Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 2
- First published
- Jun 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@michaelthielemann/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@michaelthielemann/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched ".npmrc"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 1 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/bin/init.js | matched ".npmrc" | 5 |
Manifest
Package metadata
Scripts26
buildnode ./scripts/build.jsdevnode ./scripts/dev.jsdev:buildnuxi build playgrounddev:pgcross-env NUXT_PRUVIOUS_DATABASE=postgresql://pruvious:[email protected]:5433/pruvious node ./scripts/dev.jsdev:preparenuxt-module-build build --stub && nuxt-module-build prepare && nuxi prepare playgrounddev:rediscross-env NUXT_PRUVIOUS_REDIS=redis://127.0.0.1:6380/0 node ./scripts/dev.jsdev:s3cross-env NUXT_PRUVIOUS_UPLOADS_DRIVE_TYPE=s3 NUXT_PRUVIOUS_UPLOADS_DRIVE_KEY=pruvious NUXT_PRUVIOUS_UPLOADS_DRIVE_SECRET=pruvious NUXT_PRUVIOUS_UPLOADS_DRIVE_BUCKET=pruvious NUXT_PRUVIOUS_UPLOADS_DRIVE_REGION=pruvious NUXT_PRUVIOUS_UPLOADS_DRIVE_ENDPOINT=http://127.0.0.1:9000 NUXT_PRUVIOUS_UPLOADS_DRIVE_BASE_URL=http://127.0.0.1:9000/pruvious node ./scripts/dev.jsformatprettier --write .linteslint .releasenode ./scripts/release.jstestvitest runtest-uivitest --uitest-ui:pgcross-env NUXT_PRUVIOUS_DATABASE=postgresql://pruvious:[email protected]:5433/pruvious_test vitest --uitest-ui:rediscross-env NUXT_PRUVIOUS_REDIS=redis://127.0.0.1:6380/1 vitest --uitest-ui:s3cross-env NUXT_PRUVIOUS_UPLOADS_DRIVE_TYPE=s3 NUXT_PRUVIOUS_UPLOADS_DRIVE_KEY=pruvious NUXT_PRUVIOUS_UPLOADS_DRIVE_SECRET=pruvious NUXT_PRUVIOUS_UPLOADS_DRIVE_BUCKET=pruvious NUXT_PRUVIOUS_UPLOADS_DRIVE_REGION=pruvious NUXT_PRUVIOUS_UPLOADS_DRIVE_ENDPOINT=http://127.0.0.1:9000 NUXT_PRUVIOUS_UPLOADS_DRIVE_BASE_URL=http://127.0.0.1:9000/pruvious vitest --uitest:componentsvitest run test/componentstest:db-backup-s3cross-env PRUVIOUS_DB_BACKUP_S3_KEY=pruvious PRUVIOUS_DB_BACKUP_S3_SECRET=pruvious PRUVIOUS_DB_BACKUP_S3_BUCKET=pruvious PRUVIOUS_DB_BACKUP_S3_REGION=us-east-1 PRUVIOUS_DB_BACKUP_S3_ENDPOINT=http://127.0.0.1:9000 vitest run --config vitest.db-backup-s3.config.tstest:mysqlcross-env NUXT_PRUVIOUS_DATABASE=mysql://pruvious:[email protected]:3306/pruvious_test vitest runtest:pgcross-env NUXT_PRUVIOUS_DATABASE=postgresql://pruvious:[email protected]:5433/pruvious_test vitest runtest:rediscross-env NUXT_PRUVIOUS_REDIS=redis://127.0.0.1:6380/1 vitest runtest:s3cross-env NUXT_PRUVIOUS_UPLOADS_DRIVE_TYPE=s3 NUXT_PRUVIOUS_UPLOADS_DRIVE_KEY=pruvious NUXT_PRUVIOUS_UPLOADS_DRIVE_SECRET=pruvious NUXT_PRUVIOUS_UPLOADS_DRIVE_BUCKET=pruvious NUXT_PRUVIOUS_UPLOADS_DRIVE_REGION=pruvious NUXT_PRUVIOUS_UPLOADS_DRIVE_ENDPOINT=http://127.0.0.1:9000 NUXT_PRUVIOUS_UPLOADS_DRIVE_BASE_URL=http://127.0.0.1:9000/pruvious vitest runtest:ssgvitest run --config vitest.ssg.config.tstest:ssg-s3cross-env PRUVIOUS_SSG_S3=1 PRUVIOUS_SSG_S3_KEY=pruvious PRUVIOUS_SSG_S3_SECRET=pruvious PRUVIOUS_SSG_S3_BUCKET=pruvious PRUVIOUS_SSG_S3_REGION=us-east-1 PRUVIOUS_SSG_S3_ENDPOINT=http://127.0.0.1:9000 PRUVIOUS_SSG_S3_BASE_URL=http://127.0.0.1:9000/pruvious vitest run --config vitest.ssg-s3.config.tstest:typesvue-tsc --noEmit && cd playground && vue-tsc --noEmittest:watchvitest watchtrynode ./scripts/try.js
Dependencies76
@antfu/utils^0.7.10@aws-sdk/client-s3^3.1053.0@babel/generator^7.29.1@inquirer/editor^1.2.15@node-rs/argon2^2.0.2@nuxt/kit^4.4.6@tiptap/core^3.23.6@tiptap/extension-blockquote^3.23.6@tiptap/extension-bold^3.23.6@tiptap/extension-bullet-list^3.23.6@tiptap/extension-code^3.23.6@tiptap/extension-code-block^3.23.6@tiptap/extension-document^3.23.6@tiptap/extension-dropcursor^3.23.6@tiptap/extension-gapcursor^3.23.6@tiptap/extension-hard-break^3.23.6@tiptap/extension-heading^3.23.6@tiptap/extension-highlight^3.23.6@tiptap/extension-history^3.23.6@tiptap/extension-horizontal-rule^3.23.6@tiptap/extension-italic^3.23.6@tiptap/extension-link^3.23.6@tiptap/extension-list-item^3.23.6@tiptap/extension-ordered-list^3.23.6@tiptap/extension-paragraph^3.23.6@tiptap/extension-placeholder^3.23.6@tiptap/extension-strike^3.23.6@tiptap/extension-subscript^3.23.6@tiptap/extension-superscript^3.23.6@tiptap/extension-text^3.23.6- …and 46 more.