PkgRadar

PyPI · pypi.org

astrbot

Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution

Why PkgRadar flagged 4.26.0b4

SeveritySignalEvidence
highPython Bun Js ExecPython file references the Bun JavaScript runtime — cross-language execution · astrbot-4.26.0b4/astrbot/core/agent/mcp_client.py

Scanned versions

VersionVerdictScoreScanned (UTC)
4.26.0b4High risk252026-06-17
4.26.0b3High risk252026-06-16
4.26.0b2High risk252026-06-16
4.26.0b1High risk252026-06-15
4.25.5Review52026-06-08
4.25.4Review52026-06-07
4.25.3Review52026-06-05
4.25.2Review52026-05-30

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates astrbot (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi astrbot==4.26.0b4
Start free — 25 scans / moView full evidence