Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published: 86
- First published: Apr 2026
- Publisher: atrouw
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer $PKGRADAR_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@xylabs/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

    - name: PkgRadar gate
      run: |
        curl -fsS https://pkgradar.com/gate/npm \
          -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
          -H "Content-Type: application/json" \
          -d '{"specs":["@xylabs/[email protected]"],"fail_on":"review"}'

Why flagged
What the scanner saw
Credential file access: matched ".npmrc"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 50 · status changed
Evidence
Static findings
37 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Credential file access | package/dist/lib/updo/fetchRegistryInfo.mjs | matched ".npmrc" | 10 |
| medium | Credential file access | package/dist/lib/updo/index.mjs | matched ".npmrc" | 10 |
| low | Credential file access | package/dist/actions/build.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/build/buildCommand.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/common/checkCommand.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/actions/compile.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/build/compileCommand.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/actions/packman/convert.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/actions/packman/convertToPnpm.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/actions/packman/convertToYarn.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/lint/cycleCommand.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/actions/incremental.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/actions/index.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/actions/packman/index.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/index.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/lib/index.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/lib/pnpmConfig/index.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/build/index.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/common/index.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/index.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/install/index.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/lint/index.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/lint/lint/index.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/actions/lint.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/lint/lintCommand.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/common/packmanCommand.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/actions/publint.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/lint/publintCommand.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/lib/pnpmConfig/readMinReleaseAge.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/actions/recompile.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/build/recompileCommand.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/lint/lint/runCommand.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/lib/updo/runUpdo.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/actions/updo.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/install/updoCommand.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/bin/xy.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/xy/xy.mjs | matched ".npmrc" | 5 |
Manifest
Package metadata
Scripts (4)
- package-clean: echo Not cleaning...
- package-compile: node scripts/packageCompile.mjs
- package-recompile: node scripts/packageCompile.mjs
- update-latest-versions: tsx scripts/updateLatestVersions.ts
Dependencies (18)
- @inquirer/core ~11.2.1
- @types/node ^25.9.2
- chalk ~5.6.2
- cosmiconfig ~9.0.2
- cosmiconfig-typescript-loader ~6.3.0
- cross-spawn ~7.0.6
- esbuild ^0.28.0
- find-up ~8.0.0
- get-tsconfig ~4.14.0
- glob ~13.0.6
- license-checker-rseidelsohn ~5.0.1
- minimatch ^10.2.5
- publint ~0.3.21
- semver ~7.8.3
- sort-package-json ~4.0.0
- source-map-explorer ~2.5.3
- yaml ~2.9.0
- yargs ~18.0.0