Package evidence
@chromatic-com/[email protected]
Known Indicator Filename: package/embedded/node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv/scripts/bundle.js
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@chromatic-com/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@chromatic-com/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Known Indicator Filename: package/embedded/node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv/scripts/bundle.js
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 71 · status changed
Evidence
Static findings
195 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Known Indicator Filename | package/embedded/node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv/scripts/bundle.js | package/embedded/node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv/scripts/bundle.js | 45 |
| medium | Remote Payload | package/embedded/node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv/dist/ajv.bundle.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/embedded/node_modules/webpack/lib/runtime/GetChunkFilenameRuntimeModule.js | matched "cUrl " | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/html-minifier-terser/src/htmlparser.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/@babel/helper-validator-identifier/lib/identifier.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/json5/dist/index.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/json5/dist/index.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/cjs-module-lexer/lexer.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/terser/lib/parse.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/embedded/node_modules/webpack/lib/url/URLParserPlugin.js | matched "cUrl " | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/json5/dist/index.min.mjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/json5/dist/index.mjs | high encoded/escaped-token density | 12 |
Show all 195 findings (low-signal and informational)
Showing 60 of 195 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Known Indicator Filename | package/embedded/node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv/scripts/bundle.js | package/embedded/node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv/scripts/bundle.js | 45 |
| medium | Remote Payload | package/embedded/node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv/dist/ajv.bundle.js | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | package/embedded/node_modules/webpack/lib/runtime/GetChunkFilenameRuntimeModule.js | matched "cUrl " | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/html-minifier-terser/src/htmlparser.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/@babel/helper-validator-identifier/lib/identifier.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/json5/dist/index.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/json5/dist/index.min.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/cjs-module-lexer/lexer.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/terser/lib/parse.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/embedded/node_modules/webpack/lib/url/URLParserPlugin.js | matched "cUrl " | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/json5/dist/index.min.mjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/embedded/node_modules/json5/dist/index.mjs | high encoded/escaped-token density | 12 |
| low | Obfuscation | package/embedded/node_modules/eslint-scope/dist/eslint-scope.cjs | matched "eval(" | 3 |
| low | Obfuscation | package/embedded/node_modules/colorette/index.cjs | matched "\\x1b" | 3 |
| low | Obfuscation | package/embedded/node_modules/@storybook/builder-webpack5/node_modules/es-module-lexer/dist/lexer.cjs | matched "Buffer.from(A,\"base64" | 3 |
| low | Obfuscation | package/embedded/node_modules/es-module-lexer/dist/lexer.cjs | matched "Buffer.from(A,\"base64" | 3 |
| low | Obfuscation | package/embedded/node_modules/lodash/_asciiWords.js | matched "\\x00" | 3 |
| low | Obfuscation | package/embedded/node_modules/lodash/_createCompounder.js | matched "\\u2019" | 3 |
| low | Obfuscation | package/embedded/node_modules/lodash/_deburrLetter.js | matched "\\xc0" | 3 |
| low | Obfuscation | package/embedded/node_modules/lodash/_escapeStringChar.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/embedded/node_modules/lodash/_hasUnicode.js | matched "\\ud800" | 3 |
| low | Obfuscation | package/embedded/node_modules/lodash/_unicodeSize.js | matched "\\ud800" | 3 |
