PkgRadar

Package evidence

@manisranjan/[email protected]

Credential file access: matched "GITHUB_TOKEN"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
2
First published
May 2026
Publisher
manisranjan

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@manisranjan/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@manisranjan/[email protected]"],"fail_on":"review"}'
Publishermanisranjan
Artifact bytes850,237
Previous version3.2.0-beta.1
Published2026-05-26T06:53:46.934Z
SHA-256b05cff5d31a6d92325b2176ce7fbd55802ea6b4a99ebffafdba7419267e1c042

Why flagged

What the scanner saw

Credential file access: matched "GITHUB_TOKEN"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
6Score
3.2.1-beta.1Version
Status history (1 event)
  1. newavailable · risk review · score 6 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/.github/workflows/boilerplate-integration.yamlmatched "GITHUB_TOKEN"3
lowCredential file accesspackage/.github/workflows/pr-release-alpha.yamlmatched "NPM_TOKEN"3

Manifest

Package metadata

Scripts39
  • analyzeANALYZE=true elsie build --config=./vite.config.mjs
  • buildelsie build --config=./vite.config.mjs
  • build:ci./scripts/build.sh
  • build:storybookstorybook build --disable-telemetry
  • changesetchangeset
  • changeset:alphachangeset version --snapshot alpha
  • changeset:publishchangeset publish
  • changeset:statuschangeset status
  • changeset:versionchangeset version
  • check-updatesnode scripts/update-dependencies.js
  • clean:reportsrm -R -f cypress/reports && mkdir cypress/reports
  • collect-coveragecp coverage/storybook/coverage-storybook.json coverage/ && npx nyc report -r json -r lcov -r cobertura -t coverage --report-dir coverage
  • cypress:localconcurrently 'npm run serve' 'cd cypress && yarn install && yarn test'
  • cypress:mochawesomecd cypress && yarn cypress:mochawesome:merge && yarn cypress:mochawesome:m2e && yarn cypress:mochawesome:html
  • devconcurrently 'npm run storybook' 'npm run serve'
  • generate:api:mockselsie gql mocks
  • generate:api:typeselsie gql types
  • generate:translationsnode scripts/generate-translations.js
  • lighthouselighthouse --output html --output-path ./reports/lighthouse.html --view
  • lintelsie lint --max-warnings=0
  • prebuild:ciecho "Building PR version: ${VERSION_PARAM:-"."}"
  • predeploynpm run build:storybook
  • preparehusky
  • serveconcurrently 'NODE_ENV=development elsie serve --config=./vite.config.mjs' 'wait-on tcp:${PORT:=3004} && alive-server ./examples/html-host/ --port=3000 --no-browser --watch=../../dist/reload' 'wait-on http://localhost:3000/index.html && open http://localhost:3000/index.html'
  • serve:b2bconcurrently 'NODE_ENV=development elsie serve --config=./vite.config.mjs' 'wait-on tcp:${PORT:=3004} && alive-server ./examples/html-host --port=3000 --no-browser --watch=../../dist/reload' 'wait-on http://localhost:3000/index-b2b.html && open http://localhost:3000/index-b2b.html'
  • serve:b2b-quoteconcurrently 'NODE_ENV=development elsie serve --config=./vite.config.mjs' 'wait-on tcp:${PORT:=3004} && alive-server ./examples/html-host --port=3000 --no-browser --watch=../../dist/reload' 'wait-on http://localhost:3000/index-b2b-quote.html && open http://localhost:3000/index-b2b-quote.html'
  • serve:multistepconcurrently 'NODE_ENV=development elsie serve --config=./vite.config.mjs' 'wait-on tcp:${PORT:=3004} && alive-server ./examples/html-host --port=3000 --no-browser --watch=../../dist/reload' 'wait-on http://localhost:3000/index-multistep.html && open http://localhost:3000/index-multistep.html'
  • serve:with-extensionsconcurrently 'NODE_ENV=development elsie serve --config=./vite.config.mjs' 'wait-on tcp:${PORT:=3004} && alive-server ./examples/html-host --port=3000 --no-browser --watch=../../dist/reload' 'wait-on http://localhost:3000/index-with-extensions.html && open http://localhost:3000/index-with-extensions.html'
  • storybookelsie storybook
  • testelsie test
  • …and 9 more.
Dependencies8
  • @adobe-commerce/elsie~1.8.0
  • @adobe-commerce/event-bus~1.0.1
  • @adobe-commerce/fetch-graphql~1.2.3
  • @adobe-commerce/storefront-design~1.0.0
  • @dropins/build-tools~1.0.1
  • dompurify^3.2.6
  • glob^11.0.3
  • preact~10.22.1