PkgRadar

npm · registry.npmjs.org

@stupidloud/codegraph

Install-time lifecycle script: postinstall="node scripts/postinstall.js"

Why PkgRadar flagged 0.10.0

SeveritySignalEvidence
highNew Lifecycle Script Vs Previouspostinstall added in 0.10.0 vs 0.9.14: "node scripts/postinstall.js" · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
1.0.2Low risk02026-06-15
0.9.16Low risk02026-06-11
0.9.15Low risk02026-06-10
0.10.0High risk452026-06-10
0.9.14Low risk02026-06-07
0.9.13Low risk02026-06-06
0.9.12Low risk02026-06-06
0.9.11Low risk02026-06-06
0.10.1Review52026-06-05
0.9.9Low risk02026-06-05
0.8.1Review302026-05-24
0.9.5Review542026-05-24

Campaign attribution

Part of the asteroiddao npm campaign campaign.

Block this in CI

PkgRadar gates @stupidloud/codegraph (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @stupidloud/[email protected]
Start free — 25 scans / moView full evidence