PkgRadar

npm · registry.npmjs.org

@devaloop/devalang

Install Lifecycle Remote Or Exec: postinstall="node -e \"try { require('./out-tsc/scripts/postinstall.js') } catch (e) { console.log('⚠\u{fe0f} Skipping postinstall (build first)') }\""

Why PkgRadar flagged 0.1.7

SeveritySignalEvidence
highInstall Lifecycle Remote Or Execpostinstall="node -e \"try { require('./out-tsc/scripts/postinstall.js') } catch (e) { console.log('⚠\u{fe0f} Skipping postinstall (build first)') }\"" · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
0.0.1-alpha.13Low risk02026-06-11
0.0.1-alpha.14Low risk02026-06-11
0.0.1-alpha.15Low risk02026-06-11
0.1.7High risk242026-06-11
0.2.0High risk242026-06-11
0.1.9High risk242026-06-10
0.1.8High risk242026-06-10

Block this in CI

PkgRadar gates @devaloop/devalang (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @devaloop/[email protected]
Start free — 25 scans / moView full evidence