Package evidence

@nasa-terra/[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 349
Versions published: 176Mature · −50% score
First published: Aug 2024
Publisher: joncarlson

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@nasa-terra/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@nasa-terra/[email protected]"],"fail_on":"review"}'

Publisherjoncarlson

Artifact bytes8,494,449

Previous version0.0.192

Published2026-05-27T18:29:46.898Z

SHA-25631927f4076a5d59a1bf01d84dd7bc2482b87b3e9f92e51c95c7d9ab928cd1850

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

16d agoLast checked

reviewRisk

15Score

0.0.193Version

Status history (1 event)

new → available16d ago · risk review · score 15 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Obfuscation Density	package/cdn/chunks/chunk.LWXRUSS3.js	high encoded/escaped-token density	12
medium	Large Javascript Payload	package/cdn/chunks/chunk.NPCTDW7V.js	7435859 bytes	10
medium	Remote Dependency Spec	package.json	devDependencies.heroicons="github:tailwindlabs/heroicons"	8

Manifest

Package metadata

Scripts24

buildnode scripts/build.js
build:pythonhatch build
createplop component --plopfile scripts/plop/plopfile.js
create-widgetplop create-widget --plopfile scripts/plop/plopfile.js
list-outdated-dependenciesnpm-check-updates --format repo --peer
postpublishnpm run publish:python
postversionnode scripts/bump-python-version.js
prebuildnpm run token-docs
preparenpx playwright install
prepublishOnlynpm run verify && npm run build:python
prettierprettier --write --log-level=warn .
prettier:checkprettier --check --log-level=warn .
publish:pythonhatch publish
servenode scripts/build.js --serve
spellcheckcspell "**/*.{js,ts,json,html,css,md}" --no-progress
startnpm run serve
start:python./.venv/bin/jupyter lab
testweb-test-runner --group default
test:componentweb-test-runner -- --group
test:watchweb-test-runner --watch --group default
token-docsnode scripts/generate-token-docs.js
update-dependenciesnpm-check-updates --peer -u && npm install
update-widgetplop update-widget --plopfile scripts/plop/plopfile.js
verifynpm run prettier && npm run build && echo 'should run tests here'

Dependencies16

@floating-ui/dom^1.7.4
@lit/react^1.0.8
@lit/task^1.0.0
@tanstack/query-core^5.96.0
@tanstack/query-persist-client-core^5.96.0
@turf/turf^7.3.5
ag-grid-community^34.2.0
colormap^2.3.2
composed-offset-position^0.0.6
date-fns^3.6.0
fuse.js^7.0.0
idb^8.0.0
lit^3.0.0
nouislider^15.8.1
ol^10.8.0
plotly.js-dist-min^2.30.1