Package evidence
[email protected]
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 90,207Mainstream · −50% score
- Versions published
- 183Mature · −50% score
- First published
- Mar 2014
- Publisher
- ksen0
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 15 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/lib/p5.esm.min.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Js Split Join Obfuscation | package/lib/p5.min.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/lib/p5.esm.min.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Js Split Join Obfuscation | package/lib/p5.min.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| low | Large Javascript Payload | package/lib/p5.esm.js | 4260657 bytes | 0 |
| low | Large Javascript Payload | package/lib/p5.js | 4517536 bytes | 0 |
Manifest
Package metadata
Scripts11
benchvitest benchbench:reportvitest bench --reporter=verbosebuildrollup -cdevvite preview/dev:globalconcurrently -n build,server "rollup -c -w" "npx vite preview/global/"docsdocumentation build ./src/**/*.js ./src/**/**/*.js --shallow -o ./docs/data.json && node ./utils/convert.mjsgenerate-typesnpm run docs && node utils/typescript.mjslinteslint .lint:fixeslint --fix .testvitesttest:typestsc test/types/*.ts --noEmit --lib es2022,dom
Dependencies13
@davepagurek/bezier-path^0.0.7@japont/unicode-range^1.0.0acorn^8.15.0acorn-walk^8.3.4colorjs.io^0.6.0escodegen^2.1.0gifenc^1.0.3i18next^19.0.2i18next-browser-languagedetector^4.0.1libtess^1.2.2omggif^1.0.10pako^2.1.0zod^4.2.1