Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 53Mature · −50% score
- First published
- May 2018
- Publisher
- germanbisurgi
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@json-editor/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@json-editor/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential File Packaged: package/.env
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 17 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential File Packaged | package/.env | package/.env | 35 |
Manifest
Package metadata
Scripts26
buildnpm run build.prod && npm run build.nonminbuild.devwebpack --config config/webpack.dev.js --progress --profile --bailbuild.nonminwebpack --config config/webpack.nonmin.js --progress --profile --bailbuild.nonmin.traviswebpack --config config/webpack.nonmin.js --env travis --progress --profile --bailbuild.prodwebpack --config config/webpack.prod.js --progress --profile --bailcleannpm run clean.css.jsclean.css.jsfind ./src -name *.css.js -type f -deletecp:fulltestcodeceptjs run --stepscp:fulltestmochacodeceptjs run --steps --reporter mochawesomecp:testcodeceptjs run --steps --invert --grep @optionalcp:testmochacodeceptjs run --steps --reporter mochawesome --invert --grep @optionaldebugwebpack-dev-server --config config/webpack.dev.js --progressdebug.nonminwebpack-dev-server --config config/webpack.nonmin.js --progressdocker-codeceptjsdocker-compose exec node codeceptjs run-multiple --config /repo/tests/codeceptjs/codecept.json basic:chrome --invert --grep '@optional'docker-prepare-codeceptjsdocker-compose run --rm node npm install && docker-compose run --rm node npm run build && docker-compose up -d && docker-compose psdocker-testnpm run docker-prepare-codeceptjs && npm run docker-codeceptjseslinteslint -c ./.eslintrc src/**/*.jseslint.fixeslint -c ./.eslintrc src/**/*.js --fixpostversiongit push && git push --tags && npm publish ./ --access publicpreparenpm run buildpreversionnpm run test-headless && npm run docker-testserve-testhttp-server --p 9001testkarma start config/karma.conf.js --browsers Chrome --log-level debugtest-headlesskarma start config/karma.conf.js --singleRun true --browsers ChromeHeadlesswatchwebpack --config config/webpack.nonmin.js --watchwinservercd tests && start cmd /c npm run serve-test .
Dependencies1
core-js^3.27.2