Package evidence

[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 6,648Niche · −30% score
Versions published: 354Mature · −50% score
First published: May 2017
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes836,995

Previous version5.135.0

Published2026-05-28T05:39:30.114Z

SHA-256e609d4fab13aa794303993aefc94042279fd82d95c319dbb81c52f9e39d9bce5

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

20d agoLast checked

reviewRisk

9Score

5.136.0Version

Status history (1 event)

new → available20d ago · risk review · score 9 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Obfuscation Density	package/dist/cli/fsl-render.cjs	high encoded/escaped-token density	12
medium	Large Javascript Payload	package/dist/cdn/instance.js	4224516 bytes	10
medium	Large Javascript Payload	package/dist/cdn/viz.js	4242991 bytes	10

Manifest

Package metadata

Scripts56

audittext_audit -r -t major MAJOR wasteful WASTEFUL any mixed fixme FIXME checkme CHECKME testme TESTME stochable STOCHABLE todo TODO comeback COMEBACK whargarbl WHARGARBL -g ./src/ts/**/*.{js,ts}
bennynode ./src/buildjs/benchmark.cjs
benny:allnpm run benny && npm run benny:scaling
benny:scalingnode ./src/buildjs/benchmark_scaling.cjs
buildnpm run vet && npm run test && npm run site && npm run make_cookbook && npm run site_fsl_tools && npm run changelog && npm run docs && npm run cloc && npm run readme
build:cemcustom-elements-manifest analyze --config custom-elements-manifest.config.mjs
build:shootoutnode src/buildjs/build_shootout.mjs
changelogrm -f CHANGELOG.md && rm -f ./src/doc_md/CHANGELOG.md && better_git_changelog -b && cp CHANGELOG.* ./src/doc_md/
ci_buildnpm run vet && npm run test
ci_profilenode ./src/buildjs/ci_profile.cjs
cleanrm -rf dist && rm -rf docs && cd coverage && rm -rf cloc && cd .. && rm -f src/ts/fsl_parser.ts && rm -f src/ts/version.ts && rm -f src/ts/tests/generated/*.docex.ts && rm -f *.d.ts && mkdir dist && cd dist && mkdir wc && mkdir cdn && cd .. && mkdir docs && cd coverage && mkdir cloc && cd .. && rm -f ./src/tools/jssm.es5.iife.nonmin.js
clean_benchnpm run test && npm run benny
cloccloc --quiet ./src/** --exclude-list-file=./.clocignore --3 --json --out=./coverage/cloc/report_wt.json && cloc --quiet ./src/** --exclude-list-file=./.clocignore --exclude-dir=tests --3 --json --out=./coverage/cloc/report_nt.json && node ./src/buildjs/cloc_report.cjs
docstypedoc src/ts/jssm.ts src/ts/jssm_viz.ts src/ts/jssm_types.ts src/ts/jssm_constants.ts src/ts/jssm_error.ts src/ts/jssm_util.ts src/ts/version.ts --options typedoc-options.cjs
eslinteslint --color src/ts/jssm.ts src/ts/jssm_types.ts src/ts/tests/*.ts
makenpm run clean && npm run makever && npm run peg && npm run build:cem && npm run typescript && npm run make_doctests && npm run make_core && npm run make_deno && npm run make_viz && npm run make_wc_viz_es6 && npm run make_wc_viz_cdn && npm run make_wc_instance_es6 && npm run make_wc_instance_cdn && npm run typecheck_cli && npm run make_cli && npm run minify && npm run min_iife && npm run min_es6 && npm run min_cjs && npm run min_deno && npm run min_viz_iife && npm run min_viz_es6 && npm run min_viz_cjs && npm run min_cli && rm ./dist/es6/*.nonmin.js
make_clirollup -c rollup.config.cli.js
make_cookbooknode src/fsl.tools/site/scripts/build.cjs
make_corerollup -c rollup.config.core.js
make_denorollup -c rollup.config.deno.js && cp dist/es6/*.d.ts dist/deno
make_doctestsnode src/buildjs/extract_examples.cjs
make_vizrollup -c rollup.config.viz.js
make_wc_instance_cdnrollup -c rollup.config.wc.instance.cdn.js
make_wc_instance_es6rollup -c rollup.config.wc.instance.es6.js
make_wc_viz_cdnrollup -c rollup.config.wc.viz.cdn.js
make_wc_viz_es6rollup -c rollup.config.wc.viz.es6.js
makevernode src/buildjs/makever.cjs
min_cjsmv dist/jssm.es5.cjs.js dist/jssm.es5.nonmin.cjs && terser dist/jssm.es5.nonmin.cjs > dist/jssm.es5.cjs
min_cliterser dist/cli/fsl.cjs -o dist/cli/fsl.cjs --comments=/^#!/ && terser dist/cli/fsl-render.cjs -o dist/cli/fsl-render.cjs --comments=/^#!/ && terser dist/cli/lib.cjs -o dist/cli/lib.cjs && terser dist/cli/lib.mjs -o dist/cli/lib.mjs
min_denoterser dist/deno/jssm.deno-esm.nonmin.js > dist/deno/jssm.js
…and 26 more.

Dependencies2

circular_buffer_js^1.10.0
reduce-to-639-1^1.1.0

Optional dependencies2

@resvg/resvg-wasm^2.6.0
@viz-js/viz^3.26.0