Package evidence
@contentful/[email protected]
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 685Mature · −50% score
- First published
- Feb 2020
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@contentful/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@contentful/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 15 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/dist/cjs/plugins/PasteHTML/utils/sanitizeAnchors.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Js Split Join Obfuscation | package/dist/esm/plugins/PasteHTML/utils/sanitizeAnchors.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
Manifest
Package metadata
Scripts12
buildyarn build:types && yarn build:cjs && yarn build:esmbuild:cjsswc src --config-file ../../.swcrc -d dist/cjs -C module.type=commonjsbuild:esmswc src --config-file ../../.swcrc -d dist/esmbuild:typestsc --outDir dist/types --emitDeclarationOnlylinteslint ./src --ext .js,.jsx,.ts,.tsxtestvitesttest:civitest runtsctsc -p ./ --noEmitwatchyarn concurrently "yarn:watch:*"watch:cjsyarn build:cjs -wwatch:esmyarn build:esm -wwatch:typesyarn build:types --watch
Dependencies37
@contentful/app-sdk^4.42.0@contentful/contentful-slatejs-adapter^16.1.6@contentful/f36-components^6.7.1@contentful/f36-icon^6.7.1@contentful/f36-icons^6.7.1@contentful/f36-tokens^6.1.2@contentful/f36-utils^6.1.0@contentful/field-editor-reference^8.3.2@contentful/field-editor-shared^4.4.1@contentful/rich-text-plain-text-renderer^17.0.0@contentful/rich-text-types^17.2.5@emotion/css^11.13.5@popperjs/core^2.11.5@udecode/plate-basic-marks36.0.0@udecode/plate-break36.0.0@udecode/plate-common36.5.9@udecode/plate-core36.5.9@udecode/plate-list36.0.0@udecode/plate-paragraph36.0.0@udecode/plate-reset-node36.0.0@udecode/plate-select36.0.0@udecode/plate-serializer-docx36.0.10@udecode/plate-table36.5.9@udecode/plate-trailing-block36.0.0constate^3.3.2date-fns^2.30.0fast-deep-equal^3.1.3is-hotkey^0.2.0is-plain-obj^3.0.0lodash^4.17.21- …and 7 more.