Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 28
- First published
- Feb 2026
- Publisher
- robert.guehne
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@internetderdinge/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@internetderdinge/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched "AWS_ACCESS_KEY"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 30 · status changed
Evidence
Static findings
6 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 6 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/src/email/email.service.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/src/iotdevice/iotdevice.service.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/src/files/upload.service.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/src/email/email.service.ts | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/src/iotdevice/iotdevice.service.ts | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/src/files/upload.service.ts | matched "AWS_ACCESS_KEY" | 5 |
Manifest
Package metadata
Scripts9
buildtsc -p tsconfig.jsondeploy:versionnode ./scripts/release-version.mjsdeps:versionsnode --input-type=module -e "import { createRequire } from 'node:module'; const require = createRequire(import.meta.url); const out = (name) => { const pkgPath = require.resolve(name + '/package.json'); const version = require(pkgPath).version; console.log(name + '@' + version + ' -> ' + pkgPath); }; out('zod'); out('@asteasolutions/zod-to-openapi');"dev:watchtsc -p tsconfig.json --watch --incremental --preserveWatchOutputdev:yalcnodemon --watch src --watch package.json --ext ts,json --exec "yarn build && yalc publish --push"linteslint .lint:fixeslint . --fixreleasenode ./scripts/release-and-sync-paperless.mjsyalc:publishyalc publish --push
Dependencies71
@aws-sdk/client-cloudwatch-events^3.990.0@aws-sdk/client-iot-data-plane^3.990.0@aws-sdk/client-s3^3.990.0@aws-sdk/client-sesv2^3.990.0@aws-sdk/credential-provider-node^3.972.9@aws-sdk/lib-storage^3.990.0@aws-sdk/s3-request-presigner^3.990.0@aws-sdk/util-endpoints^3.990.0@sentry/node^10.38.0@sentry/profiling-node^10.38.0agenda^6.2.2agendash^8.1.1auth0^5.3.1aws-crt^1.29.0aws-iot-device-sdk-v2^1.25.0aws4^1.13.2axios^1.13.5body-parser~2.2.2body-parser-xml~2.0.5compression^1.8.1config^4.3.0cors^2.8.6cron^4.4.0date-fns^4.1.0date-fns-tz3.2.0dotenv^17.3.1elevenlabs^1.59.0express^5.2.1express-jwt^8.5.1express-mongo-sanitize^2.2.0- …and 41 more.