PkgRadar

Package evidence

@jayree/[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
2,000Niche · −30% score
Versions published
607Mature · −50% score
First published
Oct 2021
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@jayree/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@jayree/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes521,731
Previous version5.0.107
Published2026-05-28T03:21:46.308Z
SHA-2563f6afda24a0e5ebb2782d6cc9944aed8dc0d43a7c07eb5609f8ce95a72c1f072

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
3Score
5.0.108Version
Status history (1 event)
  1. newavailable · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/npm-shrinkwrap.jsonhigh encoded/escaped-token density12

Manifest

Package metadata

Scripts20
  • buildwireit
  • build-changelog-updateesbuild scripts/update-changelog/update-changelog.mjs --bundle --platform=node --format=cjs --outfile=scripts/update-changelog/dist/update-changelog.cjs
  • ci-docssf-ci-docs
  • cleansf-clean
  • clean-allsf-clean all
  • compare-hashesnode scripts/compare-filehash/compare.mjs
  • compilewireit
  • docssf-docs
  • fix-licenseeslint src test --fix --rule "header/header: [2]"
  • formatwireit
  • generate-hashesnode scripts/compare-filehash/generate.mjs
  • lintwireit
  • postpacksf-clean --ignore-signing-artifacts
  • prepacksf-prepack
  • preparepatch-package && sf-install && yarn compare-hashes
  • testwireit
  • test:nutsc8 mocha "**/*.nut.ts" --slow 4500 --timeout 600000 --parallel
  • test:nuts:localmocha "**/local/*.nut.ts" --slow 4500 --timeout 600000 --parallel
  • test:onlywireit
  • versionoclif readme --no-aliases
Dependencies13
  • @jayree/changelog^1.2.33
  • @oclif/core^4.11.4
  • @salesforce/core^8.31.0
  • @salesforce/kit^3.2.6
  • @salesforce/sf-plugins-core^12.2.21
  • @salesforce/source-deploy-retrieve12.35.10
  • @salesforce/source-tracking7.8.16
  • @salesforce/ts-types^2.0.12
  • fast-deep-equal^3.1.3
  • fast-xml-parser^5.8.0
  • fs-extra^11.3.4
  • graceful-fs^4.2.11
  • isomorphic-git1.38.1