Package evidence
@tidepool/[email protected]
Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 1,805Niche · −30% score
- Versions published
- 811Mature · −50% score
- First published
- Jul 2016
- Publisher
- tidepool-robot
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@tidepool/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@tidepool/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 13 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Decode Then Exec | package/dist/print.js | base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. | 45 |
Manifest
Package metadata
Scripts15
apidocsyarn jsdoc2mdbrowser-testsNODE_ENV=test yarn karma start --browsers ChromebuildNODE_ENV=production npm run clean && NODE_ENV=production yarn webpack --config package.config.jsbuild-devnpm run clean && NODE_ENV=development yarn webpack --config package.config.js --progressbuild-docs./update-gh-pages.shbuild-storybooksyarn build-storybook -c storybook -o web/stories && yarn build-storybook -c storybookDatatypes -o web/diabetes-data-storiescleanNODE_ENV=production yarn rimraf ./dist/*lintNODE_ENV=test yarn eslint src/ stories/ storiesDatatypes/ test/ *.jsprepublishOnlyNODE_ENV=production yarn rimraf ./node_modules && yarn install --immutable && npm test && NODE_ENV=production npm run buildpretestNODE_ENV=test npm run lintstartNODE_ENV=development yarn webpack --config package.config.js --watch --progressstoriesNODE_OPTIONS="--max_old_space_size=4096" NODE_ENV=development yarn sb dev -c storybook -p 8083 --citestTZ=UTC NODE_ENV=test yarn jest --verbosetest-watchTZ=UTC NODE_ENV=test yarn jest --watchtypestoriesNODE_ENV=development yarn sb dev -c storybookDatatypes -p 8082 --ci
Dependencies51
bluebird3.7.2bows1.7.2browserify-zlib0.2.0buffer6.0.3classnames2.3.2crossfilter21.5.4d3-array3.2.4d3-format3.1.0d3-scale4.0.2d3-shape3.2.0d3-time3.1.0d3-time-format4.1.0emotion11.0.0events3.3.0fastest-validator0.6.10gsap3.12.2i18next23.6.0intl1.2.5intl-pluralrules2.0.1lodash4.17.21memorystream0.3.1moment2.29.4moment-timezone0.5.43parse-svg-path0.1.2pdfkit0.15.0process0.11.10prop-types15.8.1react16.14.0react-clipboard.js2.0.16react-collapse5.1.1- …and 21 more.