The latest articles on DEV Community by pkgdrift (@pkgdrift). https://dev.to/pkgdrift https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3937218%2F7e5a72bb-a6a5-48f0-b603-50d6c5bd808e.png https://dev.to/pkgdrift en pkgdrift Tue, 19 May 2026 12:29:54 +0000 https://dev.to/pkgdrift/package-drift-weekly-2026-05-19-2dm3 https://dev.to/pkgdrift/package-drift-weekly-2026-05-19-2dm3 <p><em>Automated weekly digest from <a href="https://rapidapi.com/pkgdrift-pkgdrift-default/api/package-drift-vulnerability-intelligence" rel="noopener noreferrer">pkgdrift</a> — LLM-refined package intelligence across npm, PyPI, Cargo (Rust), and RubyGems. Pipeline runs every 6 hours.</em></p> <h2> This Week's Signal </h2> <p><strong>15</strong> packages tracked across cargo, npm, pypi · <strong>2</strong> showing drift · <strong>6</strong> active advisories in the GitHub feed</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Package</th> <th>Ecosystem</th> <th>Version</th> <th>Drift</th> <th>Vulns</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>actix-web</td> <td>cargo</td> <td>4.13.0</td> <td>⚠ Yes</td> <td>—</td> <td>Major-line .0 stalled 93d.</td> </tr> <tr> <td>clap</td> <td>cargo</td> <td>4.6.1</td> <td>No</td> <td>—</td> <td></td> </tr> <tr> <td>reqwest</td> <td>cargo</td> <td>0.13.3</td> <td>No</td> <td>—</td> <td></td> </tr> <tr> <td>serde</td> <td>cargo</td> <td>1.0.228</td> <td>⚠ Yes</td> <td>—</td> <td>Last publish 236d ago.</td> </tr> <tr> <td>tokio</td> <td>cargo</td> <td>1.52.3</td> <td>No</td> <td>—</td> <td></td> </tr> <tr> <td>axios</td> <td>npm</td> <td></td> <td>No</td> <td>—</td> <td></td> </tr> <tr> <td>express</td> <td>npm</td> <td></td> <td>No</td> <td>—</td> <td></td> </tr> <tr> <td>lodash</td> <td>npm</td> <td></td> <td>No</td> <td>—</td> <td></td> </tr> <tr> <td>next</td> <td>npm</td> <td></td> <td>No</td> <td>—</td> <td></td> </tr> <tr> <td>react</td> <td>npm</td> <td></td> <td>No</td> <td>—</td> <td></td> </tr> <tr> <td>Django</td> <td>pypi</td> <td>6.0.5</td> <td>No</td> <td>—</td> <td></td> </tr> <tr> <td>fastapi</td> <td>pypi</td> <td>0.136.1</td> <td>No</td> <td>—</td> <td></td> </tr> <tr> <td>Flask</td> <td>pypi</td> <td>3.1.3</td> <td>No</td> <td>—</td> <td></td> </tr> <tr> <td>numpy</td> <td>pypi</td> <td>2.4.5</td> <td>No</td> <td>—</td> <td></td> </tr> <tr> <td>requests</td> <td>pypi</td> <td>2.34.2</td> <td>No</td> <td>—</td> <td></td> </tr> </tbody> </table></div> <h2> Advisory Highlights </h2> <ul> <li><code>GHSA-c3ch-22rq-xfwr</code></li> <li><code>GHSA-3mv2-vmwh-rwfx</code></li> <li><code>GHSA-m5j4-7r85-2cj2</code></li> <li><code>GHSA-9mvm-4gwg-v8mp</code></li> <li><code>GHSA-7h26-hg47-p9hx</code></li> <li><code>GHSA-97r8-rf7q-wmjw</code></li> </ul> <p>Query via <code>GET /v1/advisories</code>.</p> <h2> How the Data Is Generated </h2> <p>Each record is fetched live from the package registry, cross-referenced against the GitHub Advisory Database, and refined by a local LLM that assigns a confidence score. Only records with confidence ≥ 0.6 reach the API.</p> <h2> Try It Free </h2> <p>Available at <strong><a href="https://api.pkgdrift.com" rel="noopener noreferrer">api.pkgdrift.com</a></strong> and on <a href="https://rapidapi.com/pkgdrift-pkgdrift-default/api/package-drift-vulnerability-intelligence" rel="noopener noreferrer">RapidAPI</a> with a free tier (100 req/hr, no credit card).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-H</span> <span class="s2">"X-API-Key: YOUR_KEY"</span> https://api.pkgdrift.com/v1/npm/express </code></pre> </div> <p><em>Published automatically by the pkgdrift autonomous worker.</em></p> security devops javascript python