PkgRadar

Package evidence

@mohasinac/[email protected]

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
266
Versions published
106
First published
Apr 2026
Publisher
mohasinac

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@mohasinac/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@mohasinac/[email protected]"],"fail_on":"review"}'
Publishermohasinac
Artifact bytes2,291,958
Previous version2.8.8
Published2026-06-10T20:22:35.540Z
SHA-2565b6d752b854f2763d68f7c8279c7a12165625018188da4f2210d1e6d63f24325

Why flagged

What the scanner saw

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
10Score
2.8.9Version
Status history (1 event)
  1. newavailable · risk review · score 10 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/providers/db-firebase/admin-app-lite.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/providers/db-firebase/admin.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5

Manifest

Package metadata

Scripts19
  • auditnode scripts/audit-violations.mjs
  • audit:action-confirmationnode scripts/audit-action-confirmation.mjs
  • audit:appkit-reexportsnode scripts/audit-appkit-reexports.mjs
  • audit:create-with-idnode scripts/audit-create-with-id.mjs
  • audit:css-importsnode scripts/audit-css-imports.mjs
  • audit:listing-indicesnode scripts/audit-listing-indices.mjs
  • audit:listing-type-readsnode scripts/audit-listing-type-reads.mjs
  • audit:paginated-selectnode scripts/audit-paginated-select.mjs
  • audit:route-stringsnode scripts/audit-route-strings.mjs
  • audit:sieve-viewsnode scripts/audit-sieve-constants-views.mjs
  • buildnode -e "const fs=require('fs');try{fs.rmSync('tsconfig.build.tsbuildinfo')}catch(e){}" && tsc -p tsconfig.build.json && node scripts/copy-assets.mjs && tailwindcss -i src/tailwind-input.css -o dist/tailwind-utilities.css --minify && node scripts/bundle-css.mjs && node scripts/verify-css-build.mjs
  • checknpm run check:types && npm run check:audits
  • check:auditsnode scripts/audit-violations.mjs && node scripts/verify-entries.mjs && node scripts/verify-css-build.mjs && node scripts/audit-use-client.mjs && node scripts/audit-double-navigation.mjs && node scripts/audit-repository-fields.mjs && node scripts/audit-query-provider.mjs && node scripts/audit-export-paths.mjs && node scripts/audit-listing-indices.mjs --summary-only && node scripts/audit-listing-type-reads.mjs && node scripts/audit-create-with-id.mjs && node scripts/audit-css-imports.mjs && node scripts/audit-appkit-reexports.mjs && node scripts/audit-action-confirmation.mjs && node scripts/audit-route-strings.mjs && node scripts/audit-paginated-select.mjs && node scripts/audit-sieve-constants-views.mjs
  • check:typestsc --noEmit
  • prepublishOnlynpm run build
  • testvitest run --passWithNoTests
  • test:watchvitest
  • watchconcurrently --kill-others --restart-tries 0 --names "ts,css" "tsc -p tsconfig.build.json --watch" "npm run watch:css"
  • watch:csstailwindcss -i src/tailwind-input.css -o dist/tailwind-utilities.css --watch
Dependencies6
  • @mohasinac/sievejs^1.0.0
  • motion^12.40.0
  • react-advanced-cropper^0.20.1
  • tailwind-merge^3.3.0
  • zod^3.24.0
  • zustand^5.0.13