PkgRadar

npm · registry.npmjs.org

clerk

Manifest Codeless Dependency Stub: package ships no JS/TS source but declares 8 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape

Why PkgRadar flagged 2.0.1-canary.8bcd18c

SeveritySignalEvidence
mediumManifest Codeless Dependency Stubpackage ships no JS/TS source but declares 8 dependency(ies) (0 with loose/empty version specs) — dependency-confusion / install-chain loader shape · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
2.0.1-canary.8bcd18cReview42026-06-12
2.0.1-canary.c18409cReview42026-06-12
2.0.1-canary.ca44851Review42026-06-11
2.0.1-snapshot.9f8329dReview42026-06-10
2.0.1-snapshot.d637eb0Review42026-06-08
2.0.1-canary.4bd85a8Review42026-06-08
2.0.1-snapshot.10cbda5Review42026-06-02
2.0.1-snapshot.bdf8fafReview42026-06-02
2.0.1-canary.f95eca2Review42026-06-01
1.5.1-canary.g9604692Review42026-06-01
1.5.1-canary.2e6de6eReview42026-06-01
1.5.0Low risk02026-05-29
1.5.1-canary.2966cc5Low risk02026-05-29
1.5.1-snapshot.19caa25Low risk02026-05-29
1.5.1-snapshot.878b726Low risk02026-05-29
1.5.1-snapshot.5891fa2Low risk02026-05-28
1.4.1-canary.3ad74f5Low risk02026-05-25
1.4.1-canary.79b09a9Low risk02026-05-25

Block this in CI

PkgRadar gates clerk (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence