PkgRadar

Package evidence

[email protected]

Credential file access: matched ".npmrc"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 1
First published: Jun 2026
Publisher: vybezcodetel

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: vybezcodetel
Artifact bytes: 6,316,364
Previous version: none
Published: 2026-06-12T19:14:42.994Z
SHA-256: aec11b29e6fed734d0a39f8cccbe30b83ca398b2eefb81461ebdb2e165d6eacd

Why flagged

What the scanner saw

Credential file access: matched ".npmrc"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 5
Version: 3.1.2
Status history (1 event)
  1. new · available · risk review · score 5 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Severity | Kind | Path | Detail | Points
low | Credential file access | package/src/config/defaults.ts | matched ".npmrc" | 5

Manifest

Package metadata

Scripts: 66
  • audit-deps: node scripts/audit-dependencies.js
  • build:webview: cd webview && pnpm build
  • check:bundle-budget: node scripts/check-bundle-budgets.js
  • check:bundle-size: node scripts/check-bundle-size.js
  • collect-load-metrics: node scripts/collect-load-metrics.js
  • compile: pnpm run build:webview && doppler run --project vreko-shared --config prd -- node esbuild.config.cjs --production
  • compile:ci: SKIP_ENV_VALIDATION=true node esbuild.config.cjs --production
  • compile:skip-check: doppler run --project vreko-shared --config prd -- node esbuild.config.cjs --production
  • compile:tests: tsc -p tsconfig.e2e.json
  • demo-readiness: bash scripts/demo-readiness.sh
  • deploy: pnpm run validate:ip && node scripts/package-vsix.cjs && doppler run --project vreko-shared --config prd -- npx @vscode/vsce publish --no-dependencies --packagePath vreko-vscode-*.vsix
  • dev: pnpm run package-vsix && code --install-extension vreko-vscode-*.vsix --force
  • dev-workflow: node scripts/dev-workflow.cjs
  • dev:clean: rm -rf ~/.cursor/extensions/marcelle-labs.vreko-vscode-* && pnpm run dev
  • dev:ext: node scripts/dev-ext.cjs
  • enforce-performance-budget: node scripts/enforce-performance-budget.js
  • execute-runlist: node scripts/execute-runlist.js
  • format: biome format --write .
  • launch-demo: bash scripts/launch-demo-vscode.sh
  • lint: biome lint .
  • lint:fix: biome lint --fix .
  • lint:manifest: node -e "const fs=require('fs');const pkg=JSON.parse(fs.readFileSync('package.json','utf8'));const cmds=pkg.contributes.commands;const missing=cmds.filter(c=>!c.command);if(missing.length>0){console.error('\x1b[31m✗ ERROR\x1b[0m Commands missing command property:',missing.length);process.exit(1)}const props=Object.keys(pkg.contributes.configuration.properties);const commentProps=props.filter(p=>p.startsWith('comment'));if(commentProps.length>0){console.error('\x1b[31m✗ ERROR\x1b[0m Configuration properties with comment prefix:',commentProps.length);process.exit(1)}console.log('\x1b[32m✓ OK\x1b[0m package.json manifest validation passed');"
  • monitor-vsix-size: node scripts/monitor-vsix-size.js
  • package-and-install: node scripts/package-and-install.cjs
  • package-vsce: npx @vscode/vsce package
  • package-vsce-no-deps: npx @vscode/vsce package --no-dependencies
  • package-vsix: node scripts/package-vsix.cjs
  • package-with-changeset: cd ../.. && npx changeset version && cd apps/vscode && pnpm run package-vsce-no-deps
  • pre-demo: bash scripts/pre-demo.sh
  • pretest:e2e: pnpm run compile:skip-check && pnpm run compile:tests
  • …and 36 more.
Dependencies: 20
  • @vreko/auth: 0.1.2
  • @vreko/contracts: 1.1.0
  • @vreko/core: 0.2.2
  • @vreko/local-service-client: 1.0.1
  • @vreko/mcp-client: 0.1.2
  • @vreko/workspace-identity: 0.0.1
  • ajv: 8.17.1
  • ajv-formats: ^2.1.1
  • async-mutex: 0.5.0
  • base64url: 3.0.1
  • node-machine-id: 1.1.12
  • pathe: 2.0.3
  • proper-lockfile: 4.1.2
  • semver: 7.6.3
  • ts-brand: 0.0.2
  • tweetnacl: 1.0.3
  • vscode-languageclient: 9.0.1
  • vscode-languageserver: 9.0.1
  • vscode-languageserver-textdocument: 1.0.12
  • zod: 3.25.76
Optional dependencies: 4
  • @huggingface/transformers: ^3.0.0
  • @vreko/sentry-privacy: 0.0.1
  • onnxruntime-node: ^1.21.0
  • sql.js: ^1.10.0