PkgRadar

Package evidence

@uncinc/[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
8
First published
May 2024
Publisher
uncinc_admin

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@uncinc/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@uncinc/[email protected]"],"fail_on":"review"}'
Publisheruncinc_admin
Artifact bytes162,170
Previous version1.2.0
Published2026-01-21T08:55:10.033Z
SHA-256d584dee06f542d0204bd7c7069b9bd811f20d8d4263c8cc9f6669d527432fb40

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
12Score
1.3.0Version
Status history (1 event)
  1. newavailable · risk review · score 12 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/build/static/js/uncinc-cookie.min.jshigh encoded/escaped-token density12

Manifest

Package metadata

Scripts7
  • buildyarn run build:default
  • build:defaultnode scripts/build.js
  • eslintNODE_ENV=development eslint './src/**/*.{js,jsx,ts,tsx}'
  • eslint-stagedNODE_ENV=development eslint $(git diff --staged --name-only --diff-filter=ACM -- '*.js' '*.jsx' '*.ts' '*.tsx')
  • eslint:fixNODE_ENV=development eslint --fix './src/**/*.{js,jsx,ts,tsx}'
  • preparehusky install && yarn run build
  • stylelintstylelint '**/*.scss' --allow-empty-input
Dependencies60
  • @babel/core^7.16.0
  • @babel/preset-env^7.0
  • @types/node^16.11.9
  • @uncinc/eslint-config^1.0.2
  • @uncinc/react-drupal-core^2.13.2
  • @uncinc/stylelint-config^1.0.2
  • @uncinc/uncinc-react-kitchen-sink^2.20.7
  • babel-core7.0.0-bridge.0
  • babel-jest^27.4.2
  • babel-loader^9.1.2
  • babel-plugin-named-asset-import^0.3.1
  • babel-preset-react-app^10.0.1
  • bfj^7.0.2
  • browserslist^4.18.1
  • bufferutil^4.0.7
  • camelcase^6.2.1
  • case-sensitive-paths-webpack-plugin^2.4.0
  • classnames^2.3.2
  • eslint^8.4.0
  • eslint-webpack-plugin^3.1.1
  • file-loader^6.2.0
  • fs-extra^10.0.0
  • html-webpack-plugin^5.5.0
  • http-proxy-middleware^1.0.5
  • identity-obj-proxy^3.0.0
  • ignore-loader^0.1.2
  • immutable^4.3.0
  • jest^27.4.3
  • jest-pnp-resolver1.0.2
  • jest-watch-typeahead^1.0.0
  • …and 30 more.