PkgRadar

npm · registry.npmjs.org

@dcloudio/uni-app-plus

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 2.0.2-alpha-5010220260529001

SeveritySignalEvidence
highJs Decode Then Execbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/view.umd.js

Scanned versions

VersionVerdictScoreScanned (UTC)
2.0.2-alpha-5010320260611001Low risk02026-06-11
2.0.2-5000720260410001Low risk02026-06-11
3.0.0-alpha-5010320260611001Low risk02026-06-11
2.0.2-alpha-5010220260604002Low risk02026-06-05
3.0.0-alpha-5010220260604001Low risk02026-06-05
3.0.0-alpha-5010220260529001Low risk02026-05-29
2.0.2-alpha-5010220260529001Review132026-05-29
2.0.2-alpha-5010120260525001Low risk02026-05-26
3.0.0-alpha-5010120260525001Low risk02026-05-26
3.0.0-alpha-1000920260525813Low risk02026-05-25
2.0.2-alpha-5010120260522001Review122026-05-25
3.0.0-alpha-1000920260525733Low risk02026-05-25

Block this in CI

PkgRadar gates @dcloudio/uni-app-plus (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @dcloudio/[email protected]
Start free — 25 scans / moView full evidence