Package evidence
@heartlandone/vega-sandbox-pr-2962-56ee0a8b6fbe49d22d429742fea93686343a2270@2.85.0
Credential file access: matched ".azure"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 1
- First published
- May 2026
- Publisher
- aprilzhu
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@heartlandone/vega-sandbox-pr-2962-56ee0a8b6fbe49d22d429742fea93686343a2270@2.85.0"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@heartlandone/vega-sandbox-pr-2962-56ee0a8b6fbe49d22d429742fea93686343a2270@2.85.0"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched ".azure"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 115 · status changed
Evidence
Static findings
56 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 56 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/esm/index-bfc6dfa2.js | matched ".azure" | 5 |
| low | Credential file access | package/dist/cjs/index-f054eb5d.js | matched ".azure" | 5 |
| low | Credential file access | package/dist/vega/p-5a25014f.js | matched ".azure" | 5 |
| low | Obfuscation | package/dist/esm/code-block-10be3916.js | matched "\\u200b" | 3 |
| low | Obfuscation | package/dist/cjs/code-block-c6c70464.js | matched "\\u200b" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-rich-text-editor/constants/constant.js | matched "\\u200b" | 3 |
| low | Obfuscation | package/dist/esm/polyfills/core-js.js | matched "\\uD800" | 3 |
| low | Obfuscation | package/dist/collection/polyfill/prism/languages/css.js | matched "\\u00B7" | 3 |
| low | Obfuscation | package/dist/collection/polyfill/d3/d3-scale-polyfill.js | matched "\\u2212" | 3 |
| low | Obfuscation | package/dist/esm/index-bfc6dfa2.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/cjs/index-f054eb5d.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/collection/polyfill/prism/languages/javascript.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/dist/vega/p-13e7f906.entry.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-1ec763ab.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-2ae5acfc.entry.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-3d0ba2c6.entry.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-423762ae.entry.js | matched "\\x01" | 3 |
| low | Obfuscation | package/dist/vega/p-5a25014f.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/vega/p-613ddaab.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-6817b9bd.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-818da356.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-aacf6920.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-aaf44879.entry.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-af00e6e2.entry.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-c51ebb14.entry.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-c78fe943.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-d402eb7b.entry.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-e47b2c4c.entry.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/vega/p-e95cb28f.entry.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/dist/vega/p-ed26f4c8.entry.js | matched "\\x3c" | 3 |
| low | Obfuscation | package/dist/collection/polyfill/prism/tokenizer.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/collection/polyfill/prism/languages/typescript.js | matched "\\xA0" | 3 |
| low | Obfuscation | package/dist/collection/constants/validator.js | matched "\\x01" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-app-footer/vega-app-footer.js | matched "\\u00A9" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-calendar/vega-calendar.js | matched "\\u00B1" | 3 |
| low | Obfuscation | package/dist/cjs/vega-code-block.cjs.entry.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/esm/vega-code-block.entry.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-date-picker/vega-date-picker-calendar/vega-date-picker-calendar.js | matched "\\u00B1" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-date-picker/vega-date-picker.js | matched "\\u00B1" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-input-numeric/vega-input-numeric.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-input-passcode/vega-input-passcode.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-input-phone-number/vega-input-phone-number.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/cjs/vega-input.cjs.entry.js | matched "\\x01" | 3 |
| low | Obfuscation | package/dist/esm/vega-input.entry.js | matched "\\x01" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-input/vega-input.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-nav/vega-left-nav-link/vega-left-nav-link.js | matched "\\u2019" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-popover/vega-popover.js | matched "\\u2018" | 3 |
| low | Obfuscation | package/dist/cjs/vega-signature-capture.cjs.entry.js | matched "atob(" | 3 |
| low | Obfuscation | package/dist/esm/vega-signature-capture.entry.js | matched "atob(" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-textarea/vega-textarea.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-time-picker/vega-time-picker.js | matched "\\u2715" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-tooltip/vega-tooltip-content-box/vega-tooltip-content-box.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-tooltip/vega-tooltip.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/dist/collection/components/vega-signature-capture/slimmers/written-mode/controllers/written-mode-svg-controller.js | matched "atob(" | 3 |
| low | Obfuscation | package/dist/cjs/y-axis-input-processor-54a26515.js | matched "\\u2212" | 3 |
| low | Obfuscation | package/dist/esm/y-axis-input-processor-c7e05353.js | matched "\\u2212" | 3 |
Manifest
Package metadata
Scripts57
buildnpm run build:base -- --docs && node scripts/update-toobigrc-for-new-files-only.jsbuild-components-definitionnpm run setup:base && npx stencil build -- --docs-json docs/components-definition.jsonbuild-components-type-definitionnpx typedoc src/types/public-api.ts --json docs/components-type-definition.jsonbuild-feature-flagsnode ./scripts/build-feature-flags.jsbuild-migrationnode ./scripts/build-migration.jsbuild-storybookbuild-storybook --quietbuild:basenpx patch-package && npm run setup && npx stencil buildcheck-feature-flagsnode ./scripts/check-feature-flags.jsclean:test:visualnode scripts/visual-test-screenshot-handle.jsclean:test:visual:pipelineNODE_ENV=pipeline npm run clean:test:visualconsume-design-tokennode ./scripts/consume_vega_design_output.jsdebugnpm run prepare:postcss -- -w | npm run build:base -- --dev --watch --serve --debug --no-cachegeneratestencil generategenerate-export-components-typesnode ./scripts/generate-export-components-types.js && npx prettier -w ./src/types/components.type.d.tsgenerate-export-typenode ./scripts/generate-export-types-checking.js && npx prettier -w ./src/types/test/exported-type.tslintnpm run setup && npm run lint:build-bundles && npm run lint:ts:export-type && npm run lint:ts:strict && npm run lint:ts:base && npm run lint:prettier && npm run lint:eslint && npm run lint:e2e-module && npm run lint:test-caselint:build-bundlesnode scripts/build-bundles-config.jslint:e2e-modulenode scripts/e2e-test-module-validation.jslint:eslintnpx eslint --max-warnings=0 srclint:prettiernpx prettier -c .lint:test-casenode scripts/test-case-vaildation.jslint:ts:basetsc -p ./tsconfig.json --noEmitlint:ts:export-typeyarn generate-export-type && tsc -p ./tsconfig.type-check.json --noEmitlint:ts:stricttsc -p ./tsconfig.strict.json --noEmitpostbuildcp dist/vega/*.css style/ && npm run postbuild:SRI && npm run postbuild:ensure-dist-dts && npm run postbuild:angular && npm run postbuild:vue && npm run postbuild:react && npm run postbuild:dist-check && npm run postbuild:verify-no-test-in-distpostbuild-storybookmkdir -p storybook-static/vega && cp dist/vega/vega.css storybook-static/vega/vega.csspostbuild:SRInode ./scripts/subresource-integrity/sri-setup.jspostbuild:angularnpm run stencil-postbuild --prefix ../vega-angular-workspace/projects/vega-angularpostbuild:dist-checknode ./scripts/components-dynamic-import-path-validation.jspostbuild:ensure-dist-dtsnode ./scripts/ensure-dist-dts.js- …and 27 more.
Dependencies2
@heartlandone/vega-telemetry-install-ledgers^1.1.0@heartlandone/vega-telemetry-runtime-metrics^1.0.10