PkgRadar

Package evidence

@manisranjan/[email protected]

Credential file access: matched "GITHUB_TOKEN"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
2
First published
May 2026
Publisher
manisranjan

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@manisranjan/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@manisranjan/[email protected]"],"fail_on":"review"}'
Publishermanisranjan
Artifact bytes575,868
Previous version3.2.0-beta.0
Published2026-05-26T06:45:10.670Z
SHA-256060caa5764774c7e125184ce1cc149d861de16443e9be8c7baa39df83ab919dd

Why flagged

What the scanner saw

Credential file access: matched "GITHUB_TOKEN"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
6Score
3.2.0-beta.1Version
Status history (1 event)
  1. newavailable · risk review · score 6 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/.github/workflows/boilerplate-integration.yamlmatched "GITHUB_TOKEN"3
lowCredential file accesspackage/.github/workflows/pr-release-alpha.yamlmatched "NPM_TOKEN"3

Manifest

Package metadata

Scripts20
  • analyzeANALYZE=true elsie build
  • buildelsie build
  • build:ciexport PR_VERSION=${VERSION_PARAM#*=} && mkdir -p ./dist/${PR_VERSION} && elsie build --outDir=./dist/${PR_VERSION}; cp -r ./static/* ./dist/${PR_VERSION}/. ; storybook build -o ./dist/${PR_VERSION}/storybook --disable-telemetry; cp ./static/index.html ./dist/.
  • build:storybookstorybook build --disable-telemetry
  • changesetchangeset
  • changeset:alphachangeset version --snapshot alpha
  • changeset:publishchangeset publish
  • changeset:statuschangeset status
  • changeset:versionchangeset version
  • clean:reportsrm -R -f cypress/reports && mkdir cypress/reports
  • cypress:localconcurrently 'npm run serve:static' 'cd cypress && yarn install && yarn test'
  • cypress:mochawesomecd cypress && yarn cypress:mochawesome:merge && yarn cypress:mochawesome:m2e && yarn cypress:mochawesome:html
  • devconcurrently 'npm run storybook' 'npm run serve'
  • lintelsie lint --max-warnings=0
  • prebuild:ciecho "Building PR version: ${VERSION_PARAM:-"."}"
  • serveconcurrently 'elsie serve' 'wait-on tcp:${PORT:=3002} && alive-server ./examples/html-host --port=3000 --watch=../../dist/reload'
  • storybookelsie storybook
  • testelsie test
  • test:cijest --config jest.config.js --maxWorkers=50% --passWithNoTests --coverage
  • test:cypress:ciyarn clean:reports && cd cypress && yarn install && cross-env TZ=utc yarn cypress run --headed --browser chrome --config baseUrl=${DEPLOY_URL}
Dependencies7
  • @adobe-commerce/elsie1.8.1
  • @adobe-commerce/event-bus~1.0.1
  • @adobe-commerce/fetch-graphql~1.2.3
  • @adobe-commerce/recaptcha~1.1.0
  • @adobe-commerce/storefront-design~1.0.0
  • @dropins/build-tools~1.1.0
  • preact~10.29.1