npm · registry.npmjs.org

@kuwork/backlog.md

Install Lifecycle Remote Or Exec: postinstall="sh -c 'command -v bun2nix >/dev/null 2>&1 && bun2nix -o bun.nix || (command -v nix >/dev/null 2>&1 && nix --extra-experimental-features \"nix-command flakes\" run github:baileyluTCD/bun2nix/85d692d68a5345d868d3bb1158b953d2996d70f7 -- -o bun.nix || true)'"

Why PkgRadar flagged 1.45.2-CN

Severity	Signal	Evidence
high	Install Lifecycle Remote Or Exec	postinstall="sh -c 'command -v bun2nix >/dev/null 2>&1 && bun2nix -o bun.nix \|\| (command -v nix >/dev/null 2>&1 && nix --extra-experimental-features \"nix-command flakes\" run github:baileyluTCD/bun2nix/85d692d68a5345d868d3bb1158b953d2996d70f7 -- -o bun.nix \|\| true)'" · package.json
high	New Account With Lifecycle Hook	package first published 7 day(s) ago, 1 total version(s), has lifecycle hook · package.json
high	Install Lifecycle Suppresses Failure	postinstall="sh -c 'command -v bun2nix >/dev/null 2>&1 && bun2nix -o bun.nix \|\| (command -v nix >/dev/null 2>&1 && nix --extra-experimental-features \"nix-command flakes\" run github:baileyluTCD/bun2nix/85d692d68a5345d868d3bb1158b953d2996d70f7 -- -o bun.nix \|\| true)'" · package.json

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`1.46.0-CN`	Low risk	0	2026-06-11
`1.45.2-CN`	High risk	55	2026-06-10

Block this in CI

PkgRadar gates @kuwork/backlog.md (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @kuwork/[email protected]

Start free — 25 scans / mo View full evidence