PkgRadar

Package evidence

@itwin/[email protected]

Credential file access: matched ".Azure"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
17,941Mainstream · −50% score
Versions published
1,356Mature · −50% score
First published
Sep 2021
Publisher
imodeljs

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@itwin/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@itwin/[email protected]"],"fail_on":"review"}'
Publisherimodeljs
Artifact bytes6,866,079
Previous version5.10.0-dev.21
Published2026-05-27T16:49:16.337Z
SHA-2569b915a08a75a47e35eccf2c84fa9bcfadb8be431cc3c496f38629a5f7ca077e9

Why flagged

What the scanner saw

Credential file access: matched ".Azure"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
5Score
5.10.0-dev.22Version
Status history (1 event)
  1. newavailable · risk review · score 5 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/lib/cjs/internal/tile/map/ImageryProviders/AzureMapsLayerImageryProvider.jsmatched ".Azure"5
lowCredential file accesspackage/lib/esm/internal/tile/map/ImageryProviders/AzureMapsLayerImageryProvider.jsmatched ".Azure"5

Manifest

Package metadata

Scripts22
  • buildnpm run -s copy:public && npm run -s build:cjs && npm run -s build:esm && npm run -s webpackWorkers && npm run -s copy:workers && npm run -s copy:draco
  • build:cjsnpm run -s copy:js:cjs && tsc 1>&2 --outDir lib/cjs
  • build:esmnpm run -s copy:js:esm && tsc 1>&2 --module ES2022 --outDir lib/esm
  • cleanrimraf -g lib .rush/temp/package-deps*.json
  • copy:dracocpx "./node_modules/@loaders.gl/draco/dist/libs/*" ./lib/public/scripts
  • copy:js:cjscpx "./src/**/*.js" ./lib/cjs
  • copy:js:esmcpx "./src/**/*.js" ./lib/esm
  • copy:publiccpx "./src/public/**/*" ./lib/public
  • copy:workerscpx "./lib/workers/webpack/parse-imdl-worker.js" ./lib/public/scripts
  • covernpm run webpackTestWorker && vitest --run
  • docsbetools docs --json=../../generated-docs/core/core-frontend/file.json --tsIndexFile=./core-frontend.ts --onlyJson --excludes=webgl/**/*,**/map/*.d.ts,**/tile/*.d.ts,**/*-css.ts && npm run -s extract
  • extractbetools extract --fileExt=ts --extractFrom=./src/test/example-code --recursive --out=../../generated-docs/extract
  • extract-apibetools extract-api --entry=core-frontend && npm run extract-extension-api
  • extract-extension-apieslint --no-inline-config -c extraction.eslint.config.js "./src/**/*.ts" 1>&2
  • linteslint "./src/**/*.ts" 1>&2
  • lint-deprecationeslint --fix -f visualstudio --no-inline-config -c ../../common/config/eslint/eslint.config.deprecation-policy.js "./src/**/*.ts"
  • lint-fixeslint --fix -f visualstudio "./src/**/*.ts" 1>&2
  • pseudolocalizebetools pseudolocalize --englishDir ./src/public/locales/en --out ./public/locales/en-PSEUDO
  • testnpm run webpackTestWorker && vitest --run
  • webpackTestWorkerwebpack --config ./src/test/worker/webpack.config.js 1>&2 && cpx "./lib/test/test-worker.js" ./lib/test
  • webpackTestswebpack --config ./src/test/utils/webpack.config.js 1>&2 && npm run -s webpackTestWorker
  • webpackWorkerswebpack --config ./src/workers/ImdlParser/webpack.config.js 1>&2
Dependencies6
  • @itwin/core-i18n5.10.0-dev.22
  • @itwin/webgl-compatibility5.10.0-dev.22
  • @loaders.gl/core~4.3.4
  • @loaders.gl/draco~4.3.4
  • fuse.js^3.3.0
  • wms-capabilities0.4.0