Package evidence
@convex-dev/[email protected]
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 86,215 (Mainstream · −50% score)
- Versions published: 93 (Established · −30% score)
- First published: Jun 2025
- Publisher: erquhart
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@convex-dev/[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@convex-dev/[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 25 · status changed
Evidence
Static findings
2 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/dist/client/create-schema.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Js Split Join Obfuscation | package/src/client/create-schema.ts | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
Manifest
Package metadata
Scripts (15)
- `alpha`: `npm version prerelease --preid alpha && npm publish --tag alpha && git push --follow-tags`
- `build`: `tsc --project tsconfig.build.json`
- `build:clean`: `rm -rf dist *.tsbuildinfo && npm run build:codegen`
- `build:codegen`: `cd examples/react && npx convex codegen --component-dir ../../src/component && cd ../.. && npm run build`
- `dev`: `npm run build && cd examples/react && npm run dev`
- `lint`: `eslint .`
- `preversion`: `npm ci && npm run build:clean && npm run test && npm run lint && npm run typecheck`
- `release`: `npm version patch && npm publish && git push --follow-tags`
- `test`: `vitest run --typecheck`
- `test:coverage`: `vitest run --coverage --coverage.reporter=text`
- `test:debug`: `vitest --inspect-brk --no-file-parallelism`
- `test:e2e`: `npm run build && cd e2e && npm run test`
- `test:watch`: `vitest --typecheck --clearScreen false`
- `typecheck`: `tsc --noEmit && tsc -p examples/next && tsc -p examples/next/convex && tsc -p examples/react && tsc -p examples/react/convex && tsc -p examples/tanstack && tsc -p examples/tanstack/convex`
- `version`: `(npm whoami || npm login) && node scripts/sync-version.mjs && vim -c 'normal o' -c 'normal o## '$npm_package_version CHANGELOG.md && prettier -w CHANGELOG.md && git add CHANGELOG.md src/version.ts`

Dependencies (8)
- `@better-fetch/fetch`: `^1.1.18`
- `common-tags`: `^1.8.2`
- `convex-helpers`: `^0.1.95`
- `jose`: `^6.1.0`
- `remeda`: `^2.32.0`
- `semver`: `^7.7.3`
- `type-fest`: `^5.0.0`
- `zod`: `^4.0.0`