Package evidence

@hsupu/[email protected]

Credential file access: matched "github_token"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 307
Versions published: 36
First published: Jan 2026
Publisher: hsupu

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@hsupu/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@hsupu/[email protected]"],"fail_on":"review"}'

Publisherhsupu

Artifact bytes3,128,221

Previous version0.8.4-beta.4

Published2026-06-06T18:12:48.583Z

SHA-2560dcc86fddc73c08b673d41e8562a7f0145a61c4eae216378ff5ba11b3bea1fe6

Why flagged

What the scanner saw

Credential file access: matched "github_token"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

10d agoLast checked

reviewRisk

10Score

0.8.4-beta.5Version

Status history (1 event)

new → available10d ago · risk review · score 10 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Credential file access	package/dist/main.mjs	matched "github_token"	10

Manifest

Package metadata

Scripts32

buildnpm run build:ui && npm run build:backend
build:backendnpx tsdown
build:uivite build --config ui/vite.config.ts
devbun run --watch ./src/main.ts
dev:uivite --config ui/vite.config.ts
generate:config-schemabun run scripts/generate-config-json-schema.ts
knipknip-bun
linteslint --cache
lint:alleslint --cache .
prepacknpm run build
preparenpm run build && (command -v bun >/dev/null 2>&1 && simple-git-hooks || true)
preview:uivite preview --config ui/vite.config.ts
releasebumpp && npm publish --access public
startNODE_ENV=production bun run ./src/main.ts
testnpm run test:backend
test:acceptancenpm run test:backend && npm run test:ui && npm run test:e2e-ui
test:allnpm run test:backend && npm run test:ui
test:backendbun test .unit.test .it.test .http.test
test:cinpm run test:backend
test:covbun test --coverage .unit.test .it.test .http.test
test:cov:reportbun test --coverage --coverage-reporter lcov .unit.test .it.test .http.test
test:e2ebun test tests/e2e/
test:e2e-uibunx playwright test
test:e2e-ui:localPLAYWRIGHT_BASE_URL=http://localhost:4141 bunx playwright test
test:httpbun test .http.test
test:itbun test .it.test
test:uinpm run test:ui:bun && npm run test:ui:vitest
test:ui:bunbun test ./ui/tests/
test:ui:vitestvitest run --config ui/vitest.config.ts
test:unitbun test .unit.test
…and 2 more.

Dependencies25

@google/genai^2.8.0
@hono/node-ws^1.3.1
@mdi/font^7.4.47
@vueuse/core^14.3.0
@vueuse/integrations^14.3.0
citty^0.2.2
consola^3.4.2
diff^8.0.4
diff2html^3.4.56
fetch-event-stream^0.1.6
gpt-tokenizer^3.4.0
hono^4.12.23
picocolors^1.1.1
pinia^3.0.4
proxy-from-env^2.1.0
socks^2.8.9
tiny-invariant^1.3.3
undici^7.26.0
unplugin-auto-import^21.0.0
unplugin-vue-components^32.1.0
vue^3.5.35
vue-json-pretty^2.6.0
vue-router^5.1.0
vuetify^4.0.8
yaml^2.9.0