PkgRadar

npm · registry.npmjs.org

@coder/code-server-pr

Remote Payload: matched "curl "

Why PkgRadar flagged 0.0.0-5997-e73a1448eb90d47c3afde03d26091aaf400ee1ba

SeveritySignalEvidence
mediumRemote Payloadmatched "curl " · package/postinstall.sh

Scanned versions

VersionVerdictScoreScanned (UTC)
0.0.0-5997-e73a1448eb90d47c3afde03d26091aaf400ee1baReview72026-06-11
0.0.0-beta-026879b78c2ce7f18cf258c237122eb08827e1d6Review72026-06-11
0.0.0-beta-6e1b9131e908da782fa9c89eb8d3ade71e2bf1edReview72026-06-11
0.0.0-beta-776d57b12bc791ca5db5b47b82c351f83bacf199Review72026-06-11
4.1.0-4972-4f800181a0de4ee60389f9d90200bb088e7d8a2eReview62026-06-11

Block this in CI

PkgRadar gates @coder/code-server-pr (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @coder/code-server-pr@0.0.0-5997-e73a1448eb90d47c3afde03d26091aaf400ee1ba
Start free — 25 scans / moView full evidence