PkgRadar

npm · registry.npmjs.org

create-nextjs-cms

Credential File Packaged: package/templates/default/.env

Why PkgRadar flagged 0.5.54

SeveritySignalEvidence
highCredential File Packagedpackage/templates/default/.env · package/templates/default/.env
highNative Addon Gyp Actionbinding.gyp runs a script or chains shell during node-gyp build (executes outside package.json lifecycle) · package/templates/default/apps/cms/node_modules/next/node_modules/sharp/src/binding.gyp
highNative Addon Gyp Actionbinding.gyp runs a script or chains shell during node-gyp build (executes outside package.json lifecycle) · package/templates/default/apps/cms/node_modules/sharp/src/binding.gyp

Scanned versions

VersionVerdictScoreScanned (UTC)
0.5.54High risk592026-06-10
0.5.45High risk592026-06-10
0.5.48High risk592026-06-10
0.9.36High risk282026-06-10
0.9.35High risk282026-06-10
0.9.33High risk282026-06-10
0.9.34High risk282026-06-10

Block this in CI

PkgRadar gates create-nextjs-cms (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence