Package evidence

@rh-support/[email protected]

Credential File Packaged: package/.env

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 1,190Niche · −30% score
Versions published: 1,008Mature · −50% score
First published: Jul 2019
Publisher: vrathee

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@rh-support/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@rh-support/[email protected]"],"fail_on":"review"}'

Publishervrathee

Artifact bytes3,132,506

Previous versionnone

Published2019-07-31T14:56:12.618Z

SHA-2565e4599201aa87def29b4960d3a9b250a0978aec0eb734e31d6e2f04028658597

Why flagged

What the scanner saw

Credential File Packaged: package/.env

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

18h agoLast checked

reviewRisk

14Score

0.0.3Version

Status history (1 event)

new → available18h ago · risk review · score 14 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential File Packaged	package/.env	package/.env	35
medium	Remote Dependency Spec	package.json	dependencies.hydrajs="git+https://gitlab.cee.redhat.com/redhataccess/hydrajs.git#1.2.9"	12

Manifest

Package metadata

Scripts11

buildrm -rf dist && webpack --config webpack-prod.js --bail --progress --profile && npm run build:server
build:devrm -rf dist && webpack --config webpack-dev.js --bail --progress --profile
build:server./node_modules/.bin/tsc server.ts --allowSyntheticDefaultImports true --esModuleInterop true --outDir dist
generate-translationnpm run build && react-gettext-parser --output messages.pot 'dist/assets/*.js'
startnode --max-http-header-size=32768 dist/server.js
start:devwebpack-dev-server --config webpack-dev.js --https --cert server.cert --key server.key --hot --inline & spandx
testnpm run test:unit && npm run test:snap
test:coveragejest -c jest.config.coverage.js || true
test:snapjest -c jest.config.snapshot.js
test:unitjest -c jest.config.unit.js
test:watchjest --watch

Dependencies34

@patternfly/patternfly^2.17.0
@patternfly/pfe-accordion^1.0.0-prerelease.10
@patternfly/pfelement^1.0.0-prerelease.14
@patternfly/react-core^3.38.1
@rh-support/api^0.0.3
@rh-support/types^0.0.3
@rh-support/utils^0.0.3
@types/marked^0.6.5
@types/react^16.8.23
@types/react-dom^16.8.5
@webcomponents/webcomponentsjs^2.2.10
abortcontroller-polyfill^1.3.0
compression^1.7.4
connect-history-api-fallback^1.6.0
downshift^3.2.7
es6-object-assign^1.1.0
express^4.17.0
hydrajsgit+https://gitlab.cee.redhat.com/redhataccess/hydrajs.git#1.2.9
i18next^17.0.1
js-markdown-extra^1.2.4
jsuri^1.3.1
lodash^4.17.14
marked^0.7.0
morgan^1.9.1
promise-polyfill^8.1.0
qs^6.7.0
react^16.8.6
react-bootstrap-typeahead^3.4.3
react-dom^16.8.6
react-dropzone^10.1.4
…and 4 more.