npm · registry.npmjs.org

@genaiscript/core

Remote Dependency Spec: optionalDependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz"

Why PkgRadar flagged 2.4.1

Severity	Signal	Evidence
high	Remote Dependency Spec	optionalDependencies.xlsx="https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz" · package.json
medium	Remote Payload	matched "raw.githubusercontent.com" · package/dist/browser/githubclient.js
medium	Remote Payload	matched "raw.githubusercontent.com" · package/dist/esm/githubclient.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.4.1`	High risk	41	2026-06-10
`2.5.0`	High risk	51	2026-06-10
`2.5.1`	High risk	51	2026-06-10
`2.4.0`	High risk	41	2026-06-10

Block this in CI

PkgRadar gates @genaiscript/core (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @genaiscript/[email protected]