PkgRadar

Package evidence

@marimo-team/[email protected]

Credential file access: matched "aws_access_key"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
3,487Mature · −50% score
First published
Apr 2024
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@marimo-team/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@marimo-team/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes9,565,896
Previous version0.23.10-dev36
Published2026-06-12T20:40:13.043Z
SHA-2567eb1812c99d379055f12940f1b68eeade8cf32eb952294c5e98d00423661814d

Why flagged

What the scanner saw

Credential file access: matched "aws_access_key"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
4Score
0.23.10-dev37Version
Status history (1 event)
  1. newavailable · risk review · score 4 · status changed

Evidence

Static findings

8 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 8 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/src/components/editor/connections/database/as-code.tsmatched "aws_access_key"5
lowCredential file accesspackage/src/components/editor/connections/database/schemas.tsmatched "aws_access_key"5
lowInstall-time lifecycle scriptpackage.jsonpreinstall="npx only-allow pnpm"5
lowObfuscation Densitypackage/dist/chunk-5FQGJX7Z-BNjes6Yx.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/dist/chunk-B4BG7PRW-BL98U9B4.jshigh encoded/escaped-token density0
lowLarge Javascript Payloadpackage/dist/node-sql-parser-B8nBD36q.js4602987 bytes0
lowLarge Javascript Payloadpackage/dist/Plot-CAYS29h9.js8384833 bytes0
lowObfuscation Densitypackage/dist/zod-aLSua2NL.jshigh encoded/escaped-token density0

Manifest

Package metadata

Scripts19
  • buildcross-env vite build
  • build-storybookstorybook build
  • build:islandscross-env VITE_MARIMO_ISLANDS=true vite --config islands/vite.config.mts build
  • build:watchvite build --watch --outDir ../marimo/_static
  • cicross-env CI=true run-s lint typecheck test build
  • devvite
  • dev:islandscross-env VITE_MARIMO_ISLANDS=true vite --config islands/vite.config.mts
  • dev:quartoVITE_MARIMO_ISLANDS=true vite
  • formatoxfmt --config ../.oxfmtrc.json
  • lintrun-s lint:oxlint lint:stylelint
  • lint:oxlintoxlint --fix
  • lint:stylelintstylelint src/**/*.css --fix
  • preinstallnpx only-allow pnpm
  • previewvite preview
  • preview:islandscross-env VITE_MARIMO_VERSION='0.4.6' VITE_MARIMO_ISLANDS=true vite --config islands/vite.config.mts build
  • startvite
  • storybookstorybook dev -p 6006
  • testvitest
  • typechecktsgo
Dependencies142
  • @ai-sdk/react^3.0.134
  • @anywidget/types^0.2.0
  • @codemirror/autocomplete^6.20.1
  • @codemirror/commands^6.10.2
  • @codemirror/lang-markdown^6.5.0
  • @codemirror/lang-python^6.2.1
  • @codemirror/lang-sql^6.10.0
  • @codemirror/language^6.12.2
  • @codemirror/language-data^6.5.2
  • @codemirror/legacy-modes^6.5.2
  • @codemirror/lint^6.9.5
  • @codemirror/merge^6.12.0
  • @codemirror/search^6.6.0
  • @codemirror/state^6.5.4
  • @codemirror/theme-one-dark^6.1.3
  • @codemirror/view^6.39.16
  • @dagrejs/dagre^1.1.8
  • @date-fns/tz^1.4.1
  • @dnd-kit/core^6.3.1
  • @dnd-kit/modifiers^9.0.0
  • @dnd-kit/sortable^10.0.0
  • @dnd-kit/utilities^3.2.2
  • @emotion/cache^11.14.0
  • @emotion/react^11.14.0
  • @glideapps/glide-data-grid6.0.4-alpha9
  • @hookform/resolvers^5.2.2
  • @img-comparison-slider/react^8.0.2
  • @internationalized/date^3.10.1
  • @lezer/common^1.5.1
  • @lezer/highlight^1.2.3
  • …and 112 more.