npm · registry.npmjs.org

querysub

Remote Dependency Spec: dependencies.js-sha256="https://github.com/sliftist/js-sha256"

Why PkgRadar flagged 0.475.0

Severity	Signal	Evidence
high	Remote Dependency Spec	dependencies.js-sha256="https://github.com/sliftist/js-sha256" · package.json
high	Remote Dependency Spec	dependencies.node-forge="https://github.com/sliftist/forge#e618181b469b07bdc70b968b0391beb8ef5fecd6" · package.json
medium	Credential file access	matched ".ssh/" · package/src/4-deploy/git.ts

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.475.0`	High risk	19	2026-06-17
`0.474.0`	High risk	19	2026-06-16
`0.473.0`	High risk	19	2026-06-10
`0.472.0`	High risk	19	2026-06-10
`0.471.0`	High risk	19	2026-06-10
`0.470.0`	High risk	19	2026-06-10
`0.468.0`	High risk	19	2026-06-10
`0.469.0`	High risk	19	2026-06-10
`0.467.0`	High risk	19	2026-06-10
`0.462.0`	Review	19	2026-05-30
`0.461.0`	Review	19	2026-05-30
`0.460.0`	Review	19	2026-05-30
`0.459.0`	Review	19	2026-05-30
`0.458.0`	Review	19	2026-05-30
`0.456.0`	Review	19	2026-05-30
`0.457.0`	Review	19	2026-05-30
`0.454.0`	Review	19	2026-05-30
`0.455.0`	Review	19	2026-05-30
`0.466.0`	Review	19	2026-05-30
`0.464.0`	Review	19	2026-05-29
`0.465.0`	Review	19	2026-05-29

Block this in CI

PkgRadar gates querysub (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]