PkgRadar

Package evidence

[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release's score when public reputation argues against novel malware. The verdict above already reflects these discounts; this panel only explains which ones were applied.

Weekly downloads: 31
Versions published: 23 (Established · −30% score)
First published: Nov 2025
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
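The discount rule in the panel above (take the largest applicable signal, never the sum, and drop it entirely when the install-lifecycle scripts differ from the previous release) is small enough to reproduce. The following is an added example, not PkgRadar's code: the percentages and signal names are the ones shown on this page, but the threshold for "Established", the set of trusted publishers, the list of hook names and the truncating rounding are assumptions chosen so that the page's own numbers (four findings worth 25 points, a 70% discount, a score of 7) come out the same.

```python
# Added example (not PkgRadar's scoring code). Reproduces "max across
# signals, discounts don't stack, lifecycle delta clears the discount".
# Thresholds, publisher list, hook names and rounding are assumptions.
from dataclasses import dataclass, field


@dataclass
class Release:
    versions_published: int
    publisher: str
    # package.json scripts of this release and of the previous one
    scripts: dict = field(default_factory=dict)
    previous_scripts: dict = field(default_factory=dict)


ESTABLISHED_MIN_VERSIONS = 20                 # assumption
TRUSTED_PUBLISHERS = {"GitHub Actions"}       # assumption: "Trusted automation"
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")  # assumption


def trust_signals(rel: Release) -> dict[str, float]:
    """Each applicable reputation signal and the score discount it carries."""
    signals = {}
    if rel.versions_published >= ESTABLISHED_MIN_VERSIONS:
        signals["Established"] = 0.30
    if rel.publisher in TRUSTED_PUBLISHERS:
        signals["Trusted automation"] = 0.70
    return signals


def lifecycle_delta(rel: Release) -> bool:
    """True when an install-lifecycle hook was added, removed or edited."""
    cur = {k: v for k, v in rel.scripts.items() if k in LIFECYCLE_HOOKS}
    prev = {k: v for k, v in rel.previous_scripts.items() if k in LIFECYCLE_HOOKS}
    return cur != prev


def effective_discount(rel: Release) -> float:
    """Largest single signal (no stacking); zero if install hooks changed."""
    if lifecycle_delta(rel):
        return 0.0
    return max(trust_signals(rel).values(), default=0.0)


def score(findings_points: list[int], rel: Release) -> int:
    """Raw finding points reduced by the effective discount, truncated."""
    raw = sum(findings_points)
    return int(raw * (1 - effective_discount(rel)))


# Constructed input mirroring this page: 23 versions, published by GitHub
# Actions, the only hook-named script ("prepare") unchanged since 5.13.5.
PREPARE = "[ \"$CI\" = \"true\" ] && echo 'Skipping Husky in CI' || husky"
page = Release(23, "GitHub Actions", {"prepare": PREPARE}, {"prepare": PREPARE})
points = [10, 5, 5, 5]          # the four static findings on this page

# Same findings, but a postinstall hook appears compared with the previous release.
changed = Release(23, "GitHub Actions", {"postinstall": "node setup.js"}, {"prepare": PREPARE})

if __name__ == "__main__":
    print(trust_signals(page))       # {'Established': 0.3, 'Trusted automation': 0.7}
    print(effective_discount(page))  # 0.7
    print(score(points, page))       # 7
    print(score(points, changed))    # 25
```

The point of the second release object is the caveat a reviewer should keep in mind: the 70% discount is reputation, not evidence. The moment a release wires code into an install hook, the same four findings score 25 instead of 7, so a diff of the lifecycle scripts against 5.13.5 is the first thing to read.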

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl:

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Artifact bytes: 201,257
Previous version: 5.13.5
Published: 2026-05-07T01:49:13.614Z
SHA-256: b956c91439cf5aedaffefbed1123f4d4f1bb79859036a59e391ef8cc4de4e436

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
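Because the scanner only looked at bytes on disk, the practitioner's follow-up is to do the same on the real artifact and then decide whether the flagged code is reachable at install time. The block below is an added example, not PkgRadar's scanner: it builds a small constructed tarball, checks its SHA-256 against an expected digest (the page's digest in the Package evidence section is assumed to be over the tarball bytes), greps every file for the two strings the page reports, and cross-references the manifest's install hooks. The severity rule (medium when a file is named in a package.json script, low otherwise) and the hook list are assumptions that happen to reproduce the page's four rows; they are not PkgRadar's documented logic.

```python
# Added example (not PkgRadar's scanner). Verifies an npm tarball digest,
# greps members for credential strings and checks install-hook reachability.
# The tarball is constructed below; severity rule and hook list are assumptions.
import hashlib
import io
import json
import re
import tarfile

CREDENTIAL_PATTERNS = {
    ".npmrc": re.compile(r"\.npmrc"),
    "GITHUB_TOKEN": re.compile(r"GITHUB_TOKEN"),
}
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")  # assumption


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Compare the artifact bytes with the SHA-256 printed on the evidence page."""
    return sha256_hex(data) == expected_hex.lower()


def read_members(data: bytes) -> dict[str, str]:
    """Map member path -> text for every regular file in a .tgz."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile():
                out[m.name] = tf.extractfile(m).read().decode("utf-8", "replace")
    return out


def scan(data: bytes) -> list[dict]:
    """Static findings in the page's shape, plus whether an install hook reaches the file."""
    files = read_members(data)
    scripts = json.loads(files.get("package/package.json", "{}")).get("scripts", {})
    findings = []
    for path, text in sorted(files.items()):
        if path.endswith(".json"):
            continue
        rel = path[len("package/"):]
        referenced = any(rel in cmd for cmd in scripts.values())
        install_reachable = any(rel in scripts.get(h, "") for h in INSTALL_HOOKS)
        for name, rx in CREDENTIAL_PATTERNS.items():
            if rx.search(text):
                findings.append({
                    "kind": "Credential file access",
                    "path": path,
                    "detail": f'matched "{name}"',
                    "severity": "medium" if referenced else "low",
                    "points": 10 if referenced else 5,
                    "install_reachable": install_reachable,
                })
    return findings


def build_tarball(files: dict[str, str]) -> bytes:
    """Constructed sample package; not the real 5.13.6 artifact."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


SAMPLE = build_tarball({
    "package/package.json": json.dumps({
        "name": "sample", "version": "5.13.6",
        "scripts": {"setup": "node setup.js", "prepare": "husky"}}),
    "package/setup.js": "const rc = path.join(os.homedir(), '.npmrc');\n",
    "package/lib/github-api.js": "const token = process.env.GITHUB_TOKEN;\n",
    "package/lib/commands/dry-run.js": "// would write .npmrc here\n",
})

if __name__ == "__main__":
    print(verify_digest(SAMPLE, sha256_hex(SAMPLE)))   # True
    for f in scan(SAMPLE):
        print(f)
```

For the real release, `npm pack <name>@5.13.6` writes the registry tarball to disk; pass its bytes and the page's SHA-256 to verify_digest before trusting any of the rows. On the manifest visible on this page, setup.js is wired to the `setup` and `security:config` scripts, and the only hook-named script is `prepare`, which npm runs for local checkouts and git dependencies rather than for a tarball installed from the registry; the 22 scripts the page does not show still need the same check.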

Availability ledger

Availability: available
Risk: review
Score: 7
Version: 5.13.6
Last checked: (not captured)
Status history (1 event)
  1. new → available · risk review · score 7 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

Severity  Kind                    Path                             Detail                  Points
medium    Credential file access  package/setup.js                 matched ".npmrc"        10
low       Credential file access  package/lib/commands/deps.js     matched "GITHUB_TOKEN"  5
low       Credential file access  package/lib/commands/dry-run.js  matched ".npmrc"        5
low       Credential file access  package/lib/github-api.js        matched "GITHUB_TOKEN"  5

Manifest

Package metadata

Scripts (52)
  • "coverage": npm run test:coverage && echo ' Coverage report generated in coverage/index.html'
  • "dead-code": knip --no-exit-code || echo "Dead code found (non-blocking)"
  • "dead-code:strict": knip
  • "docs:check": bash scripts/check-docs.sh
  • "format": prettier --write .
  • "format:check": prettier --check .
  • "git:sync": bash .github/git-sync.sh
  • "license:check": license-checker --onlyAllow "MIT;ISC;BSD-2-Clause;BSD-3-Clause;Apache-2.0;0BSD;BlueOak-1.0.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Unlicense;Python-2.0;MPL-2.0" --excludePrivatePackages
  • "lighthouse:ci": lhci autorun
  • "lighthouse:upload": lhci upload
  • "lint": eslint . && stylelint "**/*.{css,scss,sass,less,pcss}" --allow-empty-input
  • "lint:fix": eslint . --fix && stylelint "**/*.{css,scss,sass,less,pcss}" --fix --allow-empty-input
  • "pattern-check": bash scripts/pattern-check.sh
  • "prepare": [ "$CI" = "true" ] && echo 'Skipping Husky in CI' || husky
  • "prerelease": npm run docs:check && npm run test:patterns && npm test && npm run test:commands && npm run test:e2e
  • "quality:check": npm run type-check:all && npm run lint && npm run test
  • "quality:ci": npm run quality:check && npm run security:audit
  • "release:major": npm version major && git push --follow-tags
  • "release:minor": npm version minor && git push --follow-tags
  • "release:patch": npm version patch && git push --follow-tags
  • "security:audit": npm audit --audit-level high
  • "security:config": node setup.js --security-config
  • "security:scan": bash scripts/run-semgrep.sh
  • "security:scan:ci": bash scripts/run-semgrep.sh --ci
  • "security:secrets": node -e "const fs=require('fs');const content=fs.readFileSync('package.json','utf8');if(/[\"\'][a-zA-Z0-9+/]{20,}[\"\']/.test(content)){console.error('❌ Potential hardcoded secrets in package.json');process.exit(1)}else{console.log('✅ No secrets detected in package.json')}"
  • "setup": node setup.js
  • "size": size-limit
  • "size:why": size-limit --why
  • "test": export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/integration.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/parallel-validation.test.js && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/template-loader.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/deps-edge-cases.test.js && node tests/real-world-packages.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/real-purchase-flow.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/analyze-ci-integration.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/project-maturity-cli.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/gitleaks-real-binary-test.js && node tests/tier-enforcement.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js && node tests/consumer-workflow-integration.test.js && node tests/esm-project-support.test.js && node tests/blob-storage.test.js
  • "test:a11y": vitest run tests/accessibility.test.js
  • …and 22 more.
Dependencies (8)
  • "@buildproven/license-core": ^1.0.2
  • "@npmcli/package-json": ^7.0.4
  • "ajv": ^8.17.1
  • "ajv-formats": ^3.0.1
  • "js-yaml": ^4.1.0
  • "markdownlint-cli2": ^0.21.0
  • "ora": ^8.1.1
  • "tar": ^7.5.7