Package evidence

@zshr/[email protected]

Credential file access: matched "npm_token"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 1
First published: May 2026
Publisher: zshr

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@zshr/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@zshr/[email protected]"],"fail_on":"review"}'

Publisherzshr

Artifact bytes79,023

Previous versionnone

Published2026-05-29T08:50:04.688Z

SHA-256ef19efa4362c201714494af0dc11433bc618a7ad272b6058dfa6790f8e41d5e4

Why flagged

What the scanner saw

Credential file access: matched "npm_token"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

15d agoLast checked

reviewRisk

5Score

0.6.0Version

Status history (1 event)

new → available15d ago · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/publish-quick.sh	matched "npm_token"	5

Manifest

Package metadata

Scripts14

build:prodvue-cli-service build
build:stagevue-cli-service build --mode staging
devvue-cli-service serve
libvue-cli-service build --target lib --name EcComponents ./src/index.js
libAcevue-cli-service build --target lib --name EcAce --dest distAce ./src/aceIndex.js
libDesignvue-cli-service build --target lib --name EcDesign --dest distDesign ./src/designIndex.js
libEditorvue-cli-service build --target lib --name EcEditor --dest distEditor ./src/editorIndex.js
linteslint --ext .js,.vue src
newplop
previewnode build/index.js --preview
releasegit pull && yarn lib && standard-version -t @zshr/ecip-components\@ && git push --follow-tags origin dev && yarn publish --access public --non-interactive
svgosvgo -f src/icons/svg --config=src/icons/svgo.yml
test:cinpm run lint && npm run test:unit
test:unitjest --clearCache && vue-cli-service test:unit

Dependencies19

axios0.18.1
core-js^3.18.1
echarts4.2.1
element-ui2.13.2
moment^2.26.0
operation-tree-node1.0.5
pako^1.0.11
script-loader0.7.2
vue2.6.10
vue-color^2.8.1
vue-grid-layout^2.3.12
vue-ls^3.2.1
vue-router3.0.2
vue2-ace-editor^0.0.15
vuex3.1.0
vxe-table2.9.15
vxe-table-plugin-element1.8.9
vxe-table-plugin-virtual-tree0.3.1
xe-utils2.6.5