PkgRadar

npm · registry.npmjs.org

@automattic/vip

Remote Dependency Spec: dependencies.cli-table="github:automattic/cli-table#7b14232"

Why PkgRadar flagged 2.0.0-dev1

| Severity | Signal | Evidence |
| --- | --- | --- |
| medium | Remote Dependency Spec | dependencies.cli-table="github:automattic/cli-table#7b14232" · package.json |
| medium | Remote Dependency Spec | devDependencies.eslint-config-wpvip="github:automattic/eslint-config-wpvip#39d3482" · package.json |
| medium | Dependency Changed To Remote Vs Previous | devDependencies.eslint-config-wpvip changed to remote spec in 2.0.0-dev1 vs 1.12.1: "github:automattic/eslint-config-wpvip#39d3482" · package.json |

Scanned versions

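| Version | Verdict | Score | Scanned (UTC) |
| --- | --- | --- | --- |
| 2.0.0-dev1 | High risk | 33 | 2026-06-20 |
| 2.0.0-dev2 | Review | 7 | 2026-06-19 |
| 2.0.0-dev3 | Review | 7 | 2026-06-19 |
| 4.0.1 | Review | 5 | 2026-06-19 |
| 4.0.2 | Review | 5 | 2026-06-19 |
| 4.0.3 | Review | 5 | 2026-06-19 |
| 4.0.5 | Review | 5 | 2026-06-19 |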

Block this in CI

PkgRadar gates @automattic/vip (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @automattic/[email protected]