npm · registry.npmjs.org

@goodparty_org/sdk

Install Lifecycle Remote Or Exec: postinstall="node -e \"try { var p = require('path').join(__dirname, '.gitmodules'); if (require('fs').existsSync(p)) { require('child_process').execSync('git submodule update --init --recursive', { stdio: 'inherit', cwd: __dirname }); } } catch (e) { console.error('postinstall submodule init failed:', e.message); }\""

Why PkgRadar flagged 2.2.0

Severity	Signal	Evidence
high	New Lifecycle Script Vs Previous	postinstall added in 2.2.0 vs 2.1.0: "node -e \"try { var p = require('path').join(__dirname, '.gitmodules'); if (require('fs').existsSync(p)) { require('child_process').execSync('git submodule update --init --recursive', { stdio: 'inherit', cwd: __dirname }); } } catch (e) { console.error('postinstall submodule init failed:', e.message); }\"" · package.json
high	Install Lifecycle Remote Or Exec	postinstall="node -e \"try { var p = require('path').join(__dirname, '.gitmodules'); if (require('fs').existsSync(p)) { require('child_process').execSync('git submodule update --init --recursive', { stdio: 'inherit', cwd: __dirname }); } } catch (e) { console.error('postinstall submodule init failed:', e.message); }\"" · package.json

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.2.0`	High risk	75	2026-06-10
`2.4.0`	Review	10	2026-06-05
`2.3.0`	Review	10	2026-06-03
`2.1.0`	Low risk	0	2026-06-02

Block this in CI

PkgRadar gates @goodparty_org/sdk (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @goodparty_org/[email protected]

Start free — 25 scans / mo View full evidence