Package evidence

@tight-embedded/[email protected]

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 234
Versions published: 16Established · −30% score
First published: Oct 2025
Publisher: jnoowin

Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@tight-embedded/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@tight-embedded/[email protected]"],"fail_on":"review"}'

Publisherjnoowin

Artifact bytes2,234,162

Previous version6.4.0

Published2026-05-12T22:00:17.894Z

SHA-256bbf6e8edafc61ff87bac3c9483b3a253ea4ac90af75201b1603322236f6db887

Why flagged

What the scanner saw

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

18d agoLast checked

reviewRisk

28Score

6.5.0Version

Status history (1 event)

new → available18d ago · risk review · score 28 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Js Split Join Obfuscation	package/dist/index.js	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.	40

Manifest

Package metadata

Scripts17

analyze./scripts/analyze.sh
api-update./scripts/api-update.sh
build./scripts/build.sh
build:lab./scripts/buildLab.sh
build:playground../../apps/playground/scripts/buildPlayground.sh
build:playgroundComponents./scripts/buildPlaygroundComponents.sh
check-coverage./scripts/check-coverage.sh
coverage./scripts/coverage.sh
cypress:componentcypress run --component --config screenshotOnRunFailure=false
cytestcypress open
devpnpm run setup && pnpm install && panda codegen --clean && vite dev --port 5353
dev:playgroundComponentsvite dev -c vite.playgroundComponents.config.ts
lint./scripts/lint.sh
setupchmod -R +x ./scripts
testvitest run --reporter=default --reporter=html --outputFile=./vitest/output/index.html
typecheck./scripts/typecheck.sh -w false
vitest-coveragevitest run --coverage

Dependencies25

@figma/code-connect^1.3.12
@floating-ui/react^0.27.4
@microsoft/fetch-event-source^2.0.1
@tanstack/devtools-vite^0.3.12
@tanstack/query-sync-storage-persister^5.64.1
@tanstack/react-devtools^0.8.4
@tanstack/react-form^1.23.8
@tanstack/react-form-devtools^0.1.7
@tanstack/react-query^5.64.1
@tanstack/react-query-devtools^5.64.1
@tanstack/react-query-persist-client^5.64.1
@tanstack/react-table^8.21.3
big.js^7.0.1
fuse.js^7.1.0
idb^8.0.2
lodash-es^4.17.21
motion^12.35.0
react-confirm^0.4.0
react-dropzone^14.3.8
react-number-format^5.4.4
recharts^3.1.2
uuid^11.1.0
yocto-queue^1.1.1
zod^4.1.9
zustand^5.0.3