PkgRadar

Package evidence

@amirjalili1374/[email protected]

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
193Established · −30% score
First published
Nov 2025
Publisher
amirvue95

Effective trust discount applied: 30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@amirjalili1374/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@amirjalili1374/[email protected]"],"fail_on":"review"}'
Publisheramirvue95
Artifact bytes5,577,738
Previous version1.5.91
Published2026-05-31T10:31:21.893Z
SHA-256a5441875f726f7952d17c4bb898f0e0f3a0dd8b2b5e88761ed94e1d45b21cb23

Why flagged

What the scanner saw

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
28Score
1.5.92Version
Status history (1 event)
  1. newavailable · risk review · score 28 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highJs Split Join Obfuscationpackage/dist/ui-kit.cjs.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
Show all 2 findings (low-signal and informational)
SeverityKindPathDetailPoints
highJs Split Join Obfuscationpackage/dist/ui-kit.cjs.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
lowLarge Javascript Payloadpackage/dist/ui-kit.es.js2080885 bytes0

Manifest

Package metadata

Scripts31
  • buildnpm run typecheck && vite build --mode dev
  • build:analyzenpm run build && npx vite-bundle-analyzer dist/stats.html
  • build:demonpm run typecheck && vite build --mode demo
  • build:devnpm run typecheck && vite build --mode dev
  • build:libcross-env BUILD_LIB=true vite build && npm run build:types
  • build:livenpm run typecheck && vite build --mode live
  • build:prelivenpm run typecheck && vite build --mode prelive
  • build:typesvue-tsc --declaration --emitDeclarationOnly --project tsconfig.lib.json --skipLibCheck || echo 'Type generation completed with warnings'
  • cleanrimraf dist node_modules/.vite
  • devvite --mode dev
  • dev:demovite --mode demo
  • dev:livevite --mode live
  • dev:prelivevite --mode prelive
  • formatprettier --write "src/**/*.{js,ts,vue,scss,css,json}"
  • format:checkprettier --check "src/**/*.{js,ts,vue,scss,css,json}"
  • linteslint . --fix
  • lint:checkeslint .
  • prepublishOnlynpm run build:lib
  • previewvite preview --port 5050 --host
  • preview:demovite preview --port 9090 --host
  • preview:devvite preview --port 5050 --host
  • preview:livevite preview --port 5050 --host
  • preview:prelivevite preview --port 5050 --host
  • publish:currentnpm publish --access public
  • release:majornpm version major && npm publish --access public
  • release:minornpm version minor && npm publish --access public
  • release:patchnpm version patch && npm publish --access public
  • servevue-cli-service serve
  • testecho "No tests specified" && exit 0
  • typecheckvue-tsc --noEmit
  • …and 1 more.
Dependencies32
  • @amirjalili1374/ui-kit^1.2.1
  • @dsb-norge/vue-keycloak-js^3.0.0
  • @mdi/js^7.4.47
  • @tabler/icons-vue^3.33.0
  • @tsconfig/node2020.1.4
  • @typescript-eslint/parser^7.8.0
  • @vueuse/core^13.0.0
  • apexcharts3.49.1
  • axios^1.8.0
  • axios-mock-adapter^1.22.0
  • chance1.1.11
  • date-fns3.6.0
  • jalaali-js^1.2.8
  • jspdf^3.0.0
  • lodash4.17.21
  • lodash-es^4.17.21
  • lottie-web^5.12.2
  • pinia2.1.7
  • remixicon4.2.0
  • vee-validate4.12.8
  • vite-plugin-vuetify^2.1.2
  • vue^3.3.0
  • vue-router^4.3.0
  • vue3-apexcharts1.5.2
  • vue3-lottie^3.3.1
  • vue3-perfect-scrollbar2.0.0
  • vue3-persian-datetime-picker^1.2.2
  • vue3-print-nb0.1.4
  • vuetify^3.10.0
  • webpack-plugin-vuetify^3.1.2
  • …and 2 more.