
Security News
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.
evalguardai-sdk
Advanced tools
DEPRECATED — install '@evalguard/sdk' instead. This package is a thin re-export shim kept so existing installs keep working; the canonical name is @evalguard/sdk.
⚠️ This package is deprecated. Install
@evalguard/sdkinstead.
npm install @evalguard/sdk
The evalguardai-sdk slot is kept so existing installs keep working — it
re-exports everything from @evalguard/sdk and emits a one-time
deprecation warning on first import.
The legacy name embedded the .ai TLD into the package handle. Industry
convention (openai, @anthropic-ai/sdk, stripe, @vercel/*) keeps
package names brand-only. Switching now — before customer integrations
lock in the wrong name — avoids a future forced migration.
Replace:
import { EvalGuard } from "evalguardai-sdk";
with:
import { EvalGuard } from "@evalguard/sdk";
API surface is identical. No code changes needed beyond the import.
The canonical @evalguard/sdk is published with cryptographic provenance
(npm OIDC trusted publisher + Sigstore). Verify after install:
npm install @evalguard/sdk
npm audit signatures
Issues, PRs, and security reports go to the monorepo: https://github.com/EvalGuardAi/evalguard/issues
FAQs
DEPRECATED — install '@evalguard/sdk' instead. This package is a thin re-export shim kept so existing installs keep working; the canonical name is @evalguard/sdk.
The npm package evalguardai-sdk receives a total of 26 weekly downloads. As such, evalguardai-sdk popularity was classified as not popular.
We found that evalguardai-sdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.