PkgRadar

Package evidence

[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
14,162Mainstream · −50% score
Versions published
206Mature · −50% score
First published
Nov 2015
Publisher
demiankatz

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherdemiankatz
Artifact bytes5,827,552
Previous version4.4.0-rc1
Published2026-05-22T17:47:39.924Z
SHA-256c5cb868205d90e0675d9b7db6b41f247d46455ae470f2fdc50027fae05476ce9

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
18Score
4.4.0-rc2Version
Status history (1 event)
  1. newavailable · risk review · score 18 · status changed

Evidence

Static findings

9 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumObfuscation Densitypackage/dist/umd/5108.7c2d3cc9317dacaf8556.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/umd/5560.313850c17e9909186a50.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/umd/6299.94f43c16649fbfae518e.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/umd/6520.f497cf2f483f812ed69b.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/umd/7086.0662b83a43e6ef1a56f4.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/umd/8341.3409f6c4d3712b4a1d81.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/umd/8557.ab1e0a9864129deb0877.jshigh encoded/escaped-token density12
mediumObfuscation Densitypackage/dist/umd/882.017001aa3ff0346a742d.jshigh encoded/escaped-token density12
mediumRemote Payloadpackage/dist/cjs/locales/cy-GB.jsonmatched "iwr "12

Manifest

Package metadata

Scripts18
  • buildwebpack -c webpack.config.js
  • build-esnode ./esbuild.mjs
  • build-tsctsc --skipLibCheck --module CommonJS --esModuleInterop --declarationDir ./dist/cjs --declaration --outDir ./dist/cjs -p . && npm run copy-files
  • checkLocaleUsagenode scripts/validate_locale.ts checkLocaleUsage
  • copy-filescopyfiles -u 1 src/**/*.svg dist/cjs && copyfiles -u 1 src/**/*.gif dist/cjs && copyfiles -u 1 src/**/*.less dist/cjs && copyfiles -u 1 src/extensions/**/*.less dist/cjs && copyfiles -u 1 src/**/*.css dist/cjs
  • devnpm run start
  • docstypedoc --plugin typedoc-plugin-missing-exports ; echo docs.universalviewer.io > docs/CNAME
  • e2eservenpx serve dist -p 4444
  • findHardCodedLocaleStringsnode scripts/validate_locale.ts hardCodedStrings
  • findMissingTranslationsnode scripts/validate_locale.ts missingTranslations
  • fixnpm run lint && npm run prettify
  • lintnpm run lint-code && npm run lint-styles
  • lint-codeeslint --fix "./{__tests__,scripts,src}/**/*.{js,jsx,ts,tsx}"
  • lint-stylesstylelint --fix "./src/**/*.{less,css}"
  • prepublishOnlynpm run build && npm run build-tsc && npm run build-es
  • prettifyprettier --write "./{__tests__,scripts,src}/**/*.{js,jsx,json,css,less,ts,tsx}" --ignore-path .prettierignore
  • startnpx webpack serve -c webpack.dev-server.js
  • testjest
Dependencies31
  • @google/model-viewer^4.0.0
  • @iiif/base-component2.0.1
  • @iiif/iiif-av-component1.2.4
  • @iiif/manifold^2.3.0
  • @iiif/presentation-3^1.0.5
  • @iiif/vocabulary^1.0.31
  • @openseadragon-imaging/openseadragon-viewerinputhook^2.2.1
  • @universalviewer/aleph0.0.21
  • @universalviewer/uv-ebook-components1.0.2
  • @webcomponents/webcomponentsjs^2.4.3
  • classnames^2.3.1
  • clean-css^5.2.2
  • copyfiles^2.4.1
  • esbuild^0.25.0
  • esbuild-plugin-less^1.1.5
  • esbuild-plugin-svg^0.1.0
  • jquery3.5.0
  • jsviews1.0.15
  • less-plugin-clean-css^1.5.1
  • manifesto.js^4.3.0
  • mediaelement4.2.15
  • mediaelement-plugins5.0.0
  • openseadragon^6.0.0
  • pdfjs-dist3.11.174
  • pdfobject2.3.0
  • react^19.0.0
  • react-dom^19.0.0
  • react-intersection-observer^9.13.0
  • waveform-panel^1.2.0
  • xss1.0.15
  • …and 1 more.