Package evidence
@eventcatalog/[email protected]
Obfuscation Density: high encoded/escaped-token density
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 451
- Versions published
- 14
- First published
- May 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@eventcatalog/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@eventcatalog/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 41 · status changed
Evidence
Static findings
38 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/ui/assets/chunk-4TB4RGXK-CoA4OFgU.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/ui/assets/flowDiagram-DWJPFMVM-BV0RGHv2.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/dist/ui/assets/index-C_djnMnc.js | 3551738 bytes | 10 |
Show all 38 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/ui/assets/chunk-4TB4RGXK-CoA4OFgU.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/ui/assets/flowDiagram-DWJPFMVM-BV0RGHv2.js | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/dist/ui/assets/index-C_djnMnc.js | 3551738 bytes | 10 |
| low | Credential file access | package/dist/ui/assets/ssh-config-_ykCGR6B.js | matched ".ssh" | 5 |
| low | Obfuscation | package/dist/ui/assets/ara-BRHolxvo.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/ui/assets/blade-BjGOyj-B.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/ui/assets/blockDiagram-DXYQGD6D-Cpi_MvvZ.js | matched "\\u000D" | 3 |
| low | Obfuscation | package/dist/ui/assets/c4Diagram-AHTNJAMY-NG37x4pY.js | matched "eVal(" | 3 |
| low | Obfuscation | package/dist/ui/assets/chunk-4TB4RGXK-CoA4OFgU.js | matched "\\u00AA" | 3 |
| low | Obfuscation | package/dist/ui/assets/coffee-Ch7k5sss.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/ui/assets/crystal-DNxU26gB.js | matched "\\x08" | 3 |
| low | Obfuscation | package/dist/ui/assets/css-CLj8gQPS.js | matched "\\uFEFF" | 3 |
| low | Obfuscation | package/dist/ui/assets/cytoscape.esm-BiciSPf8.js | matched "\\u200b" | 3 |
| low | Obfuscation | package/dist/ui/assets/erDiagram-SMLLAGMA-Dnn92IwY.js | matched "\\u00C0" | 3 |
| low | Obfuscation | package/dist/ui/assets/flowDiagram-DWJPFMVM-BV0RGHv2.js | matched "\\u00AA" | 3 |
| low | Obfuscation | package/dist/ui/assets/glimmer-js-ByusRIyA.js | matched "\\x08" | 3 |
| low | Obfuscation | package/dist/ui/assets/glimmer-ts-BfAWNZQY.js | matched "\\x08" | 3 |
| low | Obfuscation | package/dist/ui/assets/hack-i7_Ulhet.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/ui/assets/html-pp8916En.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/cli/index.js | matched "\\u00a0" | 3 |
| low | Obfuscation | package/dist/server/index.js | matched "\\u00a0" | 3 |
| low | Obfuscation | package/dist/ui/assets/journeyDiagram-VCZTEJTY-DLx7M7wN.js | matched "eVal(" | 3 |
| low | Obfuscation | package/dist/ui/assets/julia-CxzCAyBv.js | matched "\\x01" | 3 |
| low | Obfuscation | package/dist/ui/assets/katex-DkKDou_j.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/ui/assets/less-B1dDrJ26.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/ui/assets/php-R6g_5hLQ.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/ui/assets/puppet-BMWR74SV.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/ui/assets/ruby-Wjq7vjNf.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/ui/assets/sankeyDiagram-XADWPNL6-BXcwjZgZ.js | matched "\\u000D" | 3 |
| low | Obfuscation | package/dist/ui/assets/scss-D5BDwBP9.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/ui/assets/sequenceDiagram-FGHM5R23-DompGe_9.js | matched "eVal(" | 3 |
| low | Obfuscation | package/dist/ui/assets/stata-BH5u7GGu.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/ui/assets/stylus-BEDo0Tqx.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/ui/assets/twig-xg9kU7Mw.js | matched "\\x7F" | 3 |
| low | Obfuscation | package/dist/ui/assets/typst-DHCkPAjA.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/ui/assets/vue-D2xRrEX4.js | matched "\\x00" | 3 |
| low | Obfuscation | package/dist/ui/assets/wardley-RL74JXVD-CbJtEN1u.js | matched "\\u2028" | 3 |
| low | Obfuscation | package/dist/ui/assets/wasm-CG6Dc4jp.js | matched "atob(" | 3 |
Manifest
Package metadata
Scripts20
buildnpm-run-all build:ui build:serverbuild:servertsupbuild:uivite buildchangesetchangesetdevEVENTCATALOG_EDITOR_UI_DEV_SERVER=http://localhost:5173 npm-run-all -p dev:server:my-catalog dev:uidev:exampleEVENTCATALOG_EDITOR_UI_DEV_SERVER=http://localhost:5173 npm-run-all -p dev:server:example dev:uidev:servertsx watch src/cli/index.ts --no-opendev:server:exampletsx watch src/cli/index.ts --catalog /Users/dboyne/Dev/eventcatalog/eventcatalog/examples/default --no-opendev:server:my-catalogtsx watch src/cli/index.ts --catalog /Users/dboyne/Dev/eventcatalog/tmp/my-catalog --no-opendev:uiviteformatprettier --write .format:diffprettier --check .lintbiome lint .releasechangeset publishstartnode ./bin/eventcatalog-editor.js --catalog ./test-catalogtestvitest runtest:civitest runtest:e2eplaywright testtest:watchvitesttypechecktsc -p tsconfig.server.json --noEmit && tsc -p tsconfig.ui.json --noEmit
Dependencies35
@babel/parser^7.29.2@eventcatalog/sdk^2.21.0@eventcatalog/visualiser^3.20.0@floating-ui/dom^1.7.6@heroicons/react^2.2.0@hono/node-server^1.13.0@monaco-editor/react^4.7.0@radix-ui/react-dialog^1.1.15@radix-ui/react-switch^1.2.6@tanstack/react-table^8.21.3@tiptap/extension-collaboration^3.22.5@tiptap/extension-drag-handle^3.22.5@tiptap/extension-node-range^3.22.5@tiptap/pm^3.22.5@tiptap/suggestion^3.22.4@tiptap/y-tiptap^3.0.3@types/js-yaml^4.0.9@xyflow/react^12.10.2gray-matter^4.0.3hono^4.6.0js-yaml^4.1.1mermaid^11.14.0minisearch^7.1.0monaco-editor^0.55.1open^10.1.0posthog-js^1.372.9react-hotkeys-hook^5.3.2recast^0.23.11semver^7.7.3shiki^4.0.2- …and 5 more.