Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 3,561Niche · −30% score
- Versions published
- 831Mature · −50% score
- First published
- Dec 2021
- Publisher
- john4818
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Looks clean — keep monitoringNo high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@esri/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@esri/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk low · score 0 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Obfuscation Density | package/dist/cdn/3Z7EYDFO.js | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts14
buildyarn copy:instant-app-component-assests && vite buildbuild:devyarn copy:instant-app-component-assests && NODE_ENV=development vite build --mode development --config vite.dev.config.jsclean./support/clean-dist.bat && ./support/clean-yarn-lock.bat && ./support/clean-yarn.batcopy:common-component-assestsncp node_modules/@arcgis/common-components/dist/assets src/assets && ncp node_modules/@arcgis/common-components/dist/assets src/demos/assetscopy:instant-app-component-assestsncp node_modules/@arcgis/instant-apps-components/dist/cdn/assets src/assets && ncp node_modules/@arcgis/instant-apps-components/dist/cdn/assets src/demos/assetslintlint-staged --config lint-staged.config.jsrelease:publishnpm publish --access public && node ./support/releaseToGitHub.mjsrelease:publish:nextnpm publish --access public --tag next && node ./support/releaseToGitHub.mjsstartvitetestyarn test-pre && vitest run --browser.headlesstest-debugvitest run --no-file-parallelism --no-isolate --inspecttest-preyarn playwright install --with-deps chromiumtest-watchyarn test-pre && vitestwatchyarn build-dev --watch
Dependencies25
@arcgis/ai-components~5.1.0-next@arcgis/ai-orchestrator~5.1.0-next@arcgis/app-components^4.15.40@arcgis/common-components~5.1.0-next@arcgis/components-utils>=5.0.0-next.1 <5.1@arcgis/lumina~5.1.0-next@emotion/css^11.13.5@esri/arcgis-html-sanitizer^4.1.0@esri/arcgis-rest-portal^4.10.2@esri/arcgis-rest-types^3.7.0@esri/solution-common~6.6.1-next@esri/solution-deployer~6.6.1-next@esri/telemetry9.1.1@esri/telemetry-amazon5.1.2@esri/telemetry-google-analytics3.1.1@langchain/core^1.1.47@langchain/langgraph^1.3.2@lit/context^1.1.5exifr^7.1.3fast-json-patch^3.1.1gojs^3.1.0jspdf^3.0.2lit^3.3.0tslib^2.8.1zod^4.4.3