PkgRadar

Package evidence

[email protected]

Credential file access: matched ".aws\\"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
414Mature · −50% score
First published
May 2023
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes5,869,429
Previous version0.121.15
Published2026-06-16T15:21:36.243Z
SHA-256152247637db3248050e91311b347d800beb24dd19f98beeebf24ce7f0f9a93ed

Why flagged

What the scanner saw

Credential file access: matched ".aws\\"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
18Score
0.121.16Version
Status history (1 event)
  1. newavailable · risk review · score 18 · status changed

Evidence

Static findings

13 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 13 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/src/graders-CFH3vIXs.cjsmatched ".aws\\"5
lowCredential file accesspackage/dist/src/live-BK0wf_rZ.cjsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/src/util-BnWPjflW.cjsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/src/graders-BGwfaK_S.jsmatched ".aws\\"5
lowCredential file accesspackage/dist/src/graders-C-Kat4ka.jsmatched ".aws\\"5
lowCredential file accesspackage/dist/src/graders-lcHSCmgL.jsmatched ".aws\\"5
lowCredential file accesspackage/dist/src/live-_dSxGc5x.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/src/live-BDrqRvKB.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/src/live-COBJmPFv.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/src/util-BeTR7FpD.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/src/util-CtDOSWRi2.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowCredential file accesspackage/dist/src/util-DPVC09ml.jsmatched "GOOGLE_APPLICATION_CREDENTIALS"5
lowLarge Javascript Payloadpackage/dist/src/app/assets/index-Ds4vCZJ5.js2278876 bytes0

Manifest

Package metadata

Scripts57
  • architecture:baselinetsx scripts/regenerateEdgeBaseline.ts
  • architecture:checktsx scripts/checkArchitectureBoundaries.ts
  • audit:fixnpm audit fix && npm audit fix --prefix src/app && npm audit fix --prefix site
  • bindist/src/entrypoint.js
  • buildconcurrently -g --kill-others-on-fail "npm run tsc" "NODE_OPTIONS='--max-old-space-size=8192' tsdown" "npm run build:app"
  • build:appnpm run build --prefix src/app
  • build:cleanshx rm -rf dist
  • build:watchNODE_OPTIONS='--max-old-space-size=8192' tsdown --watch
  • changelog:releasenode scripts/update-changelog-version.cjs
  • check:typescript-coveragetsx scripts/checkTypeScriptCoverage.ts
  • citation:generatetsx scripts/generateCitation.ts
  • db:generatenpx drizzle-kit generate
  • db:migratetsx src/migrate.ts
  • db:studionpx drizzle-kit studio
  • depcheckdepcheck --ignores="@types/*,@biomejs/biome,prettier,shx,concurrently,madge,knip,vite,typescript,tshy,gcp-metadata,@opencode-ai/sdk,@actions/core,@actions/exec,@actions/github,@octokit/rest,nock,@vitest/coverage-v8,langium,block-no-verify" --ignore-dirs="dist,site,examples"
  • deps:ownershiptsx scripts/reportDependencyOwnership.ts
  • devconcurrently "npm run dev:server" "npm run dev:app"
  • dev:appnpm run dev --prefix src/app
  • dev:servertsx watch src/server/index.ts
  • fgit diff --name-only --diff-filter=ACMRTUXB origin/main | grep -E '\.(js|jsx|mjs|cjs|ts|tsx|json)$' | xargs npx @biomejs/biome check --write && git diff --name-only --diff-filter=ACMRTUXB origin/main | grep -E '\.(css|scss|html|md|mdc|mdx|yaml|yml)$' | xargs prettier --write
  • formatnpx @biomejs/biome check --write . && prettier --write '**/*.{css,scss,html,md,mdc,mdx,yaml,yml}'
  • format:checknpx @biomejs/biome check && prettier --check '**/*.{css,scss,html,md,mdc,mdx,yaml,yml}'
  • format:check:prettierprettier --check '**/*.{css,scss,html,md,mdc,mdx,yaml,yml}'
  • jsonSchema:generatenpx -y tsx scripts/generateJsonSchema.ts > site/static/config-schema.json && npx @biomejs/biome format --write site/static/config-schema.json
  • knipknip
  • lgit diff --name-only --diff-filter=ACMRTUXB origin/main | grep -E '\.(js|ts|tsx)$' | xargs npx @biomejs/biome lint --write
  • lintnpm run lint:src
  • lint:cinpx @biomejs/biome ci .
  • lint:sitenpx @biomejs/biome lint site
  • lint:srcnpx @biomejs/biome lint src
  • …and 27 more.
Dependencies78
  • @anthropic-ai/sdk0.101.0
  • @apidevtools/json-schema-ref-parser^15.3.1
  • @inquirer/checkbox^5.1.0
  • @inquirer/confirm^6.0.8
  • @inquirer/core^11.1.5
  • @inquirer/editor^5.0.8
  • @inquirer/input^5.0.8
  • @inquirer/search^4.1.8
  • @inquirer/select^5.1.0
  • @libsql/client^0.17.3
  • @opentelemetry/api^1.9.0
  • @opentelemetry/core2.8.0
  • @opentelemetry/exporter-trace-otlp-http^0.218.0
  • @opentelemetry/resources^2.6.0
  • @opentelemetry/sdk-trace-base^2.6.0
  • @opentelemetry/sdk-trace-node^2.6.0
  • @opentelemetry/semantic-conventions^1.40.0
  • @types/ws^8.18.1
  • ai^6.0.190
  • ajv^8.18.0
  • ajv-formats^3.0.1
  • async^3.2.6
  • binary-extensions^3.1.0
  • cache-manager^7.2.8
  • chalk^5.6.2
  • chokidar5.0.0
  • cli-progress^3.12.0
  • cli-table3^0.6.5
  • commander^14.0.3
  • compression^1.8.1
  • …and 48 more.
Optional dependencies43
  • @anthropic-ai/claude-agent-sdk0.3.167
  • @aws-sdk/client-bedrock-agent-runtime^3.1045.0
  • @aws-sdk/client-bedrock-runtime^3.1045.0
  • @aws-sdk/client-s3^3.1003.0
  • @aws-sdk/client-sagemaker-runtime^3.1045.0
  • @aws-sdk/credential-provider-sso^3.972.16
  • @azure/ai-projects^2.1.1
  • @azure/identity^4.13.0
  • @azure/msal-node^5.2.0
  • @azure/openai-assistants^1.0.0-beta.6
  • @azure/storage-blob^12.31.0
  • @fal-ai/client~1.10.1
  • @googleapis/sheets^13.0.1
  • @huggingface/transformers^4.0.0
  • @ibm-cloud/watsonx-ai^1.7.13
  • @ibm-generative-ai/node-sdk^3.2.4
  • @modelcontextprotocol/sdk^1.29.0
  • @openai/agents^0.11.3
  • @openai/codex-sdk^0.130.0
  • @opencode-ai/sdk^1.14.33
  • @playwright/browser-chromium^1.60.0
  • @rollup/rollup-linux-x64-gnu^4.61.0
  • @slack/web-api^7.15.2
  • @smithy/node-http-handler^4.4.14
  • @swc/core^1.15.18
  • @swc/core-darwin-arm64^1.15.18
  • @swc/core-darwin-x64^1.15.18
  • @swc/core-linux-x64-gnu^1.15.18
  • @swc/core-linux-x64-musl^1.15.18
  • @swc/core-win32-x64-msvc^1.15.18
  • …and 13 more.