PyPI · pypi.org

skylos

Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution

Why PkgRadar flagged 4.24.2

Severity	Signal	Evidence
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · skylos-4.24.2/skylos/rules/config/cicd/github_actions.py
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · skylos-4.24.2/skylos/rules/config/cicd/gitlab_ci.py
medium	Py Import Time Subprocess	subprocess call — process spawning. · skylos-4.24.2/skylos/api/__init__.py
high	Py Import Time Network Call	Network call (urllib/requests/httpx/http.client) at install or import time. · skylos-4.24.2/skylos/api/__init__.py

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`4.24.2`	High risk	61	2026-06-15
`4.24.1`	High risk	36	2026-06-09
`4.24.0`	High risk	36	2026-06-09
`4.23.1`	High risk	34	2026-06-04
`4.23.0`	High risk	34	2026-06-03
`4.22.1`	High risk	34	2026-05-30
`4.22.0`	High risk	34	2026-05-30
`4.21.0`	High risk	31	2026-05-30

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates skylos (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi skylos==4.24.2