Package evidence

[email protected]

Credential File Packaged: package/.env

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 481
Versions published: 37Mature · −50% score
First published: Dec 2024
Publisher: ellrohir

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisherellrohir

Artifact bytes11,442,208

Previous version0.5.3

Published2026-05-23T21:04:05.915Z

SHA-256f8f95ce55437bb7c065caca6e10ed4e0672ae06d2c64d026e927c0d7d2ded57e

Why flagged

What the scanner saw

Credential File Packaged: package/.env

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

7d agoLast checked

highRisk

17Score

0.6.0-rc.1Version

Status history (2 events)

available → available17d ago · risk high · score 17 · status available -> available, risk high -> high, score 29 -> 17
new → available20d ago · risk high · score 29 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential File Packaged	package/.env	package/.env	35

Show all 3 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Credential File Packaged	package/.env	package/.env	35
low	Obfuscation Density	package/.output/server/chunks/_/prompt.mjs	high encoded/escaped-token density	0
low	Obfuscation Density	package/.output/server/chunks/build/server.mjs	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts13

analyzenuxt analyze
buildcd ../docs && pnpm test && pnpm build && cd ../core && pnpm test-unit && nuxt build
devcross-env CONSOLA_LEVEL=4 nuxt dev
eslinteslint .
generatenuxt generate
previewnuxt preview
startnuxt start
testvitest run
test-e2evitest run e2e
test-ivitest
test-uvitest run -u
test-unitvitest run unit
test:typesvue-tsc --noEmit

Dependencies18

@nuxt-ignis/content0.0.66
@nuxt-ignis/db0.0.19
@nuxt-ignis/default0.0.19
@nuxt-ignis/forms0.0.23
@nuxt-ignis/ui0.0.18
@nuxt-ignis/utils0.0.14
@nuxt-ignis/validation0.0.17
@nuxt/eslint1.15.2
consola3.4.2
cross-env^10.1.0
date-fns4.1.0
defu6.1.7
elrh-cosca0.3.5
nuxt4.4.6
nuxt-spec0.2.2
typescript6.0.3
vue3.5.34
vue-router5.0.7