PkgRadar

Package evidence

[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
938
Versions published
529Mature · −50% score
First published
Oct 2015
Publisher
cedric.alfonsi

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishercedric.alfonsi
Artifact bytes13,852,399
Previous version5.12.1
Published2026-05-12T07:32:53.270Z
SHA-2568cae3b1665b9073c4a86cc194e21ab80572d937082f5784f59495d8ca2ef229b

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
24Score
5.13.0-alpha.0Version
Status history (1 event)
  1. newavailable · risk review · score 24 · status changed

Evidence

Static findings

11 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/build/js/dist/api-vendors.jshigh encoded/escaped-token density12
mediumRemote Payloadpackage/.devcontainer/post-start.shmatched "curl "12
mediumRemote Payloadpackage/ci-scripts/bin/slack-status-messages.shmatched "curl "12
mediumRemote Dependency Specpackage.jsondependencies.react-list="github:passbolt/react-list#v0.8.18"12
Show all 11 findings (low-signal and informational)
SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/build/js/dist/api-vendors.jshigh encoded/escaped-token density12
mediumRemote Payloadpackage/.devcontainer/post-start.shmatched "curl "12
mediumRemote Payloadpackage/ci-scripts/bin/slack-status-messages.shmatched "curl "12
mediumRemote Dependency Specpackage.jsondependencies.react-list="github:passbolt/react-list#v0.8.18"12
lowCredential file accesspackage/build/js/dist/api-app.jsmatched ".aws"5
lowCredential file accesspackage/src/shared/components/Table/CellUris.jsmatched ".SSH"5
lowCredential file accesspackage/src/react-extension/components/Resource/DisplayResourceUrisBadge/DisplayResourceUrisBadge.jsmatched ".SSH"5
lowCredential file accesspackage/src/react-extension/components/AuthenticationLogin/Login/Login.test.page.jsmatched ".azure"5
lowCredential file accesspackage/src/react-extension/components/Administration/ManageSmtpAdministrationSettings/SmtpProviders.data.jsmatched ".aws"5
lowCredential file accesspackage/src/react-extension/components/AuthenticationLogin/SsoLogin/SsoLogin.test.page.jsmatched ".azure"5
lowCredential file accesspackage/.github/workflows/storybook.ymlmatched "GITHUB_TOKEN"3

Manifest

Package metadata

Scripts20
  • buildnpm run build-api-app
  • build-api-appwebpack --config webpack-api.config.js
  • build:clean:allnpm run build:clean:css && rimraf ./build/css/*
  • build:clean:cssrimraf ./src/css/*
  • deploy-storybookstorybook-to-ghpages --remote github
  • dev:build:custom-themenpx grunt build_custom_theme
  • dev:storybook:buildNODE_OPTIONS=--max_old_space_size=2048 storybook build
  • dev:storybook:install./scripts/installStorybookDependencies.sh
  • dev:storybook:startSTORYBOOK_DEV=true storybook dev -p 6006
  • dev:watch:custom-themenpx grunt watch_custom_theme
  • i18n:externalizei18next -c ./i18next-parser.config.js
  • lintnpm run lint:lockfile && npm run lint:eslint
  • lint:eslinteslint src --max-warnings 0
  • lint:eslint-fixeslint --fix src
  • lint:lockfilelockfile-lint --path package-lock.json --allowed-hosts npm github.com --allowed-schemes "https:" "git+ssh:" --empty-hostname false
  • testnpm run test:unit
  • test:ci:coveragenpm run test:coverage -- --runInBand
  • test:coveragejest --no-cache ./src --coverage
  • test:storybooktest-storybook
  • test:unitjest --no-cache ./src
Dependencies24
  • debounce-promise^3.1.2
  • downloadjs^1.4.7
  • grapheme-splitter^1.0.4
  • html5-qrcode^2.3.8
  • i18next^25.4.0
  • i18next-http-backend^3.0.5
  • ip-regex^5.0.0
  • jssha^3.2.0
  • luxon^3.4.4
  • memoize-one^6.0.0
  • otpauth^9.1.4
  • prop-types^15.7.2
  • qrcode^1.5.0
  • react^18.3.1
  • react-color^2.19.3
  • react-dom^18.3.1
  • react-i18next^14.0.0
  • react-listgithub:passbolt/react-list#v0.8.18
  • react-router-dom^5.2.0
  • react-transition-group^4.4.1
  • uuid^14.0.0
  • validator^13.15.26
  • webextension-polyfill^0.10.0
  • xregexp^5.1.2