Package evidence

@corva/[email protected]

Large Javascript Payload: 2688769 bytes

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 9,322Niche · −30% score
Versions published: 3,317Mature · −50% score
First published: Sep 2020
Publisher: corva-devops-automation

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Looks clean — keep monitoring

No high-signal indicators in the stored static report. PkgRadar will re-check on the next ingest pass.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@corva/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@corva/[email protected]"],"fail_on":"review"}'

Publishercorva-devops-automation

Artifact bytes7,054,097

Previous version3.63.0-5

Published2026-06-10T17:13:57.384Z

SHA-2569bdd0d89b7c3cf701928c3da9809eef8161faba331a6ceb061bf0a30ed8a1337

Why flagged

What the scanner saw

Large Javascript Payload: 2688769 bytes

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

low

4d agoLast checked

lowRisk

0Score

3.63.0-6Version

Status history (1 event)

new → available4d ago · risk low · score 0 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 1 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
low	Large Javascript Payload	package/mcp-server/server.mjs	2688769 bytes	0

Manifest

Package metadata

Scripts36

buildyarn generate-css-themes && cross-env SHELL=sh ./scripts/build.sh production
build-devyarn generate-css-themes && cross-env SHELL=sh ./scripts/build.sh development
build-storybookyarn generate-css-themes && IS_STORYBOOK_BUILD=true storybook build -c storybook --docs
build-watchyarn generate-css-themes && cross-env SHELL=sh ./scripts/build.sh development --watch
check-duplicationsecho "👀 Checking code duplications" && jscpd src --silent
choreyarn release -- --prerelease
figma:dry-runfigma connect publish --dry-run
figma:dry-run-filefigma connect publish --dry-run --file
figma:publishfigma connect publish
figma:publish-filefigma connect publish --file
figma:unpublishfigma connect unpublish
figma:unpublish-filefigma connect unpublish --file
figma:unpublish-node-forcenode scripts/figma-unpublish-node-force.mjs
generate-css-themesnode ./scripts/generateCssThemesVariables.mjs
get-changelogconventional-changelog -r 2 -p angular
helper-clinpx @corva/fe-dev-helper-cli@latest
linteslint --cache ./src/
lint-stagedlint-staged
mcp:buildyarn mcp:generate-data && yarn mcp:generate-prompts && yarn mcp:bundle
mcp:bundlerollup -c rollup.mcp.config.js && chmod 755 dist/mcp-server/server.mjs dist/mcp-server/setup.mjs
mcp:devyarn --silent mcp:generate-data && yarn --silent mcp:generate-prompts && tsx mcp-server/bin/mcp-server.ts
mcp:generate-datatsx mcp-server/src/data-generator/index.ts
mcp:generate-promptstsx mcp-server/src/prompts-generator/index.ts
mcp:inspectyarn --silent mcp:generate-data && yarn --silent mcp:generate-prompts && npx @modelcontextprotocol/inspector tsx mcp-server/bin/mcp-server.ts
mcp:report-missed-lookupstsx mcp-server/uptrace/missed-lookups/report-missed-lookups.ts
mcp:testyarn --silent mcp:generate-prompts && jest --config mcp-server/jest.config.js
mcp:test:watchyarn --silent mcp:generate-prompts && jest --config mcp-server/jest.config.js --watch
releasegit fetch --tags && git add -A && standard-version -a
startyarn generate-css-themes && cross-env NODE_ENV=local rollup -c -w
storybookyarn generate-css-themes && IS_STORYBOOK_BUILD=true storybook dev -p 6006 -c storybook --docs
…and 6 more.

Dependencies99

@apidevtools/swagger-parser^12.1.0
@badgateway/oauth2-client2.2.4
@date-io/moment1.3.13
@icon-park/react^1.4.2
@mapbox/mapbox-gl-draw^1.5.1
@mapbox/tilebelt^2.0.3
@material-ui/core4.11.2
@material-ui/icons4.9.1
@material-ui/lab4.0.0-alpha.57
@material-ui/pickers3.2.10
@modelcontextprotocol/sdk^1.29.0
@opentelemetry/api~1.9.0
@opentelemetry/exporter-metrics-otlp-http~0.57.0
@opentelemetry/exporter-trace-otlp-http~0.57.0
@opentelemetry/resources~1.30.0
@opentelemetry/sdk-metrics~1.30.0
@opentelemetry/sdk-trace-node~1.30.0
@opentelemetry/semantic-conventions~1.30.0
@rollbar/react^0.11.1
@tanstack/react-query4.35.3
@turf/bbox^7.3.0
@turf/circle^7.3.0
@vis.gl/react-mapbox^8.1.0
auth0-js^9.14.0
chalk4.1.1
chroma-js1.4.1
classnames2.2.6
corva-convert-units1.32.0
dompurify3.2.4
dotenv^10.0.0
…and 69 more.