npm · registry.npmjs.org

@feathery/react

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 2.39.1

Severity	Signal	Evidence
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/umd/index.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.46.0`	Low risk	0	2026-06-12
`2.45.1`	Low risk	0	2026-06-12
`2.45.0`	Low risk	0	2026-06-12
`2.44.0`	Low risk	0	2026-06-10
`2.43.0`	Low risk	0	2026-06-10
`2.42.0`	Low risk	0	2026-06-09
`2.41.1`	Low risk	0	2026-06-09
`2.41.0`	Low risk	0	2026-06-09
`2.40.2`	Low risk	0	2026-06-08
`2.40.1`	Low risk	0	2026-06-05
`2.40.0`	Low risk	0	2026-06-05
`2.39.5`	Low risk	0	2026-06-04
`2.39.4`	Low risk	0	2026-06-04
`2.39.3`	Low risk	0	2026-06-02
`2.39.2`	Low risk	0	2026-05-30
`2.39.1`	Review	13	2026-05-29
`2.39.0`	Review	9	2026-05-28
`2.37.4`	Review	9	2026-05-26
`2.38.0`	Review	9	2026-05-26

Block this in CI

PkgRadar gates @feathery/react (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @feathery/[email protected]