// npm package

@antv/vendor

Vendored dependencies to fix ERR_REQUIRE_ESM.

npmjs.com tarball repo homepage

versions

maintainers

license

MIT AND ISC

first publish

2025-01-22

publisher

bqxbqxbqx

tarball

1,259,276 B

AUTO-PUBLISHED·1 version indexed·latest published 2025-04-21

// publisher campaignby bqxbqxbqx

2 caught packages from this account

This is not an isolated catch. The same publisher has shipped 1 other package that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.

// offending code· @1.0.11· 2 files flagged

llm: benign · 0.85

→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).

@1.0.11·2025-04-21·AUTO-PUBLISHED·publisher: bqxbqxbqx

heuristic 75/100

static flags 3

llm benign (0.85) via ollama

mature-packageosv-flagged:MAL-2026-4093child-process-spawnlong-base64-literallong-hex-literal

→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).

// offending code· 2 files flaggedpatterns: 3

--- package/lib-vendor/d3-time-format/src/locale.js (excerpt) ---
"use strict";
Object.defineProperty(exports, "__esModule", {
    value: true
});
Object.defineProperty(exports, "default", {
    enumerable: true,
    get: function() {
        return formatLocale;
    }
});
var _index = require("../../d3-time/src/index.js");
function _instanceof(left, right) {
    if (right != null && typeof Symbol !== "undefined" && right[Symbol.hasInstance]) {
        return !!right[Symbol.hasInstance](left);
    } else {
        return left instanceof right;
    }
}
function localDate(d) {
    if (0 <= d.y && d.y < 100) {
        var date = new Date(-1, d.m, d.d, d.H, d.M, d.S, d.L);
        date.setFullYear(d.y);
        return date;
    }
    return new Date(d.y, d.m, d.d, d.H, d.M, d.S, d.L);
}
function utcDate(d) {
    if (0 <= d.y && d.y < 100) {
        var date = new Date(Date.UTC(-1, d.m, d.d, d.H, d.M, d.S, d.L));
        date.setUTCFullYear(d.y);
        return date;
    }
    return new Date(Date.UTC(d.y, d.m, d.d, d.H, d.M, d.S, d.L));
}
function newDate(y, m, d) {
    return {
        y: y,
        m: m,
        d: d,
        H: 0,
        M: 0,
        S: 0,
        L: 0
    };
}
function formatLocale(locale) {
    var locale_dateTime = locale.dateTime, locale_date = locale.date, locale_time = locale.time, locale_periods = locale.periods, locale_weekdays = locale.days, locale_shortWeekdays = locale.shortDays, locale_months = locale.months, locale_shortMonths = locale.shortMonths;
    var periodRe = formatRe(locale_periods), periodLookup = fo

--- package/lib-vendor/d3-scale-chromatic/src/sequential-multi/viridis.js (excerpt) ---
"use strict";
Object.defineProperty(exports, "__esModule", {
    value: true
});
function _export(target, all) {
    for(var name in all)Object.defineProperty(target, name, {
        enumerable: true,
        get: all[name]
    });
}
_export(exports, {
    default: function() {
        return _default;
    },
    inferno: function() {
        return inferno;
    },
    magma: function() {
        return magma;
    },
    plasma: function() {
        return plasma;
    }
});
var _colors = /*#__PURE__*/ _interop_require_default(require("../colors.js"));
function _interop_require_default(obj) {
    return obj && obj.__esModule ? obj : {
        default: obj
    };
}
function ramp(range) {
    var n = range.length;
    return function(t) {
        return range[Math.max(0, Math.min(n - 1, Math.floor(t * n)))];
    };
}
var _default = ramp((0, _colors.default)("44015444025645045745055946075a46085c460a5d460b5e470d60470e6147106347116447136548146748166848176948186a481a6c481b6d481c6e481d6f481f70482071482173482374482475482576482677482878482979472a7a472c7a472d7b472e7c472f7d46307e46327e46337f463480453581453781453882443983443a83443b84433d84433e85423f854240864241864142874144874045884046883f47883f48893e49893e4a893e4c8a3d4d8a3d4e8a3c4f8a3c508b3b518b3b528b3a538b3a548c39558c39568c38588c38598c375a8c375b8d365c8d365d8d355e8d355f8d34608d34618d33628d33638d32648e32658e31668e31678e31688e30698e306a8e2f6b8e2f6c8e2e6d8e2e6e8e2e6f8e2d708e2d718e2c718e2c728e2c738e2b748e2b758e2a768e2a778e2a788e29798e297a8e29

