PkgRadar

Package evidence

[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 15,397 (Mainstream · −50% score)
Versions published: 207 (Mature · −50% score)
First published: Nov 2015
Publisher: demiankatz

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisher: demiankatz
Artifact bytes: 5,827,375
Previous version: 4.4.0-rc3
Published: 2026-06-09T13:54:31.455Z
SHA-256: 5eeffe8c7ad3fc8833d1cfbc6b0b628c5f0666c7140e5b464ca1ce22f9a49671

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
Risk: low
Score: 0
Version: 4.4.0
Status history (1 event)
  1. new · available · risk low · score 0 · status changed

Evidence

Static findings

8 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

All 8 findings (low-signal and informational)

Severity | Kind | Path | Detail | Points
low | Obfuscation Density | package/dist/umd/5108.7c2d3cc9317dacaf8556.js | high encoded/escaped-token density | 0
low | Obfuscation Density | package/dist/umd/5560.313850c17e9909186a50.js | high encoded/escaped-token density | 0
low | Obfuscation Density | package/dist/umd/6299.94f43c16649fbfae518e.js | high encoded/escaped-token density | 0
low | Obfuscation Density | package/dist/umd/6520.8ac5d910823add256c55.js | high encoded/escaped-token density | 0
low | Obfuscation Density | package/dist/umd/7086.0662b83a43e6ef1a56f4.js | high encoded/escaped-token density | 0
low | Obfuscation Density | package/dist/umd/8341.3409f6c4d3712b4a1d81.js | high encoded/escaped-token density | 0
low | Obfuscation Density | package/dist/umd/8557.ab1e0a9864129deb0877.js | high encoded/escaped-token density | 0
low | Obfuscation Density | package/dist/umd/882.017001aa3ff0346a742d.js | high encoded/escaped-token density | 0

Manifest

Package metadata

Scripts (18)
  • build: webpack -c webpack.config.js
  • build-es: node ./esbuild.mjs
  • build-tsc: tsc --skipLibCheck --module CommonJS --esModuleInterop --declarationDir ./dist/cjs --declaration --outDir ./dist/cjs -p . && npm run copy-files
  • checkLocaleUsage: node scripts/validate_locale.ts checkLocaleUsage
  • copy-files: copyfiles -u 1 src/**/*.svg dist/cjs && copyfiles -u 1 src/**/*.gif dist/cjs && copyfiles -u 1 src/**/*.less dist/cjs && copyfiles -u 1 src/extensions/**/*.less dist/cjs && copyfiles -u 1 src/**/*.css dist/cjs
  • dev: npm run start
  • docs: typedoc --plugin typedoc-plugin-missing-exports ; echo docs.universalviewer.io > docs/CNAME
  • e2eserve: npx serve dist -p 4444
  • findHardCodedLocaleStrings: node scripts/validate_locale.ts hardCodedStrings
  • findMissingTranslations: node scripts/validate_locale.ts missingTranslations
  • fix: npm run lint && npm run prettify
  • lint: npm run lint-code && npm run lint-styles
  • lint-code: eslint --fix "./{__tests__,scripts,src}/**/*.{js,jsx,ts,tsx}"
  • lint-styles: stylelint --fix "./src/**/*.{less,css}"
  • prepublishOnly: npm run build && npm run build-tsc && npm run build-es
  • prettify: prettier --write "./{__tests__,scripts,src}/**/*.{js,jsx,json,css,less,ts,tsx}" --ignore-path .prettierignore
  • start: npx webpack serve -c webpack.dev-server.js
  • test: jest
Dependencies (31)
  • @google/model-viewer ^4.0.0
  • @iiif/base-component 2.0.1
  • @iiif/iiif-av-component 1.2.4
  • @iiif/manifold ^2.3.0
  • @iiif/presentation-3 ^1.0.5
  • @iiif/vocabulary ^1.0.31
  • @openseadragon-imaging/openseadragon-viewerinputhook ^2.2.1
  • @universalviewer/aleph 0.0.21
  • @universalviewer/uv-ebook-components 1.0.2
  • @webcomponents/webcomponentsjs ^2.4.3
  • classnames ^2.3.1
  • clean-css ^5.2.2
  • copyfiles ^2.4.1
  • esbuild ^0.25.0
  • esbuild-plugin-less ^1.1.5
  • esbuild-plugin-svg ^0.1.0
  • jquery 3.5.0
  • jsviews 1.0.15
  • less-plugin-clean-css ^1.5.1
  • manifesto.js ^4.3.0
  • mediaelement 4.2.15
  • mediaelement-plugins 5.0.0
  • openseadragon ^6.0.0
  • pdfjs-dist 3.11.174
  • pdfobject 2.3.0
  • react ^19.0.0
  • react-dom ^19.0.0
  • react-intersection-observer ^9.13.0
  • waveform-panel ^1.2.0
  • xss 1.0.15
  • …and 1 more.