Package evidence

@openapiserver/[email protected]

Credential File Packaged: package/examples/.env

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 3
First published: Feb 2026
Publisher: zeno_begnini

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@openapiserver/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@openapiserver/[email protected]"],"fail_on":"high"}'

Publisherzeno_begnini

Artifact bytes38,977

Previous version4.5.8

Published2026-02-05T10:47:56.430Z

SHA-2569a66e548b57ccfbee33f65173d0b5d78ed35f9c079cc69cdc81e548c0c9e7e82

Why flagged

What the scanner saw

Credential File Packaged: package/examples/.env

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

14h agoLast checked

highRisk

35Score

5.0.0Version

Status history (1 event)

new → available14h ago · risk high · score 35 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential File Packaged	package/examples/.env	package/examples/.env	35

Manifest

Package metadata

Scripts10

buildtsc
changelogauto-changelog -u --release-summary
coveragejest --coverage
examplenpm run build && node dist/cli.js -l --API_YML /examples/api.yml --API_PREFIX /api --STATIC_PATH /examples/static --MOCKS_PATH /examples/mocks
install:typestypesync
preparenpm run build
preversionnpm run build && npm run changelog
startnpm run build && node dist/cli.js
tddjest --watch
testjest

Dependencies24

ajv^7.2.4
axios^1.13.4
commander^7.2.0
compression^1.8.1
cors^2.8.6
dotenv^8.6.0
dotenv-expand^5.1.0
express^4.22.1
glob^7.2.3
jest-transform-stub^2.0.0
js-yaml^4.1.1
json-refs^3.0.15
json-schema-resolve-allof^1.5.0
lodash^4.17.23
mock-express-request^0.2.2
mock-express-response^0.3.0
node-fetch^2.7.0
openapi-schema-validator^7.2.3
openapi-types^7.2.3
postman-request^2.88.1-postman.8-beta.1
request^2.88.2
request-promise^4.2.6
tslib^2.8.1
typescript^5.9.3