PkgRadar

Package evidence

@takeoff-ui/[email protected]

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
88Mature · −50% score
First published
Apr 2025
Publisher
harundemir

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@takeoff-ui/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@takeoff-ui/[email protected]"],"fail_on":"review"}'
Publisherharundemir
Artifact bytes35,723,452
Previous version0.11.4
Published2026-05-07T14:12:02.639Z
SHA-25637ebb2abae3d9d75339789050174e31155ceb0b917ff16461aac4d7af3a4d941

Why flagged

What the scanner saw

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
25Score
0.11.5Version
Status history (1 event)
  1. newavailable · risk review · score 25 · status changed

Evidence

Static findings

6 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highJs Split Join Obfuscationpackage/dist/core/p-3fdab647.entry.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
highJs Split Join Obfuscationpackage/components/p-DqEwPyAi.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
Show all 6 findings (low-signal and informational)
SeverityKindPathDetailPoints
highJs Split Join Obfuscationpackage/dist/core/p-3fdab647.entry.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
highJs Split Join Obfuscationpackage/components/p-DqEwPyAi.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
lowLarge Javascript Payloadpackage/dist/core/p-7CJlQei_.js4411434 bytes0
lowLarge Javascript Payloadpackage/dist/cjs/tk-table-DLnEsP-f.js4690900 bytes0
lowLarge Javascript Payloadpackage/dist/esm/tk-table-Vd_jjd9W.js4688904 bytes0
lowLarge Javascript Payloadpackage/components/tk-table.js5724909 bytes0

Manifest

Package metadata

Scripts6
  • buildstencil build
  • generatestencil generate
  • startstencil build --dev --watch --serve
  • teststencil test --spec --e2e --detectOpenHandles --silent
  • test.coveragestencil test --spec --coverage --detectOpenHandles --silent
  • test.watchstencil test --spec --watchAll --detectOpenHandles --silent
Dependencies25
  • @floating-ui/dom^1.7.0
  • @tiptap/core^2.11.0
  • @tiptap/extension-character-count^2.27.1
  • @tiptap/extension-font-family^2.1.12
  • @tiptap/extension-image^2.11.0
  • @tiptap/extension-link^2.11.0
  • @tiptap/extension-placeholder^2.11.9
  • @tiptap/extension-text-align^2.11.0
  • @tiptap/extension-text-style^2.1.12
  • @tiptap/extension-underline^2.11.0
  • @tiptap/starter-kit^2.11.0
  • @types/cleave.js^1.4.12
  • chart.js^4.4.9
  • classnames^2.5.1
  • cleave.js^1.6.0
  • d3-org-chart^3.1.1
  • date-fns^3.6.0
  • exceljs^4.4.0
  • filesize^10.1.6
  • json-server^1.0.0-beta.2
  • jspdf^4.2.1
  • jspdf-autotable^5.0.7
  • lodash-es^4.18.1
  • mime^4.0.6
  • uuid^14.0.0