PkgRadar

npm · registry.npmjs.org

@velora-dex/widget

Remote Dependency Spec: dependencies.@velora-dex/sdk="github:VeloraDEX/sdk#chore/order_refund_field"

Why PkgRadar flagged 0.8.5-dev.0

SeveritySignalEvidence
mediumRemote Dependency Specdependencies.@velora-dex/sdk="github:VeloraDEX/sdk#chore/order_refund_field" · package.json
mediumDependency Changed To Remote Vs Previousdependencies.@velora-dex/sdk changed to remote spec in 0.8.5-dev.0 vs 0.8.4: "github:VeloraDEX/sdk#chore/order_refund_field" · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
0.8.5-dev.0Review242026-06-15
0.8.4Low risk02026-06-02
0.8.4-dev.0Low risk02026-05-29
0.8.3Low risk02026-05-28
0.8.3-dev.0Low risk02026-05-25
0.8.3-dev.1Low risk02026-05-25

Block this in CI

PkgRadar gates @velora-dex/widget (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @velora-dex/[email protected]
Start free — 25 scans / moView full evidence