PkgRadar

Package evidence

[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
15,397Mainstream · −50% score
Versions published
207Mature · −50% score
First published
Nov 2015
Publisher
demiankatz

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherdemiankatz
Artifact bytes5,821,484
Previous version4.3.0
Published2026-05-18T09:06:22.730Z
SHA-256d0bd1a8376b5bcb35f5fcd33b8f2be8088b65611118a4b77878532663ce58cc9

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low
Last checked
lowRisk
0Score
4.4.0-rc1Version
Status history (1 event)
  1. newavailable · risk low · score 0 · status changed

Evidence

Static findings

8 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 8 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowObfuscation Densitypackage/dist/umd/5108.9cb00ad2754a4b122ee6.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/dist/umd/5560.12f9cfddae843be841d5.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/dist/umd/6299.7d53ff61ebf4116d95ff.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/dist/umd/6520.496f06465a8af136900f.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/dist/umd/7086.0986d074672ff28cb0ab.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/dist/umd/8341.0ee1dfdffce4ec8d6c84.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/dist/umd/8557.ad7ba79609caafbb959d.jshigh encoded/escaped-token density0
lowObfuscation Densitypackage/dist/umd/882.4bdf53fc242d685d3153.jshigh encoded/escaped-token density0

Manifest

Package metadata

Scripts18
  • buildwebpack -c webpack.config.js
  • build-esnode ./esbuild.mjs
  • build-tsctsc --skipLibCheck --module CommonJS --esModuleInterop --declarationDir ./dist/cjs --declaration --outDir ./dist/cjs -p . && npm run copy-files
  • checkLocaleUsagenode scripts/validate_locale.ts checkLocaleUsage
  • copy-filescopyfiles -u 1 src/**/*.svg dist/cjs && copyfiles -u 1 src/**/*.gif dist/cjs && copyfiles -u 1 src/**/*.less dist/cjs && copyfiles -u 1 src/extensions/**/*.less dist/cjs && copyfiles -u 1 src/**/*.css dist/cjs
  • devnpm run start
  • docstypedoc --plugin typedoc-plugin-missing-exports ; echo docs.universalviewer.io > docs/CNAME
  • e2eservenpx serve dist -p 4444
  • findHardCodedLocaleStringsnode scripts/validate_locale.ts hardCodedStrings
  • findMissingTranslationsnode scripts/validate_locale.ts missingTranslations
  • fixnpm run lint && npm run prettify
  • lintnpm run lint-code && npm run lint-styles
  • lint-codeeslint --fix "./{__tests__,scripts,src}/**/*.{js,jsx,ts,tsx}"
  • lint-stylesstylelint --fix "./src/**/*.{less,css}"
  • prepublishOnlynpm run build && npm run build-tsc && npm run build-es
  • prettifyprettier --write "./{__tests__,scripts,src}/**/*.{js,jsx,json,css,less,ts,tsx}" --ignore-path .prettierignore
  • startnpx webpack serve -c webpack.dev-server.js
  • testjest
Dependencies31
  • @google/model-viewer^4.0.0
  • @iiif/base-component2.0.1
  • @iiif/iiif-av-component1.2.4
  • @iiif/manifold^2.3.0
  • @iiif/presentation-3^1.0.5
  • @iiif/vocabulary^1.0.31
  • @openseadragon-imaging/openseadragon-viewerinputhook^2.2.1
  • @universalviewer/aleph0.0.21
  • @universalviewer/uv-ebook-components1.0.2
  • @webcomponents/webcomponentsjs^2.4.3
  • classnames^2.3.1
  • clean-css^5.2.2
  • copyfiles^2.4.1
  • esbuild^0.25.0
  • esbuild-plugin-less^1.1.5
  • esbuild-plugin-svg^0.1.0
  • jquery3.5.0
  • jsviews1.0.15
  • less-plugin-clean-css^1.5.1
  • manifesto.js^4.3.0
  • mediaelement4.2.15
  • mediaelement-plugins5.0.0
  • openseadragon^6.0.0
  • pdfjs-dist3.11.174
  • pdfobject2.3.0
  • react^19.0.0
  • react-dom^19.0.0
  • react-intersection-observer^9.13.0
  • waveform-panel^1.2.0
  • xss1.0.15
  • …and 1 more.