npm · registry.npmjs.org

autoevals

Install Lifecycle Remote Or Exec: preinstall="node -e \"const userAgent = process.env.npm_config_user_agent || ''; if (process.env.INIT_CWD === process.cwd() && !userAgent.includes('pnpm/')) { console.error('Use pnpm in this repo.'); process.exit(1); }\""

Why PkgRadar flagged 0.3.0

Severity	Signal	Evidence
high	New Lifecycle Script Vs Previous	preinstall added in 0.3.0 vs 0.0.132: "node -e \"const userAgent = process.env.npm_config_user_agent \|\| ''; if (process.env.INIT_CWD === process.cwd() && !userAgent.includes('pnpm/')) { console.error('Use pnpm in this repo.'); process.exit(1); }\"" · package.json
high	Install Lifecycle Remote Or Exec	preinstall="node -e \"const userAgent = process.env.npm_config_user_agent \|\| ''; if (process.env.INIT_CWD === process.cwd() && !userAgent.includes('pnpm/')) { console.error('Use pnpm in this repo.'); process.exit(1); }\"" · package.json

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.3.0`	High risk	75	2026-06-10
`0.0.130`	Low risk	0	2026-06-09
`0.0.131`	Low risk	0	2026-06-09
`0.0.132`	Low risk	0	2026-06-09

Block this in CI

PkgRadar gates autoevals (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]

Start free — 25 scans / mo View full evidence