Package evidence

@sanity/[email protected]

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 717,897Ubiquitous · −70% score
Versions published: 3,877Mature · −50% score
First published: Sep 2016
Publisher: sanity-svc.npm

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@sanity/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@sanity/[email protected]"],"fail_on":"review"}'

Publishersanity-svc.npm

Artifact bytes1,014,281

Previous version0.0.0-20260527151743

Published2026-05-28T10:05:51.344Z

SHA-256f6ab7a6739325eacc475b925f35376466f79fe7343439e401e50e523e2d9d0ef

Why flagged

What the scanner saw

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

20d agoLast checked

reviewRisk

12Score

0.0.0-20260528100500Version

Status history (1 event)

new → available20d ago · risk review · score 12 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Js Split Join Obfuscation	package/dist/util/update/isInstalledUsingYarn.js	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.	40

Manifest

Package metadata

Scripts16

buildswc --delete-dir-on-start --strip-leading-paths --out-dir dist/ src --ignore '**/*.test.ts' --ignore '**/__tests__/**'
build:typespkg-utils build --emitDeclarationOnly
check:topic-aliasestsx scripts/check-topic-aliases.ts
check:typestsc --noEmit
linteslint .
manifest:generateoclif manifest
manifest:removerimraf oclif.manifest.json
postbuildpnpm run manifest:generate && pnpm run check:topic-aliases
posttestpnpm run lint
prewatchpnpm run manifest:remove
publintpublint
readmeoclif readme --tsconfig-path tsconfig.lib.json --no-source-links
testvitest run
test:coveragevitest run --coverage
test:watchvitest
watchswc --delete-dir-on-start --strip-leading-paths --out-dir dist/ --watch src

Dependencies67

@oclif/core^4.10.6
@oclif/plugin-help^6.2.45
@oclif/plugin-not-found^3.2.81
@sanity/cli-build^0.0.0-20260528100500
@sanity/cli-core^0.0.0-20260528100500
@sanity/client^7.22.0
@sanity/codegen^6.1.0
@sanity/descriptors^1.3.0
@sanity/export^6.1.0
@sanity/federation0.1.0-alpha.8
@sanity/generate-help-url^4.0.0
@sanity/id-utils^1.0.0
@sanity/import^6.0.1
@sanity/migrate^6.1.2
@sanity/runtime-cli^15.1.2
@sanity/schema^5.26.0
@sanity/telemetry^0.9.0
@sanity/template-validator^3.1.0
@sanity/types^5.26.0
@sanity/worker-channels^2.0.0
@vercel/frameworks3.21.1
@vitejs/plugin-react^5.2.0
chokidar^5.0.0
console-table-printer^2.15.0
date-fns^4.1.0
debug^4.4.3
dotenv^17.3.1
eventsource^4.1.0
execa^9.6.0
form-data^4.0.5
…and 37 more.