Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 16
- Versions published
- 11
- First published
- Apr 2026
- Publisher
- avinash.s.karanth
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched "AWS_ACCESS_KEY"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 5 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/src/cli/init/generators.js | matched "AWS_ACCESS_KEY" | 5 |
Manifest
Package metadata
Scripts17
demo:clearnode -e "var fs=require('fs'),p=require('path'),d=p.join(__dirname,'demo');fs.existsSync(d)&&fs.rmSync(d,{recursive:true,force:true});fs.mkdirSync(d,{recursive:true})"demo:createnode scripts/demo-create.jsdevnodemon src/serve.jstestdotenv -e env/.env.default -- mocha --exittest:allmocha test/adapters/*.test.js test/properties/*.property.test.js test/function.test.js test/commands/*.test.js --timeout 300000 --exittest:cockroachdbdotenv -e env/.env.cockroachdb -- mocha test/adapters/cockroachdb.*.test.js --timeout 15000 --exittest:commandmocha test/commands/*.test.js --timeout 30000 --exittest:dynamodbdotenv -e env/.env.dynamodb -- mocha test/adapters/dynamodb.*.test.js test/properties/dynamodb.filter.property.test.js --timeout 15000 --exittest:kafkadotenv -e env/.env.kafka -- mocha test/kafka.test.js test/kafka.integration.test.js --timeout 30000 --exittest:mongodbdotenv -e env/.env.mongodb -- mocha test/adapters/mongodb.*.test.js test/properties/mongodb.filter.property.test.js --timeout 15000 --exittest:mssqldotenv -e env/.env.mssql -- mocha test/adapters/mssql.*.test.js --timeout 30000 --exittest:mysqldotenv -e env/.env.mysql -- mocha test/adapters/mysql.*.test.js test/properties/mysql.filter.property.test.js --timeout 15000 --exittest:oracledotenv -e env/.env.oracle -- mocha test/adapters/oracle.*.test.js test/properties/oracle.filter.property.test.js --timeout 30000 --exittest:postgresdotenv -e env/.env.postgres -- mocha test/adapters/postgres.*.test.js test/properties/postgres.filter.property.test.js --timeout 15000 --exittest:propertiesmocha test/properties/*.property.test.js --timeout 30000 --exittest:redisdotenv -e env/.env.redis -- mocha test/adapters/redis.*.test.js --timeout 15000 --exittest:sqlite3dotenv -e env/.env.sqlite3 -- mocha test/adapters/sqlite3.*.test.js test/properties/sqlite3.filter.property.test.js --timeout 15000 --exit
Dependencies5
dotenv^10.0.0ejs^5.0.2inquirer^8.2.6lodash^4.17.21node-input-validator^4.5.0