npm · registry.npmjs.org

@huggingface/tasks

Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.

Why PkgRadar flagged 0.21.10

Severity	Signal	Evidence
high	Js Hidden Powershell	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. · package/dist/commonjs/local-apps.js
high	Js Hidden Powershell	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. · package/dist/esm/local-apps.js
high	Js Hidden Powershell	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. · package/dist/commonjs/local-apps.spec.js
high	Js Hidden Powershell	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. · package/dist/esm/local-apps.spec.js
high	Js Hidden Powershell	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. · package/src/local-apps.spec.ts
high	Js Hidden Powershell	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. · package/src/local-apps.ts

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.21.10`	Review	15	2026-06-08
`0.21.9`	Review	15	2026-06-08
`0.21.8`	Review	15	2026-06-04
`0.21.7`	Review	15	2026-06-03
`0.21.6`	Review	15	2026-06-03
`0.21.5`	Review	15	2026-06-02
`0.21.4`	Review	15	2026-06-01
`0.21.3`	Review	15	2026-06-01
`0.21.1`	Low risk	0	2026-05-27
`0.21.2`	Low risk	0	2026-05-27

Block this in CI

PkgRadar gates @huggingface/tasks (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @huggingface/[email protected]

Start free — 25 scans / mo View full evidence