Cargo · crates.io

yubikey-signer

Rs Build Time Command Combo: Process spawn (std::process::Command) paired with network / base64 / env-token read at build time.

Why PkgRadar flagged 0.7.6

Severity	Signal	Evidence
high	Rs Build Time Command Combo	Process spawn (std::process::Command) paired with network / base64 / env-token read at build time. · yubikey-signer-0.7.6/build.rs
high	Rs Build Time Network	HTTP / TCP network call inside build.rs — downloads at compile time. · yubikey-signer-0.7.6/build.rs
medium	Remote Payload	matched "github.com/openssl/openssl/releases/download" · yubikey-signer-0.7.6/build.rs

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.7.6`	High risk	78	2026-06-06
`0.7.5`	High risk	78	2026-05-30

Block this in CI

PkgRadar gates yubikey-signer (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem cargo [email protected]