PkgRadar

Package evidence

[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 9,718 (Niche · −30% score)
Versions published: 115 (Mature · −50% score)
First published: Aug 2015
Publisher: tramsing

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: tramsing
Artifact bytes: 125,041
Previous version: 0.23.1
Published: 2026-06-12T07:59:40.347Z
SHA-256: 2598b7badbdf48ca439e31f9ecc425399014e8bf16d30715f82312be7e712135

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 1
Version: 0.23.2
Status history (1 event)
  1. new available · risk review · score 1 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 2 findings (low-signal and informational):

Severity · Kind · Path · Detail · Points
low · Credential file access · package/_build/package.json · matched ".npmrc" · 3
low · Credential file access · package/package.json · matched ".npmrc" · 3

Manifest

Package metadata

Scripts (21)
  • build: tsc -p .
  • build:tests: tsc -p tsconfig.tests.json
  • clean: rimraf _build && rimraf _tests
  • install-credprovider: npm install --global @microsoft/artifacts-npm-credprovider --registry https://pkgs.dev.azure.com/artifacts-public/23934c1b-a3b5-4b70-9dd3-d1bef4cc72a0/_packaging/AzureArtifacts/npm/registry/
  • npmauth: artifacts-npm-credprovider -c .npmrc
  • postbuild: ncp app/tfx-cli.js _build/tfx-cli.js && ncp package.json _build/package.json && ncp app/exec/build/tasks/_resources _build/exec/build/tasks/_resources
  • postbuild:tests: ncp tests/build-samples _tests/build-samples && ncp tests/extension-samples _tests/extension-samples
  • prepublishOnly: npm run build
  • test: npm run build:tests && mocha "_tests/tests/**/*.js"
  • test:build-consolidated: npm run test:build-local && npm run test:build-server-integration
  • test:build-local: npm run build:tests && mocha "_tests/tests/build-local-tests.js"
  • test:build-server-integration: npm run build:tests && mocha "_tests/tests/build-server-integration-tests.js"
  • test:ci: npm run build:tests && mocha "_tests/tests/**/*.js" --reporter mocha-multi-reporters --reporter-options configFile=.mocha-multi-reporters.json
  • test:commandline: npm run build:tests && mocha "_tests/tests/commandline.js"
  • test:extension-consolidated: npm run test:extension-local && npm run test:extension-server-integration
  • test:extension-local: npm run build:tests && mocha "_tests/tests/extension-local-tests.js"
  • test:extension-server-integration: npm run build:tests && mocha "_tests/tests/extension-server-integration-tests.js"
  • test:focused-login: npm run build:tests && mocha "_tests/tests/focused-login-test.js"
  • test:server-integration: npm run build:tests && mocha "_tests/tests/server-integration-*.js"
  • test:server-integration-login: npm run build:tests && mocha "_tests/tests/server-integration-login.js"
  • test:server-integration-workitem: npm run build:tests && mocha "_tests/tests/server-integration-workitem.js"
Dependencies (24)
  • app-root-path 1.0.0
  • archiver ^7.0.1
  • azure-devops-node-api ^14.0.0
  • clipboardy ^4.0.0
  • colors ~1.3.0
  • glob ^11.1.0
  • jju ^1.4.0
  • json-in-place ^1.0.1
  • jszip ^3.10.1
  • lodash ^4.17.21
  • minimist ^1.2.6
  • mkdirp ^1.0.4
  • onecolor ^2.5.0
  • os-homedir ^1.0.1
  • prompt ^1.3.0
  • read ^1.0.6
  • shelljs ^0.10.0
  • tmp ^0.2.4
  • tracer 0.7.4
  • util.promisify ^1.0.0
  • uuid ^13.0.0
  • validator ^13.15.23
  • winreg 0.0.12
  • xml2js ^0.5.0