Packages scanned
164.5K
Coverage maven
repo1.maven.orgJava / JVM, including Android. Both `.jar` and Android `.aar` releases are fetched and walked — an `.aar`'s nested `classes.jar` is unpacked and inspected too. Releases get indicator-filename, native-blob, JNDI/Log4Shell-family class-path, and manifest/AndroidManifest signals; when a source jar is present it gets full static analysis (Runtime.exec, reflection-based exec bypass, URLClassLoader.defineClass, untrusted deserialization, static-init side effects).
164.5K
89
6,674
32
28m ago
Install-time attack surface
static initializer blocks (run on first class load) + Maven plugin code (runs in the build JVM)
Supported lockfile formats
pom.xmlSpec format
pkgradar gate --ecosystem maven com.fasterxml.jackson.core:[email protected]Recent activity
The corpus-wide release feed lives on /campaigns. A per-ecosystem release feed for Maven is on the roadmap — the stats above are filtered to this ecosystem in the meantime.
Other ecosystems