Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 692
- Versions published
- 10
- First published
- May 2026
- Publisher
- dswbx
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@supabase/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@supabase/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched ".aws"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 5 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/index.js | matched ".aws" | 5 |
Manifest
Package metadata
Scripts51
buildbun run build.tsbuild:allbun run build:static && bun run build.ts --types --minifybuild:staticvite buildcliLOCAL=1 bun src/cli/index.tsdebug:bunbun run --hot dev/debug.tsdebug:nodetsx --watch dev/debug.tsdevvitedev:bunbun run --hot dev/bun/bun.dev.tsdocs:generatebun run internal/extract.tsformatbiome format --write .lintbiome check --write .postpackbun run internal/package-readme.ts cleanupprepackbun run internal/package-readme.ts prepareprepublishOnlynpm whoami && bun run typecheck && bun run test && bun run build:all && bun run smoke:pack -- --no-buildrelease:canaryecho "PR previews publish through GitHub Actions > Preview Package using pkg.pr.new." && exit 1release:minorecho "Use GitHub Actions > Release with version_specifier=minor." && exit 1release:nextecho "Use GitHub Actions > Release Next from develop." && exit 1release:patchecho "Use GitHub Actions > Release with version_specifier=patch." && exit 1smoke:packbun run internal/smoke-pack.tstestbun test --bailtest:allbun run test:low && bun run vitest && bun run test:spec:status && bun run test:spec:auth && bun run test:spec:storagetest:coveragebun test --bail --coverage --coverage-reporter=text --coverage-reporter=lcovtest:gotrueGOTRUE_TEST_SUITE=1 bun test auth/gotrue-suite.postgres.test.tstest:lowbun run test/run-low-memory.tstest:phenotype:storagebun run test:spec:storage:postgrestest:postgrestbun test postgrest/suite/postgres.test.tstest:spec:analyzebun run test/supabase-spec/rest/analyze.tstest:spec:analyze:pglitebun run test/supabase-spec/rest/analyze.ts --backend=pglitetest:spec:analyze:postgresbun run test/supabase-spec/rest/analyze.ts --backend=postgrestest:spec:analyze:sqlitebun run test/supabase-spec/rest/analyze.ts --backend=sqlite- …and 21 more.
Dependencies17
@commander-js/extra-typings^14.0.0@electric-sql/pglite0.4.5@hono/node-server^1.19.9@sentry/node^10.51.0@supabase/pg-delta1.0.0-alpha.10@vercel/detect-agent^1.2.3bcryptjs^3.0.3chokidar^5.0.0commander^14.0.3dotenv^17.3.1kysely^0.28.11kysely-generic-sqlite^1.2.1kysely-postgres-js^3.0.0libpg-query17.7.3pgsql-deparser17.18.3pgsql-parser17.9.15uuid^13.0.0