--- bundled output (OSV-MAL flagged — LLM scope expansion) ---

--- d3-dispatch.js (bundled) ---

// `@antv/vendor/d3-dispatch` (CommonJS)
// See upstream license: https://github.com/d3/d3-dispatch/blob/main/LICENSE
//
// This file only exists for tooling that doesn't work yet with package.json:exports
// by proxying through the CommonJS version.
module.exports = require("./lib/d3-dispatch");


--- d3-format.js (bundled) ---

// `@antv/vendor/d3-format` (CommonJS)
// See upstream license: https://github.com/d3/d3-format/blob/main/LICENSE
//
// This file only exists for tooling that doesn't work yet with package.json:exports
// by proxying through the CommonJS version.
module.exports = require("./lib/d3-format");


--- d3-geo-projection.js (bundled) ---

// `@antv/vendor/d3-geo-projection` (CommonJS)
// See upstream license: https://github.com/d3/d3-geo-projection/blob/main/LICENSE
//
// This file only exists for tooling that doesn't work yet with package.json:exports
// by proxying through the CommonJS version.
module.exports = require("./lib/d3-geo-projection");


--- d3-hierarchy.js (bundled) ---

// `@antv/vendor/d3-hierarchy` (CommonJS)
// See upstream license: https://github.com/d3/d3-hierarchy/blob/main/LICENSE
//
// This file only exists for tooling that doesn't work yet with package.json:exports
// by proxying through the CommonJS version.
module.exports = require("./lib/d3-hierarchy");


--- d3-interpolate.js (bundled) ---

// `@antv/vendor/d3-interpolate` (CommonJS)
// See upstream license: https://github.com/d3/d3-interpolate/blob/main/LICENSE
//
// This file only exists for tooling that doesn't work yet with package.json:exports
// by proxying through the CommonJS version.
module.exports = require("./lib/d3-interpolate");


--- d3-quadtree.js (bundled) ---

// `@antv/vendor/d3-quadtree` (CommonJS)
// See upstream license: https://github.com/d3/d3-quadtree/blob/main/LICENSE
//
// This file only exists for tooling that doesn't work yet with package.json:exports
// by proxying through the CommonJS version.
module.exports = require("./lib/d3-quadtree");


--- d3-random.js (bundled) ---

// `@antv/vendor/d3-random` (CommonJS)
// See upstream license: https://github.com/d3/d3-random/blob/main/LICENSE
//
// This file only exists for tooling that doesn't work yet with package.json:exports
// by proxying through the CommonJS version.
module.exports = require("./lib/d3-random");


--- d3-regression.js (bundled) ---

// `@antv/vendor/d3-regression` (CommonJS)
// See upstream license: git+https://github.com/HarryStevens/d3-regression/blob/main/LICENSE
//
// This file only exists for tooling that doesn't work yet with package.json:exports
// by proxying through the CommonJS version.
module.exports = require("./lib/d3-regression");


--- d3-scale-chromatic.js (bundled) ---

// `@antv/vendor/d3-scale-chromatic` (CommonJS)
// See upstream license: https://github.com/d3/d3-scale-chromatic/blob/main/LICENSE
//
// This file only exists for tooling that doesn't work yet with package.json:exports
// by proxying through the CommonJS version.
module.exports = require("./lib/d3-scale-chromatic");