Package evidence

[email protected]

Credential file access: matched ".aws/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 341Mature · −50% score
First published: Apr 2021
Publisher: cdklabs-automation

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publishercdklabs-automation

Artifact bytes24,136,057

Previous version3.2.2

Published2025-03-13T14:19:27.468Z

SHA-2569a1f7cf1167e663f108100b4c7b0caf54b3e354794d0636d6bd616a014db260c

Why flagged

What the scanner saw

Credential file access: matched ".aws/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

29h agoLast checked

reviewRisk

1Score

3.3.0Version

Status history (1 event)

new → available29h ago · risk review · score 1 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/lib/index.js	matched ".aws/"	5

Manifest

Package metadata

Scripts31

buildnpx projen build
bumpnpx projen bump
clobbernpx projen clobber
compatnpx projen compat
compilenpx projen compile
defaultnpx projen default
docgennpx projen docgen
ejectnpx projen eject
eslintnpx projen eslint
integnpx projen integ
integ:updatenpx projen integ:update
packagenpx projen package
package-allnpx projen package-all
package:dotnetnpx projen package:dotnet
package:gonpx projen package:go
package:javanpx projen package:java
package:jsnpx projen package:js
package:pythonnpx projen package:python
post-compilenpx projen post-compile
post-upgradenpx projen post-upgrade
pre-compilenpx projen pre-compile
projennpx projen
releasenpx projen release
rosetta:extractnpx projen rosetta:extract
testnpx projen test
test:watchnpx projen test:watch
unbumpnpx projen unbump
upgradenpx projen upgrade
upgrade-cdklabs-projen-project-typesnpx projen upgrade-cdklabs-projen-project-types
upgrade-dev-depsnpx projen upgrade-dev-deps
…and 1 more.

Dependencies2

got^11.8.6
hpagent^0.1.2