npm · registry.npmjs.org

weapp-tailwindcss

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 5.0.0-next.26

Severity	Signal	Evidence
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/runtime-registry-CdCV3Opt.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`5.0.0-next.37`	Low risk	0	2026-06-03
`5.0.0-next.36`	Low risk	0	2026-06-03
`5.0.0-next.35`	Low risk	0	2026-06-03
`5.0.0-next.33`	Low risk	0	2026-06-02
`5.0.0-next.32`	Low risk	0	2026-06-01
`5.0.0-next.31`	Low risk	0	2026-06-01
`5.0.0-next.30`	Low risk	0	2026-06-01
`5.0.0-next.29`	Low risk	0	2026-06-01
`5.0.0-next.28`	Low risk	0	2026-05-31
`5.0.0-next.27`	Low risk	0	2026-05-31
`5.0.0-next.26`	Review	13	2026-05-29
`5.0.0-next.25`	Low risk	0	2026-05-28
`5.0.0-next.24`	Low risk	0	2026-05-26
`5.0.0-next.23`	Low risk	0	2026-05-25
`5.0.0-next.22`	Low risk	0	2026-05-25
`5.0.0-next.21`	Low risk	0	2026-05-25
`5.0.0-next.20`	Low risk	0	2026-05-25
`5.0.0-next.19`	Low risk	0	2026-05-24
`5.0.0-next.18`	Low risk	0	2026-05-24

Block this in CI

PkgRadar gates weapp-tailwindcss (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]