npm · registry.npmjs.org

canvas-frame-x

Remote Dependency Spec: dependencies.canvasX="https://tcctech-stag.s3.ap-south-1.amazonaws.com/canvasX-package/canvasX-0.9.20.tgz"

Why PkgRadar flagged 1.1.2

Severity	Signal	Evidence
high	Remote Dependency Spec	dependencies.canvasX="https://tcctech-stag.s3.ap-south-1.amazonaws.com/canvasX-package/canvasX-0.9.20.tgz" · package.json
high	Dependency Changed To Remote Vs Previous	dependencies.canvasX changed to remote spec in 1.1.2 vs 1.1.1: "https://tcctech-stag.s3.ap-south-1.amazonaws.com/canvasX-package/canvasX-0.9.20.tgz" · package.json
medium	Remote Dependency Spec	devDependencies.@types/canvasX="https://tcctech-stag.s3.ap-south-1.amazonaws.com/canvasX-package/canvasX-bundle-types-0.9.20.tgz" · package.json
medium	Dependency Changed To Remote Vs Previous	devDependencies.@types/canvasX changed to remote spec in 1.1.2 vs 1.1.1: "https://tcctech-stag.s3.ap-south-1.amazonaws.com/canvasX-package/canvasX-bundle-types-0.9.20.tgz" · package.json

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`1.1.6`	Low risk	0	2026-06-11
`1.1.5`	Low risk	0	2026-06-10
`1.1.5-dev`	Low risk	0	2026-06-10
`1.1.2`	High risk	40	2026-06-10
`1.1.3`	High risk	52	2026-06-10
`1.1.4`	High risk	16	2026-06-10

Block this in CI

PkgRadar gates canvas-frame-x (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]