Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 5,532Niche · −30% score
- Versions published
- 415Mature · −50% score
- First published
- Mar 2023
- Publisher
- devopsmobb
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential File Packaged: package/.env
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (2 events)
- available → available · risk high · score 25 · status available -> available, risk high -> high, score 50 -> 25
- new → available · risk high · score 50 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential File Packaged | package/.env | package/.env | 35 |
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential File Packaged | package/.env | package/.env | 35 |
| low | Credential file access | package/dist/index.mjs | matched ".npmrc" | 5 |
| low | Credential file access | package/dist/args/commands/upload_ai_blame.mjs | matched ".npmrc" | 5 |
| low | Install-time lifecycle script | package.json | postinstall="node ./src/post_install/cx_install.mjs" | 5 |
Manifest
Package metadata
Scripts40
buildtsc && tsup-node --env.NODE_ENV productionbuild:devtsup-node --env.NODE_ENV developmentcleanrm -rf builddebug:mcppnpm run build && node dist/index.mjs mcp --debugdev:mcppnpm run build && node dist/index.mjs mcpenvdotenv -e ./.envgeneratepnpm run env -- graphql-codegen -r dotenv/config --config client_codegen.tsincrement-version./src/scripts/increment-version.shlinteslint --cache --max-warnings 0 --ignore-path .eslintignore --ext .ts,.tsx,.jsx,.graphql .lint:fixeslint --fix --cache --max-warnings 0 --ignore-path .eslintignore --ext .js,.ts,.tsx,.jsx,.graphql . && prettier --write "src/**/*.graphql"lint:fix:fileseslint --fix --cache --max-warnings 0 --ignore-path .eslintignore --ext .js,.ts,.tsx,.jsx,.graphqlpostinstallnode ./src/post_install/cx_install.mjsprepackdotenv-vault pull production .env && pnpm buildtestpnpm run test:unit && pnpm run test:integrationtest:adoGIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run ado.testtest:cipnpm run test:unit:ci -- --coverage && pnpm run test:integration:ci -- --coveragetest:cli:mainGIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run cli-main.testtest:coverageGIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --coveragetest:e2ecd ./__e2e__ && npm i && npm run testtest:e2e:mcppnpm run build && cd ./__e2e__ && npm i && npm run test:mcptest:e2e:mcp:cipnpm run build && cd ./__e2e__ && npm i && npm run test:mcptest:githubGIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run github.testtest:github:repoGIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run github-repo.testtest:gitlabGIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run gitlab.testtest:integrationGIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --sequence.concurrent=false false __tests__/integration.test.tstest:integration:baseline-commitGIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --sequence.concurrent=false false __tests__/integration.baseline-commit.test.tstest:integration:baseline-commit:proxyGIT_PROXY_HOST=http://tinyproxy:8888 HTTP_PROXY=http://localhost:8888 API_URL=http://app-api:8080/v1/graphql TOKEN=$(../../scripts/login_auth0.sh) vitest run --bail=1 --sequence.concurrent=false false __tests__/integration.baseline-commit.test.tstest:integration:ciGIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --bail=1 --sequence.concurrent=false false __tests__/integration.test.tstest:integration:mcpGIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --sequence.concurrent=false false __tests__/integration.mcp.test.tstest:integration:mcp:ciGIT_PROXY_HOST=http://tinyproxy:8888 TOKEN=$(../../scripts/login_auth0.sh) vitest run --bail=1 --sequence.concurrent=false false __tests__/integration.mcp.test.ts- …and 10 more.
Dependencies56
@gitbeaker/requester-utils43.8.0@gitbeaker/rest43.8.0@grpc/grpc-js1.14.3@grpc/proto-loader0.8.0@modelcontextprotocol/sdk1.29.0@octokit/core5.2.0@octokit/request-error5.1.1@openredaction/openredaction1.0.4adm-zip0.5.17axios1.16.0azure-devops-node-api15.1.2bitbucket2.12.0chalk5.6.2chalk-animation2.0.3configstore7.1.0cross-fetch4.1.0debug4.4.3dotenv16.6.1extract-zip2.0.1fs-extra11.3.4globby14.1.0graphql16.13.2graphql-request6.1.0graphql-ws5.16.2hash-wasm4.12.0http-proxy-agent7.0.2https-proxy-agent7.0.6ignore7.0.5inquirer9.3.8isomorphic-ws5.0.0- …and 26 more.