PkgRadar

Package evidence

@roomstay/[email protected]

Large Javascript Payload: 3072927 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 1,018 (Niche · −30% score)
Versions published: 327 (Mature · −50% score)
First published: Sep 2022
Publisher: rob.ellis

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@roomstay/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@roomstay/[email protected]"],"fail_on":"review"}'

Publisher: rob.ellis
Artifact bytes: 3,376,833
Previous version: 2.9.1-2
Published: 2026-05-24T23:46:40.125Z
SHA-256: 243cf0a8d5c8814ee91cb4bc823cfce03e441cd45ecc86b722535dc8247c215e

Why flagged

What the scanner saw

Large Javascript Payload: 3072927 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 40
Version: 2.9.1
Status history (2 events)
  1. [available] available · risk review · score 40 · status available -> available, risk high -> review, score 142 -> 40
  2. [new] available · risk high · score 142 · status changed

Related candidates

Linked campaigns and clusters

Repeated static TTP (stale)

Install Lifecycle Suppresses Failure — prepare="husky install > /dev/null"

2 members · evidence strength 70

Evidence

Static findings

24 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Large Javascript Payload | package/dist/vendors.bundle.js | 3072927 bytes | 10 |
| low | Credential file access | package/dist/535.bundle.js | matched ".AWS" | 5 |
| low | Obfuscation | package/dist/326.bundle.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/535.bundle.js | matched "fromCharCode" | 3 |
| low | Obfuscation | package/dist/main.bundle.js | matched "\\u0600" | 3 |
| low | Obfuscation | package/dist/test.bundle.js | matched "\\u0600" | 3 |
| low | Obfuscation | package/dist/src/util/Validation.js | matched "\\u0600" | 3 |
| low | Obfuscation | package/dist/src/components/summary/BEMobileSummary.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/dist/src/components/summary/BEMobileSummaryModal.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/dist/src/components/summary/BESummaryAddonRow.js | matched "\\u00D7" | 3 |
| low | Obfuscation | package/dist/src/pages/findReservation/ReservationRow.js | matched "\\u2022" | 3 |
| low | Obfuscation | package/dist/src/pages/findReservation/ReservationRowModal.js | matched "\\u2022" | 3 |
| low | Obfuscation | package/dist/src/components/User/Forms/SignInForm.js | matched "\\u2022" | 3 |
| low | Obfuscation | package/dist/src/components/steps/confirmation/AccountDetails.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/dist/src/components/steps/confirmation/RoomContactDetails.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/dist/src/components/steps/date/PeoplePickerRow.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/dist/src/components/steps/date/StepOneStatusPeople.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/dist/src/pages/account/ChangePassword/AccountChangePasswordPage.js | matched "\\u2022" | 3 |
| low | Obfuscation | package/dist/src/pages/account/Reservations/AccountReservationSinglePage.js | matched "\\u2022" | 3 |
| low | Obfuscation | package/dist/src/components/pages/Account/Card/MemberCardItem.js | matched "\\u2022" | 3 |
| low | Obfuscation | package/dist/src/components/steps/room/UserSearchSummary/UserSearchSummaryRow.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/dist/src/components/steps/room/roomBuilderProgress/RoomBuilderProgressRow.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/dist/src/components/steps/room/roomDetails/roomRates/PriceBreakdownBlock.js | matched "\\u00A0" | 3 |
| low | Obfuscation | package/dist/src/components/steps/room/roomDetails/unavailableRoom/UnavailableRoom.js | matched "\\u2014" | 3 |

Manifest

Package metadata

Scripts (24)
  • build: rm -rf ./dist/; tsc;resolve-tspaths --src ./; env-cmd -f .env.prod webpack --mode production
  • build-storybook: build-storybook
  • build:release: rm -rf ./dist/; tsc;resolve-tspaths --src ./; env-cmd -f .env.release webpack --mode production
  • build:staging: rm -rf ./dist/; env-cmd -f .env.staging webpack --mode production
  • clients: env-cmd -f .env.local webpack-dev-server --open --mode development --hot --config 'webpack-clients.config.js'
  • dev: env-cmd -f .env.local webpack-dev-server --open --mode development --hot --config 'webpack-local.config.js'
  • prepare: husky install > /dev/null
  • prepublishOnly: ./rsbundler pack-for-release; echo 0;
  • release: np
  • start: npm run dev
  • storybook: env-cmd -f .env.local start-storybook -p 6006
  • test: npm run test:prettier
  • test:coverage: jest --coverage
  • test:lint: eslint 'src/**/*.{ts,tsx}' --quiet
  • test:lint-fix: eslint --fix 'src/**/*.{ts,tsx}'
  • test:playwright: yarn playwright test
  • test:playwright:clients: CLIENTS=true yarn playwright test
  • test:playwright:report: yarn playwright show-report
  • test:playwright:ui: yarn playwright test --ui
  • test:playwright:ui:clients: CLIENTS=true yarn playwright test --ui
  • test:prettier: prettier --check 'src/**/*.{tsx,ts}' -c ./.prettierrc
  • test:prettier-fix: prettier --write 'src/**/*.{tsx,ts}' -c ./.prettierrc
  • test:tsc: tsc --project ./tsconfig.json --noEmit
  • test:wdio: docker-compose -f docker-compose.test.yml up --build
Dependencies (40)
  • @adyen/adyen-web ^6.8.0
  • @aws-amplify/auth ^4.5.10
  • @googlemaps/react-wrapper ^1.1.35
  • @juggle/resize-observer ^3.4.0
  • @paypal/react-paypal-js ^8.9.2
  • @planpay/web ^1.1.2
  • @popperjs/core ^2.11.6
  • @react-spring/web ^9.4.4
  • @roomstay/core 0.1.85
  • @roomstay/gc-frontend ^1.0.10
  • @roomstay/ui ^0.0.15
  • @sentry/browser ^5.21.0
  • @sentry/types ^5.26.0
  • @stripe/react-stripe-js ^5.2.0
  • @stripe/stripe-js ^8.0.0
  • @types/base-64 ^1.0.0
  • @types/react-helmet ^6.1.11
  • @vgs/collect-js ^0.6.1
  • base-64 ^1.0.0
  • classnames ^2.2.6
  • csstype ^3.1.3
  • dayjs ^1.11.7
  • fslightbox-react ^1.4.9
  • husky ^8.0.3
  • i18next ^19.6.3
  • lint-staged ^13.1.1
  • react ^16.12.0
  • react-dom ^16.12.0
  • react-gtm-module ^2.0.10
  • react-helmet ^6.1.0
  • …and 10 more.