PkgRadar

Package evidence

@flowfuse/[email protected]

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 9,883 (Niche · −30% score)
Versions published: 2,277 (Mature · −50% score)
First published: Dec 2023
Publisher: flowfuse-user

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@flowfuse/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@flowfuse/[email protected]"],"fail_on":"review"}'

Publisher: flowfuse-user
Artifact bytes: 8,821,293
Previous version: 2.30.2-81347a4-202605211456.0
Published: 2026-05-28T14:40:48.446Z
SHA-256: 983f74ab15a47fa232fd510c7331af720aebe8ed409f2d61074ae8d558a765bb

Why flagged

What the scanner saw

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 35
Version: 2.30.2-822dce4-202605281438.0
Status history (1 event)
  1. new available · risk review · score 35 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/frontend/dist/app/async-vendors.0adf0fcd3eff75f45942.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| medium | Large Javascript Payload | package/frontend/dist/app/main.ef28b3d68c25c2d09ef0.js | 2448586 bytes | 10 |
| medium | Large Javascript Payload | package/frontend/dist/app/setup.a70424a5146df5e5351b.js | 2367696 bytes | 10 |
| medium | Large Javascript Payload | package/frontend/dist/app/vendors.ff001dc73335d13b60d8.js | 2403123 bytes | 10 |

Manifest

Package metadata

Scripts: 32
  • build → webpack --mode=production -c ./config/webpack.config.js
  • build-watch → webpack --mode=development -c ./config/webpack.config.js --watch
  • cover → npm-run-all --sequential cover:unit cover:system cover:report
  • cover:report → nyc report --reporter=html --reporter=json -t './coverage/reports'
  • cover:system → nyc --silent npm run test:system && nyc report --reporter=json --report-dir ./coverage/reports/system/ && mv ./coverage/reports/system/coverage-final.json ./coverage/reports/system-coverage.json
  • cover:unit → npm-run-all --sequential cover:unit:forge cover:unit:frontend
  • cover:unit:forge → nyc --silent npm run test:unit:forge && nyc report --reporter=json --report-dir ./coverage/reports/forge/ && mv ./coverage/reports/forge/coverage-final.json ./coverage/reports/forge-coverage.json
  • cover:unit:frontend → vitest --config ./config/vitest.config.ts run --coverage && mv ./coverage/reports/frontend/coverage-final.json ./coverage/reports/frontend-coverage.json
  • cy:open:ee → cypress open --config-file ./config/cypress-ee.config.js
  • cy:open:os → cypress open --config-file ./config/cypress-os.config.js
  • cy:run → npm-run-all --parallel cy:run:os cy:run:ee
  • cy:run:ee → cypress run --config-file ./config/cypress-ee.config.js
  • cy:run:os → cypress run --config-file ./config/cypress-os.config.js
  • cy:web-server → npm-run-all --parallel cy:web-server:os cy:web-server:ee
  • cy:web-server:ee → node ./test/e2e/frontend/test_environment_ee
  • cy:web-server:os → node ./test/e2e/frontend/test_environment_os
  • generate:types → node scripts/dump-openapi.js && openapi-typescript openapi.json -o frontend/src/types/generated.ts --root-types --root-types-no-schema-prefix
  • install-stack → node scripts/install-stack.js --
  • lint → eslint -c .eslintrc "forge/**/*.js" "frontend/**/*.js" "frontend/**/*.vue" "test/**/*.js" --ignore-pattern "frontend/dist/**"
  • lint:fix → eslint -c .eslintrc "forge/**/*.js" "frontend/**/*.js" "frontend/**/*.vue" "test/**/*.js" --ignore-pattern "frontend/dist/**" --fix
  • repl → node forge/app.js --repl
  • serve → npm-run-all --parallel build-watch start-watch
  • serve-repl → npm-run-all --parallel build-watch start-watch-repl
  • start → node forge/app.js
  • start-watch → cross-env NODE_ENV=development nodemon -w forge -w ee/forge -i forge/containers/localfs_root forge/app.js
  • start-watch-repl → cross-env NODE_ENV=development nodemon -w forge -w ee/forge -i forge/containers/localfs_root forge/app.js --repl
  • test → npm-run-all --sequential lint test:unit test:system
  • test:docs → node test/e2e/docs/valid-links.js ./docs
  • test:system → mocha 'test/system/**/*_spec.js' --timeout 10000 --node-option=unhandled-rejections=strict
  • test:unit → npm-run-all --sequential test:unit:forge test:unit:frontend
  • …and 2 more.
Dependencies: 72
  • @aws-sdk/client-sesv2 ^3.916.0
  • @aws-sdk/credential-provider-node ^3.352.0
  • @fastify/cookie ^11.0.2
  • @fastify/csrf-protection ^7.1.0
  • @fastify/formbody ^8.0.2
  • @fastify/helmet ^13.0.2
  • @fastify/multipart ^9.3.0
  • @fastify/passport ^3.0.2
  • @fastify/rate-limit ^10.3.0
  • @fastify/routes ^6.0.2
  • @fastify/static ^9.1.2
  • @fastify/swagger ^9.6.1
  • @fastify/swagger-ui ^5.2.5
  • @fastify/websocket ^11.2.0
  • @flowfuse/driver-localfs 2.30.2-457c7ef-202605280601.0
  • @flowfuse/flow-renderer ^0.5.1
  • @headlessui/vue 1.7.19
  • @heroicons/vue 1.0.6
  • @immobiliarelabs/fastify-sentry ^9.0.1
  • @levminer/speakeasy ^1.4.2
  • @node-red/util ^4.0.2
  • @node-saml/passport-saml ^5.0.0
  • @redis/client ^5.11.0
  • @sentry/node ^7.73.0
  • @sentry/profiling-node ^1.2.1
  • @sentry/vue ^7.91.0
  • @sentry/webpack-plugin ^2.7.1
  • @vuepic/vue-datepicker ^11.0.2
  • axios ^1.4.0
  • bcrypt ^6.0.0
  • …and 42 more.