ANT
Level 1 — Immediate
How old is this version? Have earlier releases of this library ever had CVEs filed against them? Returns in under 500 ms.
Level 2 — Async
Did a new contributor appear for this version? When was their account created? Have they touched this project before? Arrives as a PR comment update within seconds.
Level 3 — Deep
What is the actual difference between this version and the last known-safe one? Does the code now reach out to addresses it never reached before?
In practice
20 Nov 2018 — Day 0
A new contributor, right9ctrl, publishes flatmap-stream@0.1.1. The account was created that month, and this is its only project on GitHub. event-stream@3.3.6 adds it as a dependency within hours.
20 Nov 2018 — Day 0
ANT flags it. L2 signal: new contributor, single-repository account, no prior activity in this ecosystem. Score moves to FLAG. PR comment updated immediately.
26 Nov 2018 — Day 6
Researchers discover the payload stealing bitcoin wallet keys. npm advisory 737 filed. Millions of installs have already downloaded the compromised version.
26 Nov 2018 — Day 6
Every CVE-database tool — Snyk, Dependabot, all of them — learns about the attack now. Six days after it began.
ANT detection window: 6 days of advance warning. CVE-database tools: 0.
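The Level 2 questions and the Day 0 flag above can be sketched as a check over publisher metadata for every dependency an upgrade introduces. This is an added example, not ANT's code: the field names, the 30-day cutoff, the two-signal FLAG rule, and the sample values marked as placeholders are all assumptions.

```javascript
// Illustrative L2-style contributor checks (added example, not ANT's code).
// Field names, the 30-day cutoff and the two-signal rule are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const NEW_ACCOUNT_DAYS = 30;

// Dependencies present in `next` but absent from `prev`.
function addedDependencies(prev, next) {
  const before = new Set(Object.keys(prev.dependencies || {}));
  return Object.keys(next.dependencies || {}).filter((n) => !before.has(n));
}

// Answer the L2 questions for the publisher of one release.
function contributorSignals(release, priorContributors) {
  const { publisher, publishedAt } = release;
  const ageDays = (Date.parse(publishedAt) - Date.parse(publisher.accountCreated)) / DAY_MS;
  const signals = [];
  if (!priorContributors.includes(publisher.login)) signals.push("new-contributor");
  if (ageDays < NEW_ACCOUNT_DAYS) signals.push("new-account");
  if (publisher.publicRepos <= 1) signals.push("single-repository-account");
  if (publisher.priorPackages === 0) signals.push("no-prior-ecosystem-activity");
  return signals;
}

// Score every dependency an upgrade introduces; two or more signals => FLAG.
function scanUpgrade(prev, next, registry, priorContributors) {
  return addedDependencies(prev, next).map((name) => {
    const release = registry[name];
    const signals = contributorSignals(release, priorContributors);
    return { package: name, version: release.version,
             status: signals.length >= 2 ? "FLAG" : "PASS", signals };
  });
}

// Constructed sample metadata modelled on the timeline above. The exact
// account-creation day, "PREVIOUS", "example-dep" and "original-maintainer"
// are placeholders, not registry data.
const previous = { name: "event-stream", version: "PREVIOUS",
                   dependencies: { "example-dep": "1.0.0" } };
const upgraded = { name: "event-stream", version: "3.3.6",
                   dependencies: { "example-dep": "1.0.0", "flatmap-stream": "0.1.1" } };
const registry = {
  "flatmap-stream": { version: "0.1.1", publishedAt: "2018-11-20",
    publisher: { login: "right9ctrl", accountCreated: "2018-11-05",
                 publicRepos: 1, priorPackages: 0 } },
};

console.log(scanUpgrade(previous, upgraded, registry, ["original-maintainer"]));
```

None of these checks depends on an advisory existing, which is why they can fire on Day 0.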
Setup
Try it
L1 returns instantly · L2 contributor analysis cached on repeat scans
| Package | Version | Score | Status | Signals |
|---|---|---|---|---|