PkgRadar

Package evidence

[email protected]

Credential file access: matched ".ssh/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
102Established · −30% score
First published
Sep 2025
Publisher
rivet-design

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherrivet-design
Artifact bytes1,618,816
Previous version0.11.6
Published2026-06-17T16:01:51.935Z
SHA-2565037cf5ff07ba22a860323562b6758659dd1543695787542452b45c1d089b85b

Why flagged

What the scanner saw

Credential file access: matched ".ssh/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
0.11.7Version
Status history (1 event)
  1. newavailable · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/services/StaticPreviewServer.jsmatched ".ssh/"5

Manifest

Package metadata

Scripts35
  • benchtsx benchmarks/bench.ts
  • bench:listtsx benchmarks/list.ts
  • bench:reviewtsx benchmarks/review/server.ts
  • bench:runtsx benchmarks/runner.ts
  • buildtsc && npm run build:assets && npm run build:ui && npm run build:bin
  • build-storybook:uiyarn workspace @rivet/ui build-storybook
  • build:assetsmkdir -p dist/services/templates/designmd && cp src/services/templates/designmd/*.md dist/services/templates/designmd/
  • build:binmkdir -p bin && cp src/bin-template.js bin/rivet.js && chmod +x bin/rivet.js
  • build:uicd src/ui && vite build
  • check:pre-commitnpx lint-staged && yarn build && cd src/ui && yarn typecheck && cd ../.. && cd src/proxy && yarn build && cd ../.. && cd desktop/renderer && yarn build && cd ../..
  • check:pre-pushyarn test
  • cleanrm -rf dist src/ui/dist bin
  • deadcodeknip
  • deadcode:fixknip --fix
  • deploy:supabase:functionsbash scripts/deploy-supabase-functions.sh
  • desktopyarn build && cd desktop && yarn dev
  • devtsc --watch
  • docs:syncnode scripts/sync-external-docs.js
  • formatprettier --write .
  • format:checkprettier --check .
  • linteslint . --ext ts,tsx,js,jsx
  • lint:fixeslint . --ext ts,tsx,js,jsx --fix
  • packnpm run build && npm pack
  • pack:verifynpm run pack && tar -tzf rivet-design-*.tgz | sort && echo ' ✓ Package contents listed above'
  • postpublishgit checkout README.md
  • preparehusky
  • prepublishOnlygit rev-parse --abbrev-ref HEAD | grep -qx main || (echo 'ERROR: npm publish must be run from the main branch' && exit 1) && cp README.npm.md README.md && npm run build || (git checkout README.md && exit 1)
  • ratchettsx scripts/ratchet.ts
  • smoke:mcpnode scripts/smoke-mcp-tools.mjs
  • start:hosted-demonode dist/hosted-demo.js
  • …and 5 more.
Dependencies52
  • @anthropic-ai/claude-agent-sdk^0.1.42
  • @contextcompany/claude^1.0.0
  • @modelcontextprotocol/sdk1.27.1
  • @phosphor-icons/react^2.1.10
  • @radix-ui/react-accordion^1.2.11
  • @radix-ui/react-popover^1.1.15
  • @radix-ui/react-select^2.2.6
  • @radix-ui/react-tabs^1.1.13
  • @radix-ui/react-toast^1.2.14
  • @radix-ui/react-tooltip^1.2.8
  • @react-aria/color^3.1.2
  • @react-aria/focus^3.21.2
  • @react-aria/i18n^3.12.13
  • @react-stately/color^3.9.2
  • @sentry/node10.44.0
  • @types/cors^2.8.19
  • @types/express^5.0.3
  • @types/node^25.4.0
  • @types/react^18.2.43
  • @types/react-dom^18.2.17
  • @vitejs/plugin-react^4.2.1
  • autoprefixer^10.4.16
  • bippy^0.5.8
  • chroma-js^3.2.0
  • class-variance-authority^0.7.1
  • clsx^2.1.1
  • cors^2.8.5
  • dotenv^17.4.2
  • express^5.2.1
  • glob^11.0.3
  • …and 22 more.