Package evidence

@woocommerce/[email protected]

Credential File Packaged: package/.env

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 631
Versions published: 10Established · −30% score
First published: May 2020
Publisher: rrennick

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@woocommerce/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@woocommerce/[email protected]"],"fail_on":"high"}'

Publisherrrennick

Artifact bytes36,899

Previous version0.2.1

Published2021-05-19T18:27:17.005Z

SHA-25651f170c6445ed8d818939d2fe4945c89b87fff7160bae4bb83d3c4585952284c

Why flagged

What the scanner saw

Credential File Packaged: package/.env

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

21h agoLast checked

highRisk

49Score

0.2.2Version

Status history (1 event)

new → available21h ago · risk high · score 49 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential File Packaged	package/.env	package/.env	35
medium	Remote Payload	package/bin/install-wp-tests.sh	matched "curl "	12
medium	Remote Payload	package/bin/wait-for-build.sh	matched "curl "	12
medium	Remote Dependency Spec	package.json	dependencies.@automattic/puppeteer-utils="github:Automattic/puppeteer-utils#0f3ec50"	12

Manifest

Package metadata

Scripts12

buildnpm run clean && npm run compile
cleanrm -rf ./build ./build-module
compilenode ./../bin/build.js
docker:clear-alldocker rmi --force $(docker images -q)
docker:down./bin/docker-compose.sh down
docker:sshdocker exec -it $(node utils/get-app-name.js)_wordpress-www /bin/bash
docker:up./bin/docker-compose.sh up
install-wp-tests./bin/install-wp-tests.sh
preparenpm run build
test:e2ebash ./bin/wait-for-build.sh && ./bin/e2e-test-integration.js
test:e2e-debugbash ./bin/wait-for-build.sh && ./bin/e2e-test-integration.js --dev --debug
test:e2e-devbash ./bin/wait-for-build.sh && ./bin/e2e-test-integration.js --dev

Dependencies9

@automattic/puppeteer-utilsgithub:Automattic/puppeteer-utils#0f3ec50
@jest/test-sequencer^25.5.4
@slack/web-api^6.1.0
@wordpress/e2e-test-utils^4.15.0
@wordpress/jest-preset-default^6.4.0
app-root-path^3.0.0
jest^25.1.0
jest-each25.5.0
jest-puppeteer^4.4.0