PkgRadar

Package evidence

@supabase/[email protected]

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 19,918,901 (Ubiquitous · −70% score)
Versions published: 738 (Mature · −50% score)
First published: Jan 2020
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@supabase/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@supabase/[email protected]"],"fail_on":"review"}'

Artifact bytes: 167,262
Previous version: 2.106.3-canary.0
Published: 2026-05-28T13:18:31.297Z
SHA-256: 97b22111a77ddb8c51a309d92a474973f51e008d100b48523d2a3268a25a273e

Why flagged

What the scanner saw

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available · review

Last checked
Risk: review
Score: 15
Version: 2.106.3-canary.1

Status history (1 event)
  1. new · available · risk review · score 15 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
| --- | --- | --- | --- | --- |
| high | Js Split Join Obfuscation | package/dist/cors.cjs | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Js Split Join Obfuscation | package/dist/cors.mjs | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Js Split Join Obfuscation | package/src/cors.ts | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |

Manifest

Package metadata

Scripts (30)
  • build: tsdown
  • build:watch: tsdown --watch
  • docs: typedoc --entryPoints src/index.ts --entryPoints src/cors.ts --out docs/v2
  • docs:json: typedoc --entryPoints src/index.ts --entryPoints src/cors.ts --json docs/v2/spec.json --excludeExternals
  • serve:coverage: pnpm nx test:coverage supabase-js && pnpm dlx serve test/coverage
  • test: npm run test:types && npm run test:run
  • test:all: npm run test:types && npm run test:run && npm run test:integration && npm run test:integration:browser
  • test:bun: cd test/integration/bun && bun install && bun test
  • test:cjs: node test/module-resolution.test.cjs && node test/module-resolution-cors.test.cjs
  • test:coverage: jest --runInBand --coverage --testPathIgnorePatterns="test/integration|test/deno|\.[mc]js$"
  • test:deno: cd test/deno && npm run test
  • test:edge-functions: cd test/deno && npm run test:edge-functions
  • test:esm: node test/module-resolution.test.mjs && node test/module-resolution-cors.test.mjs
  • test:expo: cd test/integration/expo && npm test
  • test:exports: attw --pack . --ignore-rules no-resolution
  • test:hermes-compat: node test/bundle-hermes-compat.test.cjs
  • test:integration: jest --runInBand --detectOpenHandles test/integration.test.ts
  • test:integration:browser: deno test --allow-all --node-modules-dir=auto test/integration.browser.test.ts
  • test:module-resolution: npm run test:exports && npm run test:esm && npm run test:cjs && npm run test:hermes-compat
  • test:next: cd test/integration/next && npm test
  • test:node:playwright: cd test/integration/node-browser && npm install && cp ../../../dist/umd/supabase.js . && npm run test
  • test:run: jest --runInBand --detectOpenHandles
  • test:types: tsd --files test/types/index.test-d.ts && tsd --typings dist/cors.d.cts --files test/types/cors.test-d.ts && jsr publish --dry-run --allow-dirty
  • test:unit: jest --runInBand --detectOpenHandles test/unit
  • test:watch: jest --watch --verbose false --silent false
  • update:test-deps: pnpm run update:test-deps:expo && pnpm run update:test-deps:next && pnpm run update:test-deps:deno && pnpm run update:test-deps:bun
  • update:test-deps:bun: cd test/integration/bun && bun install
  • update:test-deps:deno: cd test/deno && pnpm install --ignore-workspace
  • update:test-deps:expo: cd test/integration/expo && pnpm install --ignore-workspace
  • update:test-deps:next: cd test/integration/next && pnpm install --ignore-workspace
Dependencies (5)
  • @supabase/auth-js: 2.106.3-canary.1
  • @supabase/functions-js: 2.106.3-canary.1
  • @supabase/postgrest-js: 2.106.3-canary.1
  • @supabase/realtime-js: 2.106.3-canary.1
  • @supabase/storage-js: 2.106.3-canary.1