PkgRadar

Package evidence

@nlabs/[email protected]

Credential file access: matched "GITHUB_TOKEN"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 243 (Mature · −50% score)
First published: Apr 2018
Publisher: nitrog7

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI (curl · GitHub Actions)

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@nlabs/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@nlabs/[email protected]"],"fail_on":"review"}'

Publisher: nitrog7
Artifact bytes: 348,502
Previous version: 1.58.2
Published: 2026-05-29T01:42:22.031Z
SHA-256: 320ea5c055c924b30acd339d06c83c5c93bcc5d0eb2d7f5040673b19ec4c89b7

Why flagged

What the scanner saw

Credential file access: matched "GITHUB_TOKEN"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 1
Version: 1.59.0
Status history (1 event)
  1. new available · risk review · score 1 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Severity | Kind | Path | Detail | Points
low | Credential file access | package/lib/commands/ai/ai.js | matched "GITHUB_TOKEN" | 5

Manifest

Package metadata

Scripts (34)
  • build: NODE_ENV=production && rm -rf lib && npx swc src --out-dir ./lib --source-maps inline --strip-leading-paths --extensions .ts,.tsx --ignore '**/*.test.ts' --ignore '**/*.test.tsx' --ignore '**/*.spec.ts' --ignore '**/*.spec.tsx' --ignore '**/*.integration.ts' --ignore '**/*.integration.tsx' --ignore '**/*.e2e.ts' --ignore '**/*.e2e.tsx' && npm run declarations
  • build:ai: NODE_ENV=production && npx swc 'src/commands/ai/**/*.{ts,tsx}' --out-dir ./lib/commands/ai --source-maps inline
  • build:all: npm run build && npm run build:ai
  • ci:build: npm run build && npm run package
  • ci:deploy: npm run prepublishOnly
  • ci:install: npm ci
  • ci:test: npm run lint && npm run type-check && npm run test:unit
  • clean: rm -rf lib node_modules package-lock.json *.log coverage
  • compile: tsc -p tsconfig.build.json
  • declarations: tsc -p tsconfig.build.json
  • env: LEX_CONFIG='{"useTypescript":true}'
  • lint: eslint ./src --fix --no-warn-ignored --ignore-pattern '**/*.js' --ignore-pattern '**/*.md'
  • lint:ai: node ./lib/lex.js lint --fix
  • lint:rebuild: npm run build && npm run lint:ai
  • package: npm run build && npm pack
  • prepublishOnly: npm run build
  • publish:major: npm version major && npm publish
  • publish:minor: npm version minor && npm publish
  • publish:patch: npm version patch && npm publish
  • test: NODE_ENV=test && (npm run lint || true) && npm run test:unit
  • test:all: NODE_ENV=test && npm run test:unit && npm run test:e2e
  • test:cli: NODE_ENV=test && npx vitest run "src/**/*.cli.*"
  • test:commands: NODE_ENV=test && npm run test:cli && npm run test:integration
  • test:coverage: NODE_ENV=test && npx vitest run --coverage
  • test:coverage:upload: codecov
  • test:e2e: NODE_ENV=test && npx playwright test
  • test:integration: NODE_ENV=test && npx vitest run "src/**/*.integration.*"
  • test:unit: NODE_ENV=test && npm run env && npx vitest run
  • test:webpack: node scripts/test-webpack.js
  • type-check: tsc --noEmit --project tsconfig.lint.json
  • …and 4 more.
Dependencies (105)
  • @mdx-js/loader: ^3.1.1
  • @nlabs/webpack-plugin-static-site: *
  • @playwright/test: ^1.60.0
  • @storybook/addon-docs: ^10.4.1
  • @storybook/addon-links: ^10.4.1
  • @storybook/addon-styling-webpack: ^3.0.2
  • @storybook/addon-themes: ^10.4.1
  • @storybook/cli: ^10.4.1
  • @storybook/react: ^10.4.1
  • @storybook/react-webpack5: ^10.4.1
  • @swc/cli: ^0.8.1
  • @swc/core: ^1.15.40
  • @swc/react-compiler: ^1.15.40
  • @tailwindcss/forms: ^0.5.11
  • @tailwindcss/nesting: ^0.0.0-insiders.565cd3e
  • @tailwindcss/postcss: 4.3.0
  • @testing-library/jest-dom: ^6.9.1
  • @testing-library/react: ^16.3.2
  • @vitest/coverage-v8: ^4.1.7
  • assert: ^2.1.0
  • autoprefixer: ^10.5.0
  • boxen: 8.0.1
  • buffer: ^6.0.3
  • caniuse-lite: 1.0.30001793
  • chalk: ^5.6.2
  • commander: ^14.0.3
  • compare-versions: ^6.1.1
  • compression-webpack-plugin: ^12.0.0
  • copy-webpack-plugin: ^14.0.0
  • core-js: ^3.49.0
  • …and 75 more.