publish

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The publish scripts call "npx wrangler" (e.g., for r2 object put and whoami), which at runtime will fetch and execute the Wrangler package from the npm registry (https://registry.npmjs.org/) and is required for uploads, so remote code is fetched and executed during runtime.