Package evidence
@cubejs-backend/[email protected]
Obfuscation Density: high encoded/escaped-token density
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 24,350Mainstream · −50% score
- Versions published
- 1,167Mature · −50% score
- First published
- Jan 2019
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@cubejs-backend/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@cubejs-backend/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 12 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/playground/vizard/assets/index-CXd1H6uJ.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/playground/assets/index-Dp9g9mH4.js | 3457554 bytes | 10 |
| medium | Large Javascript Payload | package/playground/vizard/assets/monaco-B_IR9uhL.js | 3101115 bytes | 10 |
| medium | Large Javascript Payload | package/playground/vizard/assets/ts.worker-VACfgpbU.js | 4841300 bytes | 10 |
Manifest
Package metadata
Scripts7
buildrm -rf dist && npm run tsclinteslint src/* test/* --ext .ts,.jslint:fixeslint --fix src/* test/* --ext .ts,.jstestnpm run unittsctscunitjest --runInBand --forceExit --coverage dist/testwatchtsc -w
Dependencies31
@cubejs-backend/api-gateway1.6.50@cubejs-backend/base-driver1.6.50@cubejs-backend/cloud1.6.50@cubejs-backend/cubestore-driver1.6.50@cubejs-backend/dotenv^9.0.2@cubejs-backend/native1.6.50@cubejs-backend/query-orchestrator1.6.50@cubejs-backend/schema-compiler1.6.50@cubejs-backend/shared1.6.50@cubejs-backend/templates1.6.50codesandbox-import-utils^2.1.12cross-spawn^7.0.1fs-extra^8.1.0graphql^15.8.0http-proxy-agent^7.0.2https-proxy-agent^7.0.6is-docker^2.1.1joi^17.13.3jsonwebtoken^9.0.2lodash.clonedeep^4.5.0lru-cache^11.1.0moment^2.29.1node-fetch^2.6.0p-limit^3.1.0promise-timeout^1.3.0ramda^0.27.0semver^7.6.3serve-static^1.13.2sqlstring^2.3.1uuid^8.3.2- …and 1 more.