Your npm token is used only to fetch staged release evidence, never exposed to package contents.
Release confidence for npm maintainers
See exactly what your next publish ships.
A publish-level diff of the staged tarball, with deterministic risk signals pinned to the hunks that triggered them — without executing package code or exposing credentials to untrusted package contents.
What a review looks like
@acme/cli
scan_01HXY5K9PNQE3 · 4.2.0 → 4.3.0 · 17 files, 4 changed · complete
- critical · 1
- medium · 1
package.json
  3   3    "version": "4.3.0",
  4   4    "main": "lib/index.js",
  5   5    "scripts": {
  6   6      "build": "tsc -p .",
      7 +    "postinstall": "node lib/install.js",
  7   8      "test": "vitest"
  8   9    },
postinstall now executes during npm install, invoking lib/install.js — a newly added file in this release. Inspect before approving.
Reports keep redacted review evidence, not raw release archives.
Maintainers approve in npm with normal 2FA. We never publish on their behalf.
How it protects releases
Credentials stay protected
Connect npm once. Reviews can fetch staged releases without exposing your token to untrusted package contents.
Changes take center stage
See the release delta that matters: scripts, dependencies, entrypoints, new files, binaries, and suspicious code paths.
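The review shown above and the release-delta signals listed here (install scripts, dependencies, entrypoints, new files, binaries) can be produced from manifest and file-list metadata alone, without running anything from the tarball. The following is an added illustration of that kind of deterministic check, not the product's own code: it compares a constructed previous and staged package.json plus two constructed tarball file lists and returns ranked findings. The postinstall hook and lib/install.js match the example above; the node-fetch dependency, the other file names and the severity labels are assumptions made for the illustration.

```python
import json
from typing import Any

# Lifecycle hooks npm runs automatically when a consumer installs the package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# File suffixes treated as native or precompiled binaries (assumed list).
BINARY_SUFFIXES = (".node", ".so", ".dll", ".dylib", ".exe", ".wasm")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample input: previous release vs. staged release.
OLD_MANIFEST = json.dumps({
    "name": "@acme/cli", "version": "4.2.0", "main": "lib/index.js",
    "scripts": {"build": "tsc -p .", "test": "vitest"},
    "dependencies": {"chalk": "^5.0.0"},
})
NEW_MANIFEST = json.dumps({
    "name": "@acme/cli", "version": "4.3.0", "main": "lib/index.js",
    "scripts": {"build": "tsc -p .", "postinstall": "node lib/install.js", "test": "vitest"},
    "dependencies": {"chalk": "^5.0.0", "node-fetch": "^3.3.0"},  # node-fetch is made up
})
OLD_FILES = {"package.json", "lib/index.js", "README.md"}
NEW_FILES = {"package.json", "lib/index.js", "lib/install.js", "README.md"}


def review_release(old_manifest: str, new_manifest: str,
                   old_files: set[str], new_files: set[str]) -> list[dict[str, Any]]:
    """Return deterministic risk signals derived from a manifest/file-list diff.

    Only metadata is compared; no package code is loaded or executed.
    """
    old = json.loads(old_manifest)
    new = json.loads(new_manifest)
    added_files = new_files - old_files
    findings: list[dict[str, Any]] = []

    # 1. Install-time hooks: a new or changed hook runs on every consumer's machine.
    old_scripts = old.get("scripts", {})
    new_scripts = new.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = new_scripts.get(hook)
        if cmd is None:
            continue
        # Pin the signal to any file this hook references that is new in this release.
        referenced_new = sorted(f for f in added_files if f in cmd)
        if hook not in old_scripts:
            findings.append({"severity": "critical", "signal": "new-install-hook",
                             "hook": hook, "command": cmd, "new_files": referenced_new})
        elif old_scripts[hook] != cmd:
            findings.append({"severity": "high", "signal": "changed-install-hook",
                             "hook": hook, "command": cmd, "new_files": referenced_new})

    # 2. Entrypoints: a changed main/bin/exports moves what consumers actually load.
    for key in ("main", "bin", "exports"):
        if old.get(key) != new.get(key):
            findings.append({"severity": "medium", "signal": "changed-entrypoint",
                             "field": key, "old": old.get(key), "new": new.get(key)})

    # 3. Dependencies: every new package widens the transitive trust surface.
    new_deps = set(new.get("dependencies", {})) - set(old.get("dependencies", {}))
    for dep in sorted(new_deps):
        findings.append({"severity": "medium", "signal": "new-dependency",
                         "package": dep, "range": new["dependencies"][dep]})

    # 4. Binaries: precompiled artifacts cannot be reviewed as source.
    for path in sorted(added_files):
        if path.endswith(BINARY_SUFFIXES):
            findings.append({"severity": "high", "signal": "new-binary", "path": path})

    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for finding in review_release(OLD_MANIFEST, NEW_MANIFEST, OLD_FILES, NEW_FILES):
        print(finding)
```

The checks are intentionally plain set and dictionary comparisons so that the same two inputs always yield the same findings; anything that reads the tarball contents to add context should sit on top of this and not be able to remove a signal it produced.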
Assistant that knows its place
The reviewer treats package contents as evidence, not instructions — adding context without overriding hard safety signals.