PkgRadar

Package evidence

@quantumblack/[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
226
Versions published
95Mature · −50% score
First published
Jul 2019
Publisher
rashidamk

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@quantumblack/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@quantumblack/[email protected]"],"fail_on":"review"}'
Publisherrashidamk
Artifact bytes3,823,882
Previous version12.2.0
Published2026-01-29T19:35:10.262Z
SHA-256e0c08cba2dc3892993ce1517ac6a59c40e1e4a388a3e255d90e2d0f8696b6185

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
28Score
12.3.0Version
Status history (1 event)
  1. newavailable · risk review · score 28 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/lib/chunks/chunk-B4BG7PRW.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/lib/chunks/flowDiagram-NV44I4VS.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/lib/chunks/chunk-B4BG7PRW.mjshigh encoded/escaped-token density12
mediumLarge Javascript Payloadpackage/lib/chunks/index.js2138250 bytes10
mediumLarge Javascript Payloadpackage/lib/chunks/index.mjs2790545 bytes10

Manifest

Package metadata

Scripts30
  • buildvite build && cp ./dist/index.html ./dist/404.html
  • build:esmrm -rf esm && vite build --config vite.esm.config.js
  • cy:ci./cypress/support/cy.start.sh ci
  • cy:devcypress open
  • cy:test./cypress/support/cy.start.sh local
  • devvite
  • formatprettier --write "src/**/*.{js,jsx,ts,tsx,json,css,scss,md}"
  • libnpm-run-all -s lib:clean lib:copy lib:vite lib:prune
  • lib-testnpm-run-all -s lib lib-test:setup lib-test:serve
  • lib-test:servenode ./tools/test-lib/serve.js
  • lib-test:setupnode ./tools/test-lib/setup.js
  • lib:cleanrm -rf lib
  • lib:copycp -rf src lib
  • lib:prunefind lib -type f -name '*.test.*' -delete && find lib -type f -name '*.scss' -delete && find lib -type f -name '*.jsx' -delete && rm -f lib/utils/worker.js lib/utils/worker.blob.js lib/utils/graph-worker.js
  • lib:vitevite build --config vite.lib.config.js
  • lintnpm-run-all -p lint:js lint:scss
  • lint:jseslint src/ --fix
  • lint:scssstylelint 'src/**/*.scss' --fix
  • prepublishOnlynpm-run-all -s test:ci lint build lib
  • previewvite preview
  • snyk-protectsnyk protect
  • snyk-testsnyk test -prune-repeated-subdependencies
  • startREACT_APP_DATA_SOURCE=$DATA NODE_OPTIONS="--dns-result-order=ipv4first" npm-run-all -p dev start:lib
  • start:devrm -rf node_modules/.cache && npm run start
  • start:librm -rf lib && babel src --out-dir lib --copy-files --watch
  • testjest src --env=jsdom
  • test:cinpm test -- --watchAll=false --maxWorkers=2
  • test:coveragenpm test -- --coverage --watchAll=false
  • test:debugnode --inspect-brk node_modules/.bin/jest --runInBand --no-cache
  • test:watchjest --watch src --env=jsdom
Dependencies39
  • @emotion/react^11.10.6
  • @emotion/styled^11.10.6
  • @mui/icons-material^5.11.9
  • @mui/material^5.11.10
  • @mui/system^5.14.18
  • @mui/x-tree-view^6.17.0
  • @reduxjs/toolkit^2.8.2
  • batching-toposort^1.2.0
  • classnames^2.3.1
  • d3^7.6.1
  • d3-fetch^2.0.0
  • d3-interpolate^2.0.1
  • d3-interpolate-path^2.2.3
  • d3-selection^2.0.0
  • d3-shape^2.1.0
  • d3-transition^2.0.0
  • d3-zoom^2.0.0
  • dayjs^1.10.7
  • deepmerge^4.2.2
  • highlight.js^10.7.3
  • isomorphic-dompurify^2.28.0
  • kiwi.js^1.1.3
  • lodash^4.17.21
  • mermaid^11.12.2
  • plotly.js-dist-min^2.26.0
  • react-custom-scrollbars-2^4.5.0
  • react-json-view^1.21.3
  • react-plotly.js^2.5.1
  • react-redux^8.1.3
  • react-router-dom^5.3.0
  • …and 9 more.