PkgRadar

Package evidence

[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
88
First published
Jan 2026
Publisher
nrslib

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishernrslib
Artifact bytes1,276,083
Previous version0.41.0
Published2026-05-20T05:14:14.130Z
SHA-256a2878a3851fe6ecfc315f2334552a38b0c128476bda4d1c488715cef53327b8e

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
5Score
0.42.0Version
Status history (1 event)
  1. newavailable · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/dist/features/interactive/assistantInitFiles.jsmatched ".npmrc"5

Manifest

Package metadata

Scripts20
  • buildtsc && mkdir -p dist/shared/prompts/en dist/shared/prompts/ja dist/shared/i18n dist/core/runtime/presets && cp src/shared/prompts/en/*.md dist/shared/prompts/en/ && cp src/shared/prompts/ja/*.md dist/shared/prompts/ja/ && cp src/shared/i18n/labels_en.yaml src/shared/i18n/labels_ja.yaml dist/shared/i18n/ && cp src/core/runtime/presets/*.sh dist/core/runtime/presets/
  • check:releasenpm run build && npm run lint && npm run test && npm run test:e2e:all; code=$?; if [ "$code" -eq 0 ]; then msg='check:release passed'; else msg="check:release failed (exit=$code)"; fi; if command -v osascript >/dev/null 2>&1; then osascript -e "display notification \"$msg\" with title \"takt\" subtitle \"Release Check\"" >/dev/null 2>&1 || true; fi; echo "[takt] $msg"; exit $code
  • linteslint src/
  • prepublishOnlynpm run lint && npm run build && npm run test
  • testvitest run
  • test:e2etmp="$(mktemp -t takt-e2e.XXXXXX)"; npm run test:e2e:mock >"$tmp" 2>&1; code=$?; cat "$tmp"; if grep -q "error connecting to api.github.com" "$tmp"; then echo "[takt] GitHub connectivity error detected in E2E output"; code=1; fi; rm -f "$tmp"; if [ "$code" -eq 0 ]; then msg='test:e2e passed'; else msg="test:e2e failed (exit=$code)"; fi; if command -v osascript >/dev/null 2>&1; then osascript -e "display notification \"$msg\" with title \"takt\" subtitle \"E2E\"" >/dev/null 2>&1 || true; fi; echo "[takt] $msg"; exit $code
  • test:e2e:allnpm run test:e2e:mock && npm run test:e2e:provider
  • test:e2e:claudenpm run test:e2e:provider:claude
  • test:e2e:codexnpm run test:e2e:provider:codex
  • test:e2e:cursornpm run test:e2e:provider:cursor
  • test:e2e:mockTAKT_E2E_PROVIDER=mock vitest run --config vitest.config.e2e.mock.ts --outputFile.json=e2e/results/mock.json
  • test:e2e:opencodenpm run test:e2e:provider:opencode
  • test:e2e:providernpm run test:e2e:provider:claude && npm run test:e2e:provider:claude-sdk && npm run test:e2e:provider:codex && npm run test:e2e:provider:opencode
  • test:e2e:provider:claudeTAKT_E2E_PROVIDER=claude vitest run --config vitest.config.e2e.provider.ts --outputFile.json=e2e/results/claude.json
  • test:e2e:provider:claude-sdkTAKT_E2E_PROVIDER=claude-sdk vitest run --config vitest.config.e2e.provider.ts --outputFile.json=e2e/results/claude-sdk.json
  • test:e2e:provider:codexTAKT_E2E_PROVIDER=codex vitest run --config vitest.config.e2e.provider.ts --outputFile.json=e2e/results/codex.json
  • test:e2e:provider:cursorTAKT_AUTO_PR=false TAKT_E2E_PROVIDER=cursor vitest run --config vitest.config.e2e.cursor.ts --outputFile.json=e2e/results/cursor.json
  • test:e2e:provider:opencodeTAKT_E2E_PROVIDER=opencode TAKT_E2E_MODEL=${TAKT_E2E_MODEL:-opencode/big-pickle} vitest run --config vitest.config.e2e.provider.ts --outputFile.json=e2e/results/opencode.json
  • test:watchvitest
  • watchtsc --watch
Dependencies14
  • @anthropic-ai/claude-agent-sdk^0.2.119
  • @openai/codex-sdk^0.125.0
  • @opencode-ai/sdk^1.14.24
  • @opentelemetry/api^1.9.1
  • @opentelemetry/sdk-node^0.217.0
  • ajv^6.12.6
  • chalk^5.3.0
  • commander^12.1.0
  • faceted-prompting^0.1.0
  • traced-config^0.3.0
  • update-notifier^7.3.1
  • wanakana^5.3.1
  • yaml^2.8.3
  • zod^4.3.6