PkgRadar

Package evidence

[email protected]

Credential file access: matched ".ssh/"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
26
Versions published
10Established · −30% score
First published
Jul 2025
Publisher
steipete

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishersteipete
Artifact bytes8,735,658
Previous version1.0.0-beta.14.1
Published2025-08-02T00:38:40.223Z
SHA-2561c218cf0025700e20a36a0cd5a9ed6c99ba57b9644e8c51f655fa66a7a51d347

Why flagged

What the scanner saw

Credential file access: matched ".ssh/"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
7Score
1.0.0-beta.15Version
Status history (1 event)
  1. newavailable · risk review · score 7 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 5 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowCredential file accesspackage/public/bundle/client-bundle.jsmatched ".ssh/"5
lowInstall-time lifecycle scriptpackage.jsonpostinstall="node scripts/postinstall-npm.js"5
lowLarge Javascript Payloadpackage/public/monaco-editor/vs/editor/editor.main.js3766654 bytes0
lowObfuscation Densitypackage/public/monaco-editor/vs/basic-languages/freemarker2/freemarker2.jshigh encoded/escaped-token density0
lowLarge Javascript Payloadpackage/public/monaco-editor/vs/language/typescript/tsWorker.js5749518 bytes0

Manifest

Package metadata

Scripts44
  • buildnode scripts/build.js
  • build:cinode scripts/build-ci.js
  • build:npmnode scripts/build-npm.js
  • check./scripts/check-all.sh
  • check:fix./scripts/check-fix-sequential.sh
  • cleannode scripts/clean.js
  • devnode scripts/dev.js
  • dev:clientnode scripts/dev.js --client-only
  • dev:servertsx watch src/cli.ts --no-auth
  • formatbiome format src --write
  • format:checkbiome format src
  • lintconcurrently -n biome,tsc-server,tsc-client,tsc-sw "biome check src" "tsc --noEmit --project tsconfig.server.json" "tsc --noEmit --project tsconfig.client.json" "tsc --noEmit --project tsconfig.sw.json"
  • lint:biomebiome check src
  • lint:fixbiome check src --write
  • postinstallnode scripts/postinstall-npm.js
  • prebuildecho 'Skipping prebuild - handled by build-npm.js'
  • prebuild:uploadecho 'Skipping prebuild:upload - not used'
  • precommitpnpm run format && pnpm run lint:fix && pnpm run typecheck
  • preparehusky
  • prepublishOnlynpm run build:npm
  • pretestnode scripts/ensure-native-modules.js
  • prettierprettier --write src --experimental-cli
  • prettier:checkprettier --check src --experimental-cli
  • prettier:fastPRETTIER_EXPERIMENTAL_CLI=1 prettier --write src
  • testvitest
  • test:cinpm run pretest && vitest run --reporter=verbose
  • test:clientvitest run --mode=client
  • test:client:coveragevitest run --mode=client --coverage
  • test:coveragevitest run --coverage
  • test:e2eplaywright test
  • …and 14 more.
Dependencies29
  • @codemirror/commands^6.8.1
  • @codemirror/lang-css^6.3.1
  • @codemirror/lang-html^6.4.9
  • @codemirror/lang-javascript^6.2.4
  • @codemirror/lang-json^6.0.2
  • @codemirror/lang-markdown^6.3.3
  • @codemirror/lang-python^6.2.1
  • @codemirror/state^6.5.2
  • @codemirror/theme-one-dark^6.1.3
  • @codemirror/view^6.38.1
  • @xterm/headless^5.5.0
  • authenticate-pam^1.0.5
  • bonjour-service^1.3.0
  • chalk^5.4.1
  • compression^1.8.1
  • express^5.1.0
  • helmet^8.1.0
  • http-proxy-middleware^3.0.5
  • jsonwebtoken^9.0.2
  • lit^3.3.1
  • mime-types^3.0.1
  • monaco-editor^0.52.2
  • multer^2.0.2
  • node-ptyfile:node-pty
  • postject1.0.0-alpha.6
  • signal-exit^4.1.0
  • web-push^3.6.7
  • ws^8.18.3
  • zod^4.0.14