PkgRadar

Package evidence

@notty/[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
16
First published
Dec 2025
Publisher
anvpro

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@notty/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@notty/[email protected]"],"fail_on":"review"}'

Publisher: anvpro
Artifact bytes: 19,861,565
Previous version: 0.14.0
Published: 2026-06-06T20:25:04.091Z
SHA-256: de8ca4550ec16cc4398b660662ef4be43801f7b6ef8a1cff4258dbfe36ec0f94

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 31
Version: 1.0.0
Status history (1 event)
  1. new · available · risk review · score 31 · status changed

Evidence

Static findings

8 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 8 findings (low-signal and informational)

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/.output/server/node_modules/google-auth-library/build/src/auth/defaultawssecuritycredentialssupplier.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/.output/server/node_modules/google-auth-library/build/src/auth/googleauth.js | matched "GOOGLE_APPLICATION_CREDENTIALS" | 5 |
| low | Credential file access | package/.output/server/node_modules/@aws-sdk/credential-provider-env/dist-cjs/index.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/.output/server/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/index.js | matched "aws_access_key" | 5 |
| low | Credential file access | package/.output/server/node_modules/@aws-sdk/credential-provider-node/dist-cjs/index.js | matched "AWS_ACCESS_KEY" | 5 |
| low | Credential file access | package/.output/server/node_modules/@aws-sdk/credential-provider-ini/package.json | matched ".aws/" | 3 |
| low | Credential file access | package/.output/server/node_modules/@aws-sdk/credential-provider-process/package.json | matched ".aws/" | 3 |
| low | Large Javascript Payload | package/.output/server/chunks/nitro/nitro.mjs | 2440942 bytes | 0 |

Manifest

Package metadata

Scripts: 20
  • build → pnpm build:server && pnpm postbuild && pnpm build:cli
  • build:cli → tsup
  • build:libs → tsup
  • build:server → nitro build
  • clean → rm -rf .output dist
  • dev → nitro dev
  • lint → eslint src
  • lint:fix → eslint src --fix
  • postbuild → node -e "const fs = require('fs'); const path = require('path'); const bundled = ['better-sqlite3', 'pg-native', 'graphql']; bundled.forEach(m => { const p = path.join('.output/server/node_modules', m); if(fs.existsSync(p)) { fs.rmSync(p, {recursive:true}); console.log('Removed bundled runtime module:', m); } });"
  • preview → nitro preview
  • start → node .output/server/index.mjs
  • test → vitest run --config vitest.config.ts
  • test:coverage → vitest run --config vitest.config.ts --coverage
  • test:full → pnpm test:unit && pnpm test:integration
  • test:integration → vitest run --config vitest.integration.config.ts
  • test:ui → vitest --ui --config vitest.config.ts
  • test:unit → vitest run --config vitest.unit.config.ts
  • test:watch → vitest watch --config vitest.config.ts
  • type-check → tsc --noEmit
  • validate → pnpm type-check && pnpm lint && pnpm test:full
Dependencies: 29
  • @node-rs/argon2 ^2.0.2
  • @notty/core 1.0.0
  • @notty/database 1.0.0
  • @notty/locales 1.0.0
  • @notty/modules 1.0.0
  • @notty/plugin-api 1.0.0
  • @notty/types 1.0.0
  • @opentelemetry/api ^1.9.0
  • @opentelemetry/exporter-trace-otlp-http ^0.55.0
  • @opentelemetry/instrumentation-http ^0.55.0
  • @opentelemetry/instrumentation-pg ^0.49.0
  • @opentelemetry/resources ^1.28.0
  • @opentelemetry/sdk-node ^0.55.0
  • @opentelemetry/semantic-conventions ^1.28.0
  • bcryptjs ^3.0.2
  • better-sqlite3 ^12.4.1
  • chokidar ^4.0.3
  • dotenv ^16.4.5
  • drizzle-orm ^0.36.1
  • esbuild ^0.24.2
  • graphql ^16.13.2
  • graphql-yoga ^5.18.1
  • h3 ^1.12.0
  • jsonwebtoken ^9.0.2
  • mysql2 ^3.11.3
  • pg ^8.13.0
  • pino ^9.5.0
  • prom-client ^15.1.3
  • sharp ^0.34.5