Package evidence
[email protected]
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 101
- Versions published
- 205Mature · −50% score
- First published
- Jan 2024
- Publisher
- GitHub ActionsTrusted automation · −70% score
Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 15 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/dist/index.cjs.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Js Split Join Obfuscation | package/dist/index.es.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Js Split Join Obfuscation | package/dist/index.iife.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Js Split Join Obfuscation | package/dist/index.umd.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
Manifest
Package metadata
Scripts9
buildtsc && vite buildbuild:typesdts-bundle-generator --config ./dts-bundle-generator.config.tsdevtsc && vite build --watchformat:scriptsprettier . --writeformat:stylesstylelint ./**/*.{css,scss} --fixlint:scriptseslint . --ext .tslint:stylesstylelint ./**/*.{css,scss}startvite --host --openupgrade-all-packagesbun update --latest
Dependencies54
@emotion/react^11.14.0@emotion/styled^11.14.1@eslint/js^9.9.0@hookform/resolvers^5.2.2@marsidev/react-turnstile^1.3.1@mui/icons-material7.3.4@mui/joy^5.0.0-beta.52@mui/material7.3.4@mui/x-data-grid8.14.1@originjs/vite-plugin-federation^1.3.5@tanstack/react-query^5.90.5@tanstack/react-query-devtools^5.55.4@types/js-cookie^3.0.6@types/qs^6.9.15@types/react18.3.1@types/react-dom^18.3.0@typescript-eslint/eslint-plugin^8.5.0@typescript-eslint/parser^8.5.0@vitejs/plugin-react^4.3.1@vitejs/plugin-react-swc^3.8.0ajv^8.0.0axios^1.7.7clsx^2.1.1dotenv^16.4.5dts-bundle-generator^9.5.1eslint^9.10.0eslint-config-prettier^9.1.0eslint-plugin-prettier^5.2.1eslint-plugin-react-hooks^4.6.2eslint-plugin-react-refresh^0.4.11- …and 24 more.