PkgRadar

npm · registry.npmjs.org

@spiffcommerce/core

Native Addon Gyp Action: binding.gyp runs a script or chains shell during node-gyp build (executes outside package.json lifecycle)

Why PkgRadar flagged 0.7.0

Severity | Signal | Evidence
high | Native Addon Gyp Action | binding.gyp runs a script or chains shell during node-gyp build (executes outside package.json lifecycle) · package/node_modules/canvas/binding.gyp
medium | Remote Dependency Spec | dependencies.@spiffcommerce/papyrus="git+ssh://git@github.com:spiffdev/papyrus.git#1a8e96b62555d637eb10c14984c198d66e39564d" · package.json
medium | Remote Dependency Spec | dependencies.@spiffcommerce/preview="git+ssh://git@github.com:spiffdev/spiff-preview.git#a9ea43a83ef66df56bd6928a8a8686cb19325328" · package.json
high | Remote Dependency Spec | dependencies.canvg="https://github.com/spiffdev/canvg.git#03bcd151b12441e88ecb552bb658356f5bbe92c4" · package.json
medium | New Remote Dependency Vs Previous | dependencies.@spiffcommerce/papyrus added in 0.7.0 vs 0.6.15: "git+ssh://git@github.com:spiffdev/papyrus.git#1a8e96b62555d637eb10c14984c198d66e39564d" · package.json
medium | New Remote Dependency Vs Previous | dependencies.@spiffcommerce/preview added in 0.7.0 vs 0.6.15: "git+ssh://git@github.com:spiffdev/spiff-preview.git#a9ea43a83ef66df56bd6928a8a8686cb19325328" · package.json

Scanned versions

Version | Verdict | Score | Scanned (UTC)
42.0.1 | Review | 7 | 2026-06-17
35.0.3 | Review | 12 | 2026-06-16
0.7.0 | High risk | 95 | 2026-06-16
42.0.0 | Review | 7 | 2026-06-16
41.2.0 | Review | 7 | 2026-06-09
41.1.2-alpha.0 | Review | 7 | 2026-06-09
41.1.1 | Review | 7 | 2026-06-09
41.1.0 | Review | 7 | 2026-06-03
41.0.3-alpha.2 | Review | 7 | 2026-06-01
41.0.3-alpha.1 | Review | 7 | 2026-06-01
41.0.3-alpha.0 | Review | 7 | 2026-06-01
41.0.1 | Review | 10 | 2026-05-28
41.0.2 | Review | 10 | 2026-05-28

Campaign attribution

Part of the Miasma worm campaign.

Block this in CI

PkgRadar gates @spiffcommerce/core (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @spiffcommerce/core@0.7.0