Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,072Niche · −30% score
- Versions published
- 78
- First published
- Mar 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Credential file access: matched "id_rsa"
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 1 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Credential file access | package/dist/analyzers/securityCheck.js | matched "id_rsa" | 5 |
Manifest
Package metadata
Scripts21
benchnode scripts/bench.mjsbench:referencesnode scripts/bench-references.mjsbuildtsc && node scripts/copy-wasm.mjs && node scripts/generate-tool-manifest.mjscheck:graph-corpusnode scripts/check-graph-corpus.mjscheck:stabilitynode scripts/check-stability.mjsdevtsc --watchdocs:assetsnpm run docs:screenshots && npm run docs:demosdocs:demosnpm run build && node scripts/capture-vhs-demos.mjsdocs:screenshotsnode scripts/capture-readme-assets.mjsformatprettier --write .linteslint src/preparenpm run buildrelease:checknode scripts/release-check.mjssbom:generatenode scripts/generate-sbom.mjssecurity:release-gatenode scripts/release-gate.mjssmoke:packed-installnode scripts/packed-install-smoke.mjstestvitest run --exclude '.worktrees/**' --test-timeout 60000 --hook-timeout 60000 --maxWorkers 4test:trust-smokevitest run --exclude '.worktrees/**' tests/cli/privacyCheck.test.ts tests/cli/start.test.ts tests/cli/preflight.test.ts tests/mcp/start.test.ts tests/mcp/preflight.test.ts tests/mcp/fileChangedNotifications.test.ts tests/core/repositoryScanner.gitignore.test.ts tests/core/issueEngine.trustConfig.test.ts tests/utils/changedFiles.test.ts tests/core/auditRunner.offline.test.ts tests/core/upgradePreview.checkRegistry.test.ts tests/core/telemetry.test.ts tests/analyzers/securityCheck.test.ts --test-timeout 60000 --hook-timeout 60000test:watchvitest --exclude '.worktrees/**' --test-timeout 60000 --hook-timeout 60000typechecktsc --noEmittypecheck:public-typestsc -p tsconfig.public-types.json
Dependencies14
@babel/parser^7.29.2@babel/types^7.29.0chalk^5.3.0commander^12.1.0fast-glob^3.3.2ora^8.1.0tree-sitter-c-sharp^0.23.5tree-sitter-go^0.25.0tree-sitter-java^0.23.5tree-sitter-php^0.23.12tree-sitter-python^0.25.0tree-sitter-ruby^0.23.1tree-sitter-rust^0.23.3web-tree-sitter^0.26.8