Package evidence

@tarojs/[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 25,797Mainstream · −50% score
Versions published: 1,169Mature · −50% score
First published: Apr 2018
Publisher: defaultlee

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@tarojs/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@tarojs/[email protected]"],"fail_on":"review"}'

Publisherdefaultlee

Artifact bytes898,625

Previous version4.2.1-beta.0

Published2026-05-26T06:25:04.157Z

SHA-256732817dbf70f3b706876eb8edcc0349957fa5f2afcb1bee97364fbb053624745

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

22d agoLast checked

reviewRisk

12Score

4.2.1-beta.1Version

Status history (1 event)

new → available22d ago · risk review · score 12 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Obfuscation Density	package/dist/collection/components/movable-area/movable-view.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/dist/collection/components/video/video.js	high encoded/escaped-token density	12

Manifest

Package metadata

Scripts20

buildcross-env NODE_ENV=production run-s build:components build:library
build:cicross-env NODE_ENV=production run-s build:components
build:componentsstencil build
build:librarypnpm --filter @tarojs/components-library-react --filter @tarojs/components-library-vue3 --filter @tarojs/components-library-solid run build
dev:componentscross-env NODE_ENV=development pnpm run build:components --watch
dev:library-reactcross-env NODE_ENV=development pnpm --filter @tarojs/components-library-react run dev
dev:library-solidcross-env NODE_ENV=development pnpm --filter @tarojs/components-library-solid run dev
dev:library-vue3cross-env NODE_ENV=development pnpm --filter @tarojs/components-library-vue3 run dev
generate:libmkdirp lib
generate:stencil-configesbuild ./scripts/stencil/stencil.config.ts --external:lightningcss --bundle --platform=node --outfile=stencil.config.js
prebuildrun-p generate:*
prebuild:cirun-p generate:*
pretest:cinode ./node_modules/puppeteer/install.js
prodpnpm run build:ci
sync:typespnpm run tsx --files scripts/json-schema-to-types.ts
testcross-env NODE_ENV=test stencil test --spec --e2e
test:cipnpm test -- --ci -i --coverage --silent --no-build
test:coveragepnpm test -- --ci --screenshot --coverage
test:watchpnpm test -- --screenshot --watch
tsxts-node --skipIgnore

Dependencies10

@stencil/core2.22.3
@tarojs/runtime4.2.1-beta.1
@tarojs/shared4.2.1-beta.1
@tarojs/taro4.2.1-beta.1
classnames^2.2.5
hammerjs^2.0.8
hls.js^1.1.5
resolve-pathname^3.0.0
swiper11.1.15
tslib^2.6.2