Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 1,814Mature · −50% score
- First published
- Jun 2021
- Publisher
- zhangzhenyu_125306
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Credential File Packaged: package/.env
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 17 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential File Packaged | package/.env | package/.env | 35 |
Show all 2 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Credential File Packaged | package/.env | package/.env | 35 |
| low | Large Javascript Payload | package/public/his/editor/vender/editor.js | 2617908 bytes | 0 |
Manifest
Package metadata
Scripts17
buildSET NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service buildbuild:previewvue-cli-service build --mode previewlintvue-cli-service lintlint:nofixvue-cli-service lint --no-fixmac-servevue-cli-service serve --no-eslint --mode hisserveSET NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve --no-eslintserve:applySET NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve --no-eslint --mode applyserve:gaslinkSET NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve --no-eslint --mode gaslinkserve:hisSET NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve --no-eslint --mode hisserve:iotSET NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve --no-eslint --mode iotserve:liuliSET NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve --no-eslint --mode liuliserve:messageSET NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve --no-eslint --mode messageserve:revenueSET NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve --no-eslint --mode revenueserve:runtimeSET NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve --no-eslint --mode runtimeserve:scadaSET NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve --no-eslint --mode scadatestjesttest:unitvue-cli-service test:unit
Dependencies52
@afwenming123/vue-easy-tree^1.0.1@afwenming123/vue-plugin-hiprint^0.0.70@amap/amap-jsapi-loader^1.0.1@antv/data-set^0.11.8@antv/g2plot^2.4.31@hufe921/canvas-editor^0.9.49@microsoft/fetch-event-source^2.0.1@vue/babel-preset-jsx^1.4.0animate.css^4.1.1ant-design-vuenpm:@afwenming123/[email protected]axios^0.27.2clipboard^2.0.11core-js^3.33.0crypto-js^4.1.1date-fns^2.29.3default-passive-events^2.0.0dotenv^16.3.1echarts^5.5.0enquire.js^2.1.6file-saver^2.0.5highlight.js^11.7.0html-to-image^1.11.13html2canvas^1.4.1js-base64^3.7.5js-cookie^2.2.1jsencrypt^3.3.2jspdf^2.5.1lodash.clonedeep^4.5.0lodash.debounce^4lodash.get^4.4.2- …and 22 more.