Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 93
- Versions published: 3
- First published: Jun 2026
- Publisher: box-npm
Recommended action
Looks clean — keep monitoring
No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk low · score 0 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Obfuscation Density | package/dist/lib/third-party/text/2.65.0/remarkable.min.js | high encoded/escaped-token density | 0 |
Manifest
Package metadata
Scripts (33)
- `build`: `yarn setup && yarn clean && yarn build:i18n && yarn build:dev`
- `build:ci`: `yarn setup && yarn webpack --progress --config build/webpack.config.js`
- `build:dev`: `BABEL_ENV=dev NODE_ENV=dev yarn webpack --progress --config build/webpack.config.js`
- `build:i18n`: `mojito-rb-gen -s src/i18n -o src/i18n/json -b en-US.properties`
- `build:lib`: `yarn build:i18n && yarn build:lib:js && yarn build:lib:types`
- `build:lib:js`: `BABEL_ENV=production NODE_ENV=production yarn webpack --config build/webpack.config.lib.js`
- `build:lib:types`: `cp build/lib-types/index.d.ts dist/lib/index.d.ts`
- `build:prod`: `BABEL_ENV=production NODE_ENV=production node --max_old_space_size=4096 ./node_modules/webpack/bin/webpack.js --progress --config build/webpack.config.js`
- `clean`: `rm -rf dist && rm -rf reports/coverage && rm -rf src/i18n/json`
- `cy:open`: `yarn cy:wait; yarn cypress open`
- `cy:run`: `yarn cy:wait; yarn cypress run --spec test/integration/**/*.test.js`
- `cy:wait`: `wait-on http-get://127.0.0.1:8000`
- `lint`: `npm-run-all lint:*`
- `lint:css`: `NODE_ENV=dev yarn stylelint 'src/lib/**/*.scss' 'src/components/**/*.scss' 'src/hooks/**/*.scss'`
- `lint:js`: `NODE_ENV=dev yarn eslint src/lib src/components src/hooks`
- `lint:ts`: `tsc && eslint --ext=.tsx,.ts --max-warnings=0 .`
- `release`: `yarn setup && yarn clean && yarn build:i18n && yarn lint && yarn test && yarn build:prod`
- `release:major`: `./build/release.sh -m`
- `release:minor`: `./build/release.sh -n`
- `release:patch`: `./build/release.sh -p`
- `setup`: `yarn install`
- `start`: `yarn setup && yarn build:dev --watch`
- `start:dev`: `yarn build:i18n && LANGUAGE=en-US BABEL_ENV=dev NODE_ENV=dev yarn webpack-dev-server --config build/webpack.config.js`
- `start:dev:linked`: `yarn link box-annotations && IS_LINKED=1 yarn start:dev`
- `start:linked`: `yarn link box-annotations && IS_LINKED=1 yarn start`
- `test`: `./build/verify_custom_updates.sh yarn setup && NODE_ENV=test yarn jest`
- `test:ci`: `yarn test --ci --maxWorkers=4`
- `test:e2e`: `npm-run-all -p -r start:dev cy:run`
- `test:e2e:open`: `npm-run-all -p -r start:dev cy:open`
- `test:watch`: `yarn test --watch`
- …and 3 more.

Dependencies (2)
- axios ^0.24.0
- pdfjs-dist 6.0.227