Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 409
- Versions published
- 4
- First published
- May 2026
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 15 · status changed
Evidence
Static findings
39 static · 0 from release diff · showing high-signal first.
Showing 30 of 39 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/locale/ar-dz.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/ar-ly.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/ar.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/be.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/bn-bd.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/bn.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/bo.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/el.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/gom-deva.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/gu.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/hi.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/hy-am.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/ka.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/kn.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/ku.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/ml.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/mn.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/mr.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/ne.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/pa-in.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/ru.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/sr-cyrl.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/ta.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/tg.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/ug-cn.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/uk.cjs | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/ar-ly.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/ar.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/be.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/locale/bo.js | high encoded/escaped-token density | 12 |
Manifest
Package metadata
Scripts49
audit:staticbun run knip && bun run fallowbenchbun test/bench.tsbench:guardbun test/bench-regression.ts && bun test/bench-parse-eval.ts && bun test/bench-lookup.tsbench:membun test/bench-mem.tsbuildrm -rf dist/entry && mkdir -p packages/timezone/node_modules && ln -sfn ../../.. packages/timezone/node_modules/mmntjs && for dir in test/kibana-compat test/grafana-compat; do mkdir -p "$dir/node_modules" && ln -sfn ../../../dist/index.js "$dir/node_modules/moment" && ln -sfn ../../../dist/index.js "$dir/node_modules/mmntjs" && ln -sfn ../../../packages/timezone/dist/index.js "$dir/node_modules/moment-timezone"; done && bun scripts/generate-timezone-data.ts && tsup && bun scripts/copy-dts.ts && bun scripts/generate-locale-auto.ts && rm -rf dist/locale/test-locales* && rm -f dist/locale/*.map && rm -rf dist/entry && bun -e "require('fs').readdirSync('dist',{recursive:true}).filter(f=>f.endsWith('.map')).forEach(f=>{const p='dist/'+f;const m=JSON.parse(require('fs').readFileSync(p,'utf8'));delete m.sourcesContent;require('fs').writeFileSync(p,JSON.stringify(m))})" && (cd packages/timezone && bun run build || true)cibun run lint && TZ=UTC bun run test:hard && bun run test:tz && bun run build && bun run knip && bun run fallowcoverage:checkbun scripts/check-coverage.tscoverage:heatmapbun run test:coverage && bun run fuzz:heatmapdocs:buildastro build --root sitedocs:checkbun run scripts/check-site-doc-drift.tsdocs:devastro dev --root sitedocs:previewastro preview --root sitefallowfallowfmtoxfmt src testfuzzbun run build && jazzer test/fuzz/parse.fuzz.js --sync -i dist/ -- -max_total_time=60 -minimize_crash=1fuzz:corpus:initbun run scripts/fuzz-corpus-init.tsfuzz:corpus:minimizebun run scripts/fuzz-corpus-minimize.tsfuzz:corpus:replaybun run scripts/fuzz-corpus-replay.tsfuzz:ddminbun test/fuzz/delta-debug.mjsfuzz:diffjazzer test/fuzz/diff-datefns.fuzz.js --sync -i dist/ -- -runs=500 -max_len=16 && jazzer test/fuzz/diff-luxon.fuzz.js --sync -i dist/ -- -runs=500 -max_len=16 && jazzer test/fuzz/diff-dayjs.fuzz.js --sync -i dist/ -- -runs=500 -max_len=16fuzz:grammarbun run build && jazzer test/fuzz/grammar.fuzz.js --sync -i dist/ -- -runs=10000 -max_len=48fuzz:grammar:quickbun run build && jazzer test/fuzz/grammar.fuzz.js --sync -i dist/ -- -runs=500 -max_len=48fuzz:heatmapbun run scripts/fuzz-coverage-heatmap.tsfuzz:nightlybash scripts/fuzz-nightly.shfuzz:nightly:longbash scripts/fuzz-nightly.sh 600fuzz:quickbun run build && jazzer test/fuzz/parse.fuzz.js --sync -i dist/ -- -runs=500 -max_len=64 && jazzer test/fuzz/format.fuzz.js --sync -i dist/ -- -runs=500 -max_len=64 && jazzer test/fuzz/duration.fuzz.js --sync -i dist/ -- -runs=500 -max_len=32 && jazzer test/fuzz/operations.fuzz.js --sync -i dist/ -- -runs=500 -max_len=32 && jazzer test/fuzz/array-input.fuzz.js --sync -i dist/ -- -runs=500 -max_len=32 && jazzer test/fuzz/utc.fuzz.js --sync -i dist/ -- -runs=500 -max_len=64 && jazzer test/fuzz/object-input.fuzz.js --sync -i dist/ -- -runs=500 -max_len=32 && jazzer test/fuzz/reltime.fuzz.js --sync -i dist/ -- -runs=500 && jazzer test/fuzz/diff-datefns.fuzz.js --sync -i dist/ -- -runs=500 -max_len=16 && jazzer test/fuzz/diff-luxon.fuzz.js --sync -i dist/ -- -runs=500 -max_len=16 && jazzer test/fuzz/diff-dayjs.fuzz.js --sync -i dist/ -- -runs=500 -max_len=16fuzz:regression:addbun run scripts/fuzz-regression-add.tsfuzz:regression:generatebun run scripts/fuzz-regression-generate-tests.tsfuzz:regression:importbun run scripts/fuzz-regression-import-crashes.tsfuzz:regression:replaybun run scripts/fuzz-regression-replay.ts- …and 19 more.