Package evidence

@freesewing/[email protected]

Remote Payload: matched "cUrl "

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 35Mature · −50% score
First published: Mar 2025
Publisher: joostdecock

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@freesewing/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@freesewing/[email protected]"],"fail_on":"review"}'

Publisherjoostdecock

Artifact bytes438,998

Previous version4.7.2

Published2026-04-19T16:47:15.328Z

SHA-256f8eb7199496172f2538e924ab20d654d8ac9c7199d529fa0e53b5ffc66f28f96

Why flagged

What the scanner saw

Remote Payload: matched "cUrl "

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

23d agoLast checked

reviewRisk

10Score

4.8.0Version

Status history (1 event)

new → available23d ago · risk review · score 10 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/components/Account/Avatar.mjs	matched "cUrl "	12

Show all 4 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/components/Account/Avatar.mjs	matched "cUrl "	12
low	Obfuscation	package/components/Account/Import.mjs	matched "atob("	3
low	Obfuscation	package/components/Editor/components/menus/LayoutMenu.mjs	matched "\\u00A0"	3
low	Obfuscation	package/components/Editor/lib/export/plugin-tiler.mjs	matched "fromCharCode"	3

Manifest

Package metadata

Scripts2

linteslint 'components/**/*.mjs' 'hooks/**/*.mjs' 'lib/**/*.mjs' 'context/**/*.mjs' 'config/**/*.mjs'
prettiernpx prettier --write 'components/**/*.mjs' 'hooks/**/*.mjs' 'lib/**/*.mjs' 'context/**/*.mjs' 'config/**/*.mjs'

Dependencies23

@codemirror/lang-yaml^6.1.2
@uiw/codemirror-themes-all^4.23.12
@uiw/react-codemirror^4.23.8
d3-drag3.0.0
d3-selection3.0.0
diff^7.0.0
echarts^5.6.0
echarts-for-react^3.0.2
file-saver^2.0.5
highlight.js^11.11.1
html-react-parser^5.2.2
jotai^2.12.1
jotai-location^0.5.5
luxon^3.5.0
mustache^4.2.0
pdfkit^0.16.0
react-diff-viewer-continued^4.0.5
react-dropzone^14.3.5
react-zoom-pan-pinch^3.7.0
svg-to-pdfkit^0.1.8
use-local-storage-state^19.5.0
web-worker^1.5.0
yaml^2.7.0