PkgRadar

npm · registry.npmjs.org

@vue/compat

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 3.6.0-beta.13

SeveritySignalEvidence
highJs Decode Then Execbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/vue.cjs.js
highJs Decode Then Execbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/vue.cjs.prod.js

Scanned versions

VersionVerdictScoreScanned (UTC)
3.5.38Low risk02026-06-11
3.6.0-beta.15Low risk02026-06-11
3.5.37Low risk02026-06-11
3.5.36Low risk02026-06-11
3.6.0-beta.14Low risk02026-06-05
3.6.0-beta.13Review152026-05-28
3.6.0-beta.12Low risk02026-05-27
3.5.35Low risk02026-05-27

Block this in CI

PkgRadar gates @vue/compat (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @vue/[email protected]
Start free — 25 scans / moView full evidence