Package evidence
@juspay/[email protected]
Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 7,170Niche · −30% score
- Versions published
- 373Mature · −50% score
- First published
- Jun 2025
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@juspay/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@juspay/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 30 · status changed
Evidence
Static findings
44 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Credential file access | package/dist/lib/providers/googleVertex.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/providers/googleVertex.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/lib/utils/providerHealth.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/utils/providerHealth.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/adapters/video/vertexVideoHandler.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/lib/adapters/video/vertexVideoHandler.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/adapters/video/videoAnalyzer.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/lib/adapters/video/videoAnalyzer.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
Show all 44 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Credential file access | package/dist/lib/providers/googleVertex.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/providers/googleVertex.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/lib/utils/providerHealth.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/utils/providerHealth.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/adapters/video/vertexVideoHandler.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/lib/adapters/video/vertexVideoHandler.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/adapters/video/videoAnalyzer.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| medium | Credential file access | package/dist/lib/adapters/video/videoAnalyzer.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 10 |
| low | Credential file access | package/dist/action/actionInputs.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/dist/lib/action/actionInputs.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/dist/lib/providers/amazonBedrock.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/providers/amazonBedrock.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/cli/factories/commandFactory.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/lib/providers/sagemaker/config.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/providers/sagemaker/config.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/agent/directTools.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/lib/agent/directTools.js | matched ".ssh/" | 5 |
| low | Credential file access | package/dist/lib/providers/sagemaker/error-constants.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/providers/sagemaker/error-constants.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/cli/errorHandler.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/lib/processors/config/fileTypes.js | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/processors/config/fileTypes.js | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/lib/voice/providers/GoogleSTT.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/dist/voice/providers/GoogleSTT.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/dist/adapters/tts/googleTTSHandler.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/dist/lib/adapters/tts/googleTTSHandler.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/dist/cli/utils/interactiveSetup.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/lib/processors/config/languageMap.js | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/processors/config/languageMap.js | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/core/modelConfiguration.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/lib/core/modelConfiguration.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/lib/neurolink.js | matched "google_application_credentials" | 5 |
| low | Credential file access | package/dist/neurolink.js | matched "google_application_credentials" | 5 |
| low | Credential file access | package/dist/lib/utils/providerConfig.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/utils/providerConfig.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/lib/utils/providerSetupMessages.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/dist/utils/providerSetupMessages.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/dist/lib/utils/providerUtils.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/utils/providerUtils.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/cli/factories/sagemakerCommandFactory.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/dist/cli/commands/setup-bedrock.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/dist/cli/commands/setup-gcp.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/dist/cli/commands/setup.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Large Javascript Payload | package/dist/browser/neurolink.min.js | 4859687 bytes | 0 |
Manifest
Package metadata
Scripts149
// ===== NEUROLINK DEVELOPER EXPERIENCE ENHANCEMENT 2.0 =====// Build & Deploy (Complete Pipeline)// Build Rule Enforcement Scripts// CI tier — fast, no live AI calls, safe for every commit// CI tier — live providers, runs only when API keys are present (test:credentials and test:dynamic make real provider calls when keys are set, so they live here, not in test:unit)// CI tier — product output (image/video/TTS/PPT) — costs $$ per run// Content Generation (Cross-platform JS)// Development & Monitoring// Documentation (Docusaurus)// Documentation Automation (Legacy MkDocs)// Environment & Setup (pnpm-first)// Project Management & Analysis// Proxy Observability (Local OpenObserve)// Quality & Maintenance// Release & Publishing// Shell Script Conversion// Testing (Continuous Test Suites)auditpnpm auditbuildvite build && pnpm run prepackbuild:actionncc build src/action/index.ts -o action-dist --source-mapbuild:browsernode scripts/build-browser.mjsbuild:browser:devnode scripts/build-browser.mjs --devbuild:cliecho 'Building CLI...' && svelte-kit sync && tsc --project tsconfig.cli.jsonbuild:cli:bundlenode scripts/bundle-cli.mjsbuild:cli:bundle:minifynode scripts/bundle-cli.mjs --minifybuild:cli:linkpnpm run build:cli && pnpm link --globalbuild:completetsx tools/automation/buildSystem.tsbuild:react-hooksnpx tsc --jsx react-jsx --module nodenext --moduleResolution nodenext --target esnext --esModuleInterop --skipLibCheck --outDir dist --declaration false src/lib/client/reactHooks.tsxchangesetchangesetchangeset:versionchangeset version && git add --all- …and 119 more.
Dependencies51
@ai-sdk/anthropic^3.0.50@ai-sdk/mistral^3.0.21@ai-sdk/openai^3.0.37@ai-sdk/provider^3.0.8@anthropic-ai/sdk^0.102.0@anthropic-ai/vertex-sdk^0.16.0@aws-sdk/client-bedrock^3.1000.0@aws-sdk/client-bedrock-runtime^3.1000.0@aws-sdk/client-sagemaker-runtime^3.1000.0@aws-sdk/credential-provider-node^3.886.0@aws-sdk/types^3.862.0@google-cloud/text-to-speech^6.4.0@google-cloud/vertexai^1.10.0@google/genai^1.43.0@huggingface/inference^4.13.14@modelcontextprotocol/sdk^1.27.1@opentelemetry/api-logs^0.214.0@opentelemetry/context-async-hooks^2.6.1@opentelemetry/core^2.6.0@opentelemetry/exporter-logs-otlp-http^0.214.0@opentelemetry/exporter-metrics-otlp-http^0.214.0@opentelemetry/exporter-trace-otlp-http^0.214.0@opentelemetry/resources^2.6.0@opentelemetry/sdk-logs^0.214.0@opentelemetry/sdk-metrics^2.6.1@opentelemetry/sdk-trace-base^2.6.0@opentelemetry/semantic-conventions^1.40.0adm-zip^0.5.16ai^6.0.134chalk^5.6.2- …and 21 more.
Optional dependencies34
@aws-sdk/client-sagemaker^3.1000.0@fastify/cors^11.2.0@fastify/rate-limit^10.3.0@hono/node-server^1.19.13@koa/cors^5.0.0@koa/router^15.3.1@langfuse/otel^5.0.1@livekit/agents^1.4.5@livekit/agents-plugin-cartesia^1.4.5@livekit/agents-plugin-deepgram^1.4.5@livekit/agents-plugin-elevenlabs^1.4.5@livekit/agents-plugin-livekit^1.4.5@livekit/agents-plugin-silero^1.4.5@livekit/agents-plugin-soniox^1.4.5@livekit/rtc-node^0.13.29@picovoice/cobra-node^3.0.2bullmq^5.52.2cors^2.8.5exceljs^4.4.0express^5.1.0express-rate-limit^8.2.1fastify^5.7.2ffmpeg-static^5.3.0fluent-ffmpeg^2.1.3koa^3.1.1koa-bodyparser^4.4.1livekit-server-sdk^2.15.4mammoth^1.11.0mediabunny^1.40.1music-metadata^11.11.2- …and 4 more.