Package evidence
@wimi/[email protected]
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 53Established · −30% score
- First published
- Dec 2025
- Publisher
- tujianglin2
Effective trust discount applied: −30% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@wimi/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@wimi/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 28 · status changed
Evidence
Static findings
6 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/dist/index-CKPshlZ8.mjs | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
Show all 6 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/dist/index-CKPshlZ8.mjs | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| low | Large Javascript Payload | package/dist/monaco-editor/min/vs/editor/editor.main.js | 4476075 bytes | 0 |
| low | Obfuscation Density | package/dist/monaco-editor/min/vs/basic-languages/freemarker2/freemarker2.js | high encoded/escaped-token density | 0 |
| low | Large Javascript Payload | package/dist/index.umd.js | 4047690 bytes | 0 |
| low | Large Javascript Payload | package/dist/monaco-editor/min/vs/language/typescript/tsWorker.js | 6697004 bytes | 0 |
| low | Large Javascript Payload | package/dist/index-D8PEnyCh.mjs | 3874886 bytes | 0 |
Manifest
Package metadata
Scripts12
buildvite build && vue-tsc --project ./tsconfig.build.jsonbuild:watchvite build --watchdevdumi devdev:cssnpx @tailwindcss/cli -i ./tailwind.css -o ./src/styles/index.css --watchdocs:builddumi builddocs:previewdumi previewlintnpm run lint:es && npm run lint:csslint:cssstylelint "{src,test}/**/*.{css,less}"lint:eseslint "{src,test}/**/*.{js,jsx,ts,tsx,vue}"preparehuskystartnpm run devtypecheckvue-tsc --noEmit
Dependencies37
@ant-design/icons-vue^7.0.1@ctrl/tinycolor^4.1.0@iconify/vue^4.3.0@interactjs/types^1.10.27@juggle/resize-observer^3.4.0@monaco-editor/loader^1.5.0@tailwindcss/vite^4.1.18@vee-validate/zod4.15.0@vue-styled-components/core^1.10.0@vue/shared^3.5.13@vueuse/core^13.0.0@wangeditor/editor^5.1.23@wangeditor/editor-for-vue^5.1.12class-variance-authority^0.7.1colorjs.io^0.5.2dayjs^1.11.13defu^6.1.4echarts^6.0.0interactjs^1.10.27lodash-es^4.17.21lucide-vue-next^0.487.0monaco-editor^0.52.2naive-ui^2.41.0reka-ui^2.1.1seemly^0.3.10sortablejs^1.15.6tailwindcss^4.1.0theme-colors^0.1.0treemate^0.3.11tw-animate-css^1.2.5- …and 7 more.