Composer · packagist.org

jtsternberg/buddy-cli

Php Remote Fetch Exec Combo: Remote fetch (file_get_contents/curl) paired with eval/exec — fetch-and-run pattern.

Why PkgRadar flagged v1.6.2

Severity	Signal	Evidence
high	Php Remote Fetch Exec Combo	Remote fetch (file_get_contents/curl) paired with eval/exec — fetch-and-run pattern. · jtsternberg-buddy-cli-1b365fa/tests/Integration/Commands/AuthCommandsTest.php
medium	Remote Payload	matched "curl " · jtsternberg-buddy-cli-1b365fa/src/Commands/Auth/LoginCommand.php

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v1.6.2`	High risk	47	2026-06-04
`v1.6.1`	High risk	47	2026-05-30

Block this in CI

PkgRadar gates jtsternberg/buddy-cli (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem composer jtsternberg/[email protected]