Composer · packagist.org

lucatume/wp-browser

Php Remote Fetch Exec Combo: Remote fetch (file_get_contents/curl) paired with eval/exec — fetch-and-run pattern.

Why PkgRadar flagged 4.6.1

Severity	Signal	Evidence
high	Php Remote Fetch Exec Combo	Remote fetch (file_get_contents/curl) paired with eval/exec — fetch-and-run pattern. · lucatume-wp-browser-464c6a7/src/Utils/ChromedriverInstaller.php
medium	Remote