • build-components-type-definitionnpx typedoc src/types/public-api.ts --json docs/components-type-definition.json
  • build-feature-flagsnode ./scripts/build-feature-flags.js
  • build-migrationnode ./scripts/build-migration.js
  • build-storybookbuild-storybook --quiet
  • build:basenpx patch-package && npm run setup && npx stencil build
  • check-feature-flagsnode ./scripts/check-feature-flags.js
  • clean:test:visualnode scripts/visual-test-screenshot-handle.js
  • clean:test:visual:pipelineNODE_ENV=pipeline npm run clean:test:visual
  • consume-design-tokennode ./scripts/consume_vega_design_output.js
  • debugnpm run prepare:postcss -- -w | npm run build:base -- --dev --watch --serve --debug --no-cache
  • generatestencil generate
  • generate-export-components-typesnode ./scripts/generate-export-components-types.js && npx prettier -w ./src/types/components.type.d.ts
  • generate-export-typenode ./scripts/generate-export-types-checking.js && npx prettier -w ./src/types/test/exported-type.ts
  • lintnpm run setup && npm run lint:build-bundles && npm run lint:ts:export-type && npm run lint:ts:strict && npm run lint:ts:base && npm run lint:prettier && npm run lint:eslint && npm run lint:e2e-module && npm run lint:test-case
  • lint:build-bundlesnode scripts/build-bundles-config.js
  • lint:e2e-modulenode scripts/e2e-test-module-validation.js
  • lint:eslintnpx eslint --max-warnings=0 src
  • lint:prettiernpx prettier -c .
  • lint:test-casenode scripts/test-case-vaildation.js
  • lint:ts:basetsc -p ./tsconfig.json --noEmit
  • lint:ts:export-typeyarn generate-export-type && tsc -p ./tsconfig.type-check.json --noEmit
  • lint:ts:stricttsc -p ./tsconfig.strict.json --noEmit
  • postbuildcp dist/vega/*.css style/ && npm run postbuild:SRI && npm run postbuild:ensure-dist-dts && npm run postbuild:angular && npm run postbuild:vue && npm run postbuild:react && npm run postbuild:dist-check && npm run postbuild:verify-no-test-in-dist
  • postbuild-storybookmkdir -p storybook-static/vega && cp dist/vega/vega.css storybook-static/vega/vega.css
  • postbuild:SRInode ./scripts/subresource-integrity/sri-setup.js
  • postbuild:angularnpm run stencil-postbuild --prefix ../vega-angular-workspace/projects/vega-angular
  • postbuild:dist-checknode ./scripts/components-dynamic-import-path-validation.js
  • postbuild:ensure-dist-dtsnode ./scripts/ensure-dist-dts.js
  • …and 27 more.
Dependencies2
  • @heartlandone/vega-telemetry-install-ledgers^1.1.0
  • @heartlandone/vega-telemetry-runtime-metrics^1.0.10