First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
11
Score
100/100
Findings (11)
Detects npx executing packages from unverified sources without pinned versions
npx @cavos/cli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @cavos/cli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @cavos/cli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @cavos/cli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @cavos/cli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @cavos/cli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @cavos/cli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @cavos/cli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @cavos/cli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @cavos/cli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @cavos/cli Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.