| low | Obfuscation | package/embedded/node_modules/lodash/_unicodeToArray.js | matched "\\ud800" | 3 |
| low | Obfuscation | package/embedded/node_modules/lodash/_unicodeWords.js | matched "\\ud800" | 3 |
| low | Obfuscation | package/embedded/node_modules/acorn/dist/acorn.js | matched "\\u200c" | 3 |
| low | Obfuscation | package/embedded/node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv/dist/ajv.bundle.js | matched "\\x00" | 3 |
| low | Obfuscation | package/embedded/node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv/dist/ajv.min.js | matched "\\x00" | 3 |
| low | Obfuscation | package/embedded/node_modules/renderkid/lib/AnsiPainter.js | matched "\\x1b" | 3 |
| low | Obfuscation | package/embedded/node_modules/webpack/lib/asset/AssetGenerator.js | matched "Buffer.from(content, \"base64" | 3 |
| low | Obfuscation | package/embedded/node_modules/yaml/browser/dist/schema/yaml-1.1/binary.js | matched "atob(" | 3 |
| low | Obfuscation | package/embedded/node_modules/yaml/dist/schema/yaml-1.1/binary.js | matched "Buffer.from(src, 'base64" | 3 |
| low | Obfuscation | package/embedded/node_modules/source-map-support/browser-source-map-support.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/embedded/node_modules/terser/dist/bundle.min.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/embedded/node_modules/webpack/lib/cli.js | matched "\\u001B" | 3 |
| low | Obfuscation | package/embedded/node_modules/webpack-hot-middleware/client.js | matched "\\uD83D" | 3 |
| low | Obfuscation | package/embedded/node_modules/ajv/dist/compile/codegen/code.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/embedded/node_modules/anymatch/node_modules/picomatch/lib/constants.js | matched "\\x00" | 3 |
| low | Obfuscation | package/embedded/node_modules/braces/lib/constants.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/embedded/node_modules/picomatch/lib/constants.js | matched "\\x00" | 3 |
| low | Obfuscation | package/embedded/node_modules/readdirp/node_modules/picomatch/lib/constants.js | matched "\\x00" | 3 |
| low | Obfuscation | package/embedded/node_modules/cssesc/cssesc.js | matched "\\x20" | 3 |
| low | Obfuscation | package/embedded/node_modules/webpack/lib/css/CssParser.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/embedded/node_modules/yaml/browser/dist/parse/cst.js | matched "\\x02" | 3 |
| low | Obfuscation | package/embedded/node_modules/yaml/dist/parse/cst.js | matched "\\x02" | 3 |
| low | Obfuscation | package/embedded/node_modules/webpack/lib/util/dataURL.js | matched "Buffer.from(body, \"base64" | 3 |
| low | Obfuscation | package/embedded/node_modules/lodash/deburr.js | matched "\\xc0" | 3 |
| low | Obfuscation | package/embedded/node_modules/entities/lib/decode_codepoint.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/embedded/node_modules/@webassemblyjs/utf8/esm/decoder.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/embedded/node_modules/@webassemblyjs/utf8/lib/decoder.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/embedded/node_modules/@webassemblyjs/utf8/src/decoder.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/embedded/node_modules/webpack/lib/stats/DefaultStatsPrinterPlugin.js | matched "\\u001B" | 3 |
| low | Obfuscation | package/embedded/node_modules/cosmiconfig/node_modules/yaml/dist/Document-9b4560a1.js | matched "\\x00" | 3 |
| low | Obfuscation | package/embedded/node_modules/terser/tools/domprops.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/embedded/node_modules/entities/lib/encode.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/embedded/node_modules/webpack/lib/EvalDevToolModulePlugin.js | matched "eval(" | 3 |
| low | Obfuscation | package/embedded/node_modules/webpack/lib/EvalSourceMapDevToolPlugin.js | matched "eval(" | 3 |
| low | Obfuscation | package/embedded/node_modules/terser/lib/compress/evaluate.js | matched "eval(" | 3 |
| low | Obfuscation | package/embedded/node_modules/ajv-formats/dist/formats.js | matched "\\x00" | 3 |
| low | Obfuscation | package/embedded/node_modules/fork-ts-checker-webpack-plugin/node_modules/ajv/lib/compile/formats.js | matched "\\x00" | 3 |
| low | Obfuscation | package/embedded/node_modules/javascript-stringify/dist/function.js | matched "\\xA0" | 3 |
Manifest
Package metadata
Scripts5
buildyarn prebuild && tsupcleanrimraf ./dist ./embeddedprebuildyarn cleantest:playwrightplaywright testtest:unityarn workspace @chromaui/chromatic-e2e test:unit --project Playwright
Dependencies3
@chromaui/rrweb-snapshot2.0.0-alpha.19-noAbsolute@segment/analytics-node2.1.3storybook10.2.13