PkgRadar

Package evidence

@microsoft/[email protected]

Credential file access: matched ".azure\\"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 1,689 · Niche · −30% score
Versions published: 487 · Mature · −50% score
First published: Apr 2022
Publisher: GitHub Actions · Trusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@microsoft/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@microsoft/[email protected]"],"fail_on":"review"}'

Artifact bytes: 419,375
Previous version: 1.8.4-main.1167acf
Published: 2026-06-05T23:02:05.408Z
SHA-256: b360bba39170da6cefcca84e29d7cab8808521601309fd6dc3799e8b6cf56a6f

Why flagged

What the scanner saw

Credential file access: matched ".azure\\"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 3
Version: 1.8.4-main.11a7566
Status history (1 event)
  1. new · available · risk review · score 3 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 2 findings (low-signal and informational):

| Severity | Kind | Path | Detail | Points |
| --- | --- | --- | --- | --- |
| low | Credential file access | package/lib/cjs/common/telemetry/loggers/appInsightsLogger.js | matched ".azure\\" | 5 |
| low | Credential file access | package/lib/esm/common/telemetry/loggers/appInsightsLogger.js | matched ".azure\\" | 5 |

Manifest

Package metadata

Scripts (40)
  • build: yarn clean && yarn lint && yarn build:esm && yarn build:cjs && tsc
  • build-composite-storybook: cross-env NODE_OPTIONS=--openssl-legacy-provider build-storybook -c stories/.storybook -o storybook-build
  • build-sample: yarn build && cross-env NODE_OPTIONS=--openssl-legacy-provider webpack --config ./webpack.config.cjs
  • build-sample:dev: yarn build && cross-env NODE_OPTIONS=--openssl-legacy-provider webpack --config ./webpack.dev.config.cjs
  • build-storybook: cross-env NODE_OPTIONS=--openssl-legacy-provider build-storybook
  • build:cjs: babel ./src --config-file ./babel.config.json --out-dir lib/cjs --extensions .ts,.js,.tsx --ignore **/*.test.ts,**/*.stories.tsx,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx
  • build:cjs:watch: babel ./src --config-file ./babel.config.json --out-dir lib/cjs --extensions .ts,.js,.tsx --watch --ignore **/*.test.ts,**/*.stories.tsx,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx
  • build:esm: babel ./src --config-file ./babel.esm.config.json --out-dir lib/esm --extensions .ts,.js,.tsx --ignore **/*.test.ts,**/*.stories.tsx,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx
  • build:esm:watch: babel ./src --config-file ./babel.esm.config.json --out-dir lib/esm --extensions .ts,.js,.tsx --watch --ignore **/*.test.ts,**/*.stories.tsx,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx
  • build:umd: webpack --config ./webpack.umd.config.cjs
  • clean: rimraf lib
  • compose-storybook: start-storybook -c stories/.storybook -p 9009
  • danger:prepush: yarn danger local --dangerfile dangerfile.js --base main
  • dev: concurrently "yarn build:esm:watch" "webpack --config ./webpack.config.cjs --watch"
  • lint: yarn eslint . --max-warnings=0
  • prepare: cd .. && husky chat-widget/.husky
  • prepush: yarn lint && yarn danger:prepush
  • pretest:visual: yarn playwright install
  • scan:a11y: yarn build-storybook && yarn scan:a11y:axe && yarn scan:a11y:insights
  • scan:a11y:axe: node ../tools/accessibility/axeScan.cjs
  • scan:a11y:axe:build: yarn build-storybook && yarn scan:a11y:axe
  • scan:a11y:axe:gated: node ../tools/accessibility/axeScan.cjs --gate-rules image-alt,button-name
  • scan:a11y:insights: node ../tools/accessibility/insightsScan.cjs
  • scan:a11y:insights:build: yarn build-storybook && yarn scan:a11y:insights
  • storybook: start-storybook -p 6006
  • test:a11y: jest -c jest.config.a11y.cjs --runInBand --force-exit
  • test:all: yarn test:unit && yarn test:visual
  • test:e2e: cd automation_tests && yarn test
  • test:e2e:build: yarn build-sample && cd automation_tests && yarn test
  • test:unit: jest -c jest.config.unit.cjs --env=jsdom --runInBand --force-exit
  • …and 10 more.
Dependencies (19)
  • @azure/core-tracing ^1.2.0
  • @microsoft/applicationinsights-web ^3.3.6
  • @microsoft/omnichannel-chat-components 1.1.17-main.5b3f077
  • @microsoft/omnichannel-chat-sdk 1.11.9-main.47a6498
  • @opentelemetry/api ^1.9.0
  • abort-controller ^3
  • abort-controller-es5 ^2.0.1
  • botframework-webchat 4.18.1-hotfix.20260308.b15b405
  • core-js-pure ^3.42.0
  • dompurify ^3.2.4
  • markdown-it ^12.3.2
  • markdown-it-attrs ^4.1.6
  • markdown-it-attrs-es5 ^2.0.2
  • markdown-it-for-inline ^0.1.1
  • md5-typescript ^1.0.5
  • p-defer-es5 ^2.0.1
  • sanitize-html 2.14.0
  • simple-update-in 2.2.0
  • slack-markdown-it ^1.0.5