Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 459
- Versions published
- 1,223Mature · −50% score
- First published
- Feb 2021
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@woosmap/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@woosmap/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential File Packaged: package/.env
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 10 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential File Packaged | package/.env | package/.env | 35 |
Manifest
Package metadata
Scripts20
buildrimraf dist && NODE_ENV=production babel src --out-dir dist --copy-files --no-copy-ignored --ignore '**/*.stories.js,**/*.test.js,**/*.styl' && yarn build-cssbuild-cssstylus ./src/styles/style-console.styl -o dist && stylus ./src/styles/style-stories.styl -o distbuild-storybookstorybook build -s publiccoveragereact-scripts test --coverage --silent --ci --coverageReporters=text --coverageReporters=text-summary --watchAll=false --collectCoverageFrom=!src/**/*.stories.js --collectCoverageFrom=!src/**/*.jsondeploy-storybookstorybook-to-ghpagesextractbabel -f .babelrc 'src/components/**/*.{js,jsx,ts,tsx}'formatprettier --write "src/**/*.{js,jsx,ts,tsx,json,css,md}"format:checkprettier --check "src/**/*.{js,jsx,ts,tsx,json,css,md}"iconssvgo -f ./src/icons --config ./svgo-config.jslinteslint src --ext .js,.jsx --fixlint:checkeslint src --ext .js,.jsxprestorybook:devclear && echo "DOING FIRST TEST RUN" && CI=true npm run test:generate-outputpublish-npmyarn version --minor && npm publish --access=publicstartyarn stylus-dev && yarn storybook:devstorybookstorybook dev -p 9009 public -h localhoststorybook:devclear && concurrently -k "npm run storybook" "npm run test:generate-output"stylusstylus ./src/styles/style-console.styl -o dist/styles/devstylus-devstylus ./src/styles/style-console.styl -o dist/styles/dev && stylus ./src/styles/style-stories.styl -o dist/styles/devtestreact-scripts testtest:generate-outputreact-scripts test --json --outputFile=./.storybook/jest-test-results.json --silent
Dependencies19
@mapbox/polyline^1.2.1axios0.28.1classnames^2.5.1framer-motion^11.3.28google-map-react^2.2.1i18next^23.14.0moment^2.30.1numeral^2.0.6perfect-scrollbar^1.5.5prop-types^15.8.1react^18.3.1react-datetime^3.2.0react-dom^18.3.1react-laag^2.0.5react-select^5.10.0react-slider^2.0.6react-syntax-highlighter^15.5.0resize-observer-polyfill^1.5.1zxcvbn^4.4.2