npm · registry.npmjs.org

@ministryofjustice/hmpps-digital-prison-reporting-frontend

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 6.4.1

Severity	Signal	Evidence
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/cjs/node_modules/@flipt-io/flipt-client-js/dist/node/index.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`6.7.0`	Low risk	0	2026-06-12
`6.6.5`	Low risk	0	2026-06-12
`6.6.4`	Low risk	0	2026-06-10
`4.13.14`	Low risk	0	2026-06-10
`4.13.15`	Low risk	0	2026-06-10
`4.13.13`	Low risk	0	2026-06-10
`6.6.3`	Low risk	0	2026-06-09
`6.6.2`	Low risk	0	2026-06-08
`6.6.1`	Low risk	0	2026-06-03
`6.6.0`	Low risk	0	2026-05-29
`6.5.0`	Low risk	0	2026-05-29
`6.4.1`	Review	13	2026-05-28
`6.4.0`	Low risk	0	2026-05-27
`6.3.3`	Low risk	0	2026-05-26
`6.3.1`	Low risk	0	2026-05-25
`6.3.2`	Low risk	0	2026-05-25

Block this in CI

PkgRadar gates @ministryofjustice/hmpps-digital-prison-reporting-frontend (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @ministryofjustice/[email protected]