Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 362
- Versions published
- 125Established · −30% score
- First published
- Oct 2025
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@quiltdata/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@quiltdata/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched ".npmrc"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 3 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Credential file access | package/dist/bin/commands/publish.js | matched ".npmrc" | 10 |
Manifest
Package metadata
Scripts47
buildtscbuild:cleanrm -rf cdk.out dist */{*.js,*.d.ts}build:synthnpx cdk synthbuild:typechecktsc --noEmitdeploy:devts-node bin/cli.ts deploy --profile devdeploy:notesbash scripts/release-notes.shdeploy:prodts-node bin/cli.ts deploydestroyts-node bin/cli.ts destroydestroy:devts-node bin/cli.ts destroy --profile devdestroy:prodts-node bin/cli.ts destroydevnpm run launch -- --mode native --profile dev --verbosedev:dockernpm run launch -- --mode docker-dev --profile dev --verbosedev:prodnpm run launch -- --mode docker --profile devlaunchts-node bin/xdg-launch.tslinteslint . --ext .ts --fix && make -C docker lintlogsnpm run setup -- logspostbuildchmod +x dist/bin/cli.jsprebuildrm -rf distprepublishOnlynpm run buildsetupts-node bin/cli.tssetup:cleants-node bin/cli.ts cleansetup:devts-node bin/cli.ts --profile devsetup:healthts-node bin/cli.ts health-checksetup:inferts-node bin/commands/infer-quilt-config.tssetup:prodts-node bin/cli.ts --profile prodsetup:profilets-node bin/cli.ts setup-profilesetup:sync-secretsts-node bin/commands/sync-secrets.tstestnpm run lint && npm run build:typecheck && npm run test:ts && npm run test:pythontest:cinpm run lint && npm run build:typecheck && npm run test:unittest:devnpm run deploy:dev -- --yes && make -C docker test-deployed-dev PROFILE=dev TEST_FLAGS=--health-only- …and 17 more.
Dependencies27
@aws-sdk/client-api-gateway^3.953.0@aws-sdk/client-apigatewayv2^3.953.0@aws-sdk/client-cloudformation^3.920.0@aws-sdk/client-cloudwatch-logs^3.933.0@aws-sdk/client-ec2^3.940.0@aws-sdk/client-ecs^3.933.0@aws-sdk/client-elastic-load-balancing-v2^3.932.0@aws-sdk/client-s3^3.758.0@aws-sdk/client-secrets-manager^3.932.0@aws-sdk/client-sts^3.922.0@aws-sdk/credential-providers^3.922.0@types/inquirer^9.0.9@types/lodash.merge^4.6.9adm-zip^0.5.10ajv^8.17.1ajv-formats^3.0.1aws-cdk-lib2.250.0boxen^8.0.0chalk^5.0.0commander^14.0.2constructs^10.0.0dotenv-expand^12.0.3enquirer^2.4.1execa^9.0.0inquirer^12.0.0lodash.merge^4.6.2ora^9.0.0