npm · registry.npmjs.org

@koordinates/mapnik

Remote Payload: matched "curl "

Why PkgRadar flagged 4.99.35

Severity	Signal	Evidence
medium	Remote Payload	matched "curl " · package/deps/wagyu/mason.sh
high	Remote Dependency Spec	dependencies.mapnik-vector-tile="https://github.com/mapbox/mapnik-vector-tile/tarball/98ace1c737c6c9a80058835d41de233621394678" · package.json

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`4.99.35`	High risk	22	2026-06-10
`4.99.38`	Review	14	2026-05-30
`4.99.39`	Review	14	2026-05-29

Block this in CI

PkgRadar gates @koordinates/mapnik (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @koordinates/[email protected]