Package evidence

@naturalcycles/[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 416Mature · −50% score
First published: Feb 2019
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@naturalcycles/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@naturalcycles/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes72,018

Previous version9.61.0

Published2026-06-10T06:37:27.095Z

SHA-2567aa690062c9fc8f562a8ed06e53bda63f787e6227e3aae423d610f2997437584

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

38h agoLast checked

reviewRisk

3Score

9.62.0Version

Status history (1 event)

new → available38h ago · risk review · score 3 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 2 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/dist/deploy/deployPrepare.js	matched ".npmrc"	5
low	Credential file access	package/src/deploy/deployPrepare.ts	matched ".npmrc"	5

Manifest

Package metadata

Scripts13

btdev-lib bt
builddev-lib build
checkdev-lib check
cleandev-lib clean
deploy-gaetsx src/bin/deploy-gae.ts
deploy-health-check-debug1tsx src/bin/deploy-health-check.ts --url https://api-master.naturalcycles.com
deploy-health-check-debug2tsx src/bin/deploy-health-check.ts --url https://api-master2.naturalcycles.com --thresholdUnhealthy 5
deploy-preparetsx src/bin/deploy-prepare.ts
deploy-prepare-debugAA=AA1 BB=BB1 tsx src/bin/deploy-prepare.ts --projectDir ./src/test/project
devAPP_ENV=dev tsx watch src/test/server/server.ts
lintdev-lib lint
testdev-lib test
typecheckdev-lib typecheck

Dependencies21

@naturalcycles/db-lib^10
@naturalcycles/js-lib^15
@naturalcycles/nodejs-lib^15
@types/body-parser^1
@types/compressible^2
@types/cookie-parser^1
@types/cors^2
@types/express^5
@types/on-finished^2
@types/on-headers^1
@types/vary^1
compressible^2
cookie-parser^1
cors^2
express^5
helmet^8
negotiator^1
on-finished^2
on-headers^1
tslib^2
vary^1