PkgRadar

npm · registry.npmjs.org

sitespeed.io

Remote Dependency Spec: dependencies.waterfall-tools="https://codeload.github.com/pmeenan/waterfall-tools/tar.gz/e5415be"

Why PkgRadar flagged 41.1.0

Severity | Signal | Evidence
high | Remote Dependency Spec | dependencies.waterfall-tools="https://codeload.github.com/pmeenan/waterfall-tools/tar.gz/e5415be" · package.json
high | Dependency Changed To Remote Vs Previous | dependencies.waterfall-tools changed to remote spec in 41.1.0 vs 41.0.1: "https://codeload.github.com/pmeenan/waterfall-tools/tar.gz/e5415be" · package.json

Scanned versions

Version | Verdict | Score | Scanned (UTC)
41.1.0 | High risk | 29 | 2026-06-10
41.3.3 | Review | 3 | 2026-06-09
41.3.2 | Review | 3 | 2026-06-09
41.3.1 | Review | 3 | 2026-06-09
41.3.0 | Review | 1 | 2026-06-07
41.2.1 | Review | 1 | 2026-05-31
41.2.0 | Review | 15 | 2026-05-27

Block this in CI

PkgRadar gates sitespeed.io (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]