npm · registry.npmjs.org

@kohaku-eth/tornado-cash

Remote Dependency Spec: dependencies.snarkjs="git+https://github.com/tornadocash/snarkjs.git#869181cfaf7526fe8972073d31655493a04326d5"

Why PkgRadar flagged 0.0.2-alpha.8

Severity	Signal	Evidence
medium	Remote Dependency Spec	dependencies.snarkjs="git+https://github.com/tornadocash/snarkjs.git#869181cfaf7526fe8972073d31655493a04326d5" · package.json
medium	Remote Dependency Spec	dependencies.websnark="git+https://github.com/tornadocash/websnark.git#4c0af6a8b65aabea3c09f377f63c44e7a58afa6d" · package.json
medium	New Remote Dependency Vs Previous	dependencies.snarkjs added in 0.0.2-alpha.8 vs 0.0.1: "git+https://github.com/tornadocash/snarkjs.git#869181cfaf7526fe8972073d31655493a04326d5" · package.json
medium	New Remote Dependency Vs Previous	dependencies.websnark added in 0.0.2-alpha.8 vs 0.0.1: "git+https://github.com/tornadocash/websnark.git#4c0af6a8b65aabea3c09f377f63c44e7a58afa6d" · package.json

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.0.1`	Low risk	0	2026-06-09
`0.0.2-alpha.8`	Review	48	2026-06-09

Block this in CI

PkgRadar gates @kohaku-eth/tornado-cash (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @kohaku-eth/[email protected]