PkgRadar

Coverage maven

Maven repo1.maven.org

Java / JVM. Source jars are downloaded opportunistically for static analysis; bytecode-only releases are assessed on path, manifest, and native-blob signals. Detection targets JNDI lookups (the Log4Shell family), reflection-based bypasses via Class.forName, class injection via URLClassLoader.defineClass, and side effects in static initializers.

Packages scanned

545

High risk

0

Review

7

High-severity findings

1

Last scan

9h ago

Install-time attack surface

Static initializer blocks, which run the first time a class is loaded, and Maven plugin code, which runs inside the build JVM.

Supported lockfile formats

Spec format

pkgradar gate --ecosystem maven com.fasterxml.jackson.core:<artifactId>@<version>

Recent activity

The corpus-wide release feed lives on /campaigns. A per-ecosystem release feed for Maven is on the roadmap; in the meantime, the stats above are filtered to this ecosystem.

Other ecosystems