Package evidence

[email protected]

Credential file access: matched "AWS_ACCESS_KEY"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 500,807Ubiquitous · −70% score
Versions published: 6,271Mature · −50% score
First published: Jan 2017
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes2,762,084

Previous version43.227.1

Published2026-06-17T10:54:34.813Z

SHA-2561082b61d23011b11330cf8768ca92ea926d272b268355863deecb4d3c05b8919

Why flagged

What the scanner saw

Credential file access: matched "AWS_ACCESS_KEY"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

2h agoLast checked

reviewRisk

17Score

43.228.0Version

Status history (1 event)

new → available2h ago · risk review · score 17 · status changed

Evidence

Static findings

12 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 12 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Credential file access	package/dist/modules/platform/codecommit/codecommit-client.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/modules/manager/npm/detect.js	matched ".npmrc"	5
low	Credential file access	package/dist/workers/repository/update/branch/execute-post-upgrade-commands.js	matched ".npmrc"	5
low	Credential file access	package/dist/config/options/index.js	matched ".npmrc"	5
low	Credential file access	package/dist/modules/manager/npm/post-update/index.js	matched ".npmrc"	5
low	Credential file access	package/dist/workers/global/index.js	matched "AWS_SECRET_ACCESS_KEY"	5
low	Credential file access	package/dist/workers/repository/init/merge.js	matched ".npmrc"	5
low	Credential file access	package/dist/modules/manager/npm/post-update/npm.js	matched ".npmrc"	5
low	Credential file access	package/dist/modules/manager/npm/npmrc.js	matched ".npmrc"	5
low	Credential file access	package/dist/modules/datasource/maven/util.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/modules/manager/npm/utils.js	matched ".npmrc"	5
low	Credential file access	package/renovate-schema.json	matched ".npmrc"	3

Manifest

Package metadata

Scripts59

biomebiome check .
biome-cibiome check --reporter=github .
biome-fixbiome check --write .
buildrun-s clean 'generate:*' 'compile:*' create-json-schema
build:dockernode tools/docker.ts
build:docsnode tools/generate-docs.ts
checknode tools/check/index.ts
cleanrimraf dist tmp
clean-cachenode tools/clean-cache.mjs
compile:tstsdown
config-validatornode lib/config-validator.ts
create-json-schemanode tools/generate-schema.ts && prettier --write --cache 'renovate-schema.json' renovate-inherited-schema.json renovate-global-schema.json
debugnode --inspect-brk lib/renovate.ts
doc-fence-checknode tools/check-fenced-code.ts
doc-fixrun-s markdown-lint-fix prettier-fix
doc-fix-everythingrun-s doc-fix doc-fence-check lint-documentation
generaterun-s 'generate:*'
generate:importsnode tools/generate-imports.mjs
git-checknode tools/check-git-version.mjs
jestGIT_ALLOW_PROTOCOL=file GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_SYSTEM=/dev/null LOG_LEVEL=fatal vitest run --logHeapUsage
labels:checknode tools/sync-module-labels.ts && node tools/sync-org-issue-fields.ts
labels:show-commandsnode tools/sync-module-labels.ts --show-commands
lintrun-s ls-lint type-check oxlint biome prettier markdown-lint git-check doc-fence-check
lint-documentationvitest run --coverage false test/docs/**.spec.ts
lint-fixrun-s oxlint-fix biome-fix prettier-fix markdown-lint-fix
lint-othervitest run --coverage false test/other/**.spec.ts
ls-lintls-lint
markdown-lintmarkdownlint-cli2
markdown-lint-fixmarkdownlint-cli2 --fix
mkdocsnode tools/mkdocs.ts
…and 29 more.

Dependencies117

@aws-sdk/client-codecommit3.1053.0
@aws-sdk/client-ec23.1053.0
@aws-sdk/client-ecr3.1053.0
@aws-sdk/client-eks3.1053.0
@aws-sdk/client-rds3.1053.0
@aws-sdk/client-s33.1053.0
@aws-sdk/credential-providers3.1053.0
@baszalmstra/rattler0.2.1
@breejs/later4.2.0
@cdktf/hcl2json0.21.0
@opentelemetry/api1.9.1
@opentelemetry/context-async-hooks2.7.1
@opentelemetry/exporter-trace-otlp-http0.218.0
@opentelemetry/instrumentation0.218.0
@opentelemetry/instrumentation-bunyan0.63.0
@opentelemetry/instrumentation-http0.218.0
@opentelemetry/instrumentation-redis0.66.0
@opentelemetry/resource-detector-aws2.18.0
@opentelemetry/resource-detector-azure0.26.0
@opentelemetry/resource-detector-gcp0.53.0
@opentelemetry/resource-detector-github0.32.0
@opentelemetry/resources2.7.1
@opentelemetry/sdk-trace-base2.7.1
@opentelemetry/sdk-trace-node2.7.1
@opentelemetry/semantic-conventions1.41.1
@pnpm/parse-overrides1001.0.4
@qnighy/marshal0.1.3
@redis/client5.12.1
@renovatebot/detect-tools4.0.8
@renovatebot/good-enough-parser2.0.1
…and 87 more.

Optional dependencies2

openpgp6.3.1
re21.24.1