Package evidence

@esri/[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 4,073Niche · −30% score
Versions published: 807Mature · −50% score
First published: Dec 2021
Publisher: john4818

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@esri/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@esri/[email protected]"],"fail_on":"review"}'

Publisherjohn4818

Artifact bytes17,655,181

Previous version5.1.0-next.135

Published2026-05-28T02:48:27.942Z

SHA-2562e0b7f97510f29d0015d6ea8ea570d1bdd5962bd92f78e0da5bb5e6532f67097

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

16d agoLast checked

reviewRisk

6Score

5.1.0-next.136Version

Status history (1 event)

new → available16d ago · risk review · score 6 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Obfuscation Density	package/dist/cdn/JSQHZGE3.js	high encoded/escaped-token density	12

Manifest

Package metadata

Scripts14

buildyarn copy:instant-app-component-assests && vite build
build:devyarn copy:instant-app-component-assests && NODE_ENV=development vite build --mode development --config vite.dev.config.js
clean./support/clean-dist.bat && ./support/clean-yarn-lock.bat && ./support/clean-yarn.bat
copy:common-component-assestsncp node_modules/@arcgis/common-components/dist/assets src/assets && ncp node_modules/@arcgis/common-components/dist/assets src/demos/assets
copy:instant-app-component-assestsncp node_modules/@arcgis/instant-apps-components/dist/cdn/assets src/assets && ncp node_modules/@arcgis/instant-apps-components/dist/cdn/assets src/demos/assets
lintlint-staged --config lint-staged.config.js
release:publishnpm publish --access public && node ./support/releaseToGitHub.mjs
release:publish:nextnpm publish --access public --tag next && node ./support/releaseToGitHub.mjs
startvite
testyarn test-pre && vitest run --browser.headless
test-debugvitest run --no-file-parallelism --no-isolate --inspect
test-preyarn playwright install --with-deps chromium
test-watchyarn test-pre && vitest
watchyarn build-dev --watch

Dependencies25

@arcgis/ai-components~5.1.0-next
@arcgis/ai-orchestrator~5.1.0-next
@arcgis/app-components^4.15.40
@arcgis/common-components~5.1.0-next
@arcgis/components-utils>=5.0.0-next.1 <5.1
@arcgis/lumina~5.1.0-next
@emotion/css^11.13.5
@esri/arcgis-html-sanitizer^4.1.0
@esri/arcgis-rest-portal^4.10.2
@esri/arcgis-rest-types^3.7.0
@esri/solution-common~6.6.1-next
@esri/solution-deployer~6.6.1-next
@esri/telemetry9.1.1
@esri/telemetry-amazon5.1.2
@esri/telemetry-google-analytics3.1.1
@langchain/core^1.1.47
@langchain/langgraph^1.3.2
@lit/context^1.1.5
exifr^7.1.3
fast-json-patch^3.1.1
gojs^3.1.0
jspdf^3.0.2
lit^3.3.0
tslib^2.8.1
zod^4.4.3