Package evidence

@woocommerce/[email protected]

Credential File Packaged: package/.env

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 631
Versions published: 10Established · −30% score
First published: May 2020
Publisher: rrennick

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@woocommerce/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@woocommerce/[email protected]"],"fail_on":"high"}'

Publisherrrennick

Artifact bytes60,040

Previous version0.2.3

Published2022-02-03T20:39:49.707Z

SHA-2568c8937dd44b17fcf64a8560b56761a94640840ffd4d7805085e2df6bf529783a

Why flagged

What the scanner saw

Credential File Packaged: package/.env

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

21h agoLast checked

highRisk

41Score

0.3.0Version

Status history (1 event)

new → available21h ago · risk high · score 41 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential File Packaged	package/.env	package/.env	35
medium	Remote Payload	package/bin/wait-for-build.sh	matched "curl "	12
medium	Remote Dependency Spec	package.json	dependencies.@automattic/puppeteer-utils="github:Automattic/puppeteer-utils#0f3ec50"	12

Manifest

Package metadata

Scripts11

buildpnpm run clean && pnpm run compile
cleanrm -rf ./build ./build-module
compilenode ./../bin/build.js
docker:clear-alldocker rmi --force $(docker images -q)
docker:down./bin/docker-compose.sh down
docker:sshdocker exec -it $(node utils/get-app-name.js)_wordpress-www /bin/bash
docker:up./bin/docker-compose.sh up
linteslint src
test:e2ebash ./bin/wait-for-build.sh && ./bin/e2e-test-integration.js
test:e2e-debugbash ./bin/wait-for-build.sh && ./bin/e2e-test-integration.js --dev --debug
test:e2e-devbash ./bin/wait-for-build.sh && ./bin/e2e-test-integration.js --dev

Dependencies18

@automattic/puppeteer-utilsgithub:Automattic/puppeteer-utils#0f3ec50
@jest/test-sequencer^25.5.4
@slack/web-api^6.1.0
@woocommerce/api^0.2.0
@wordpress/e2e-test-utils^4.16.1
@wordpress/jest-preset-default^7.1.3
app-root-path^3.0.0
commander4.1.1
config3.3.3
jest^25.1.0
jest-circus25.1.0
jest-each25.5.0
jest-puppeteer^4.4.0
node-stream-zip^1.13.6
puppeteer2.1.1
readline-sync^1.4.10
request^2.88.2
sprintf-js^1.1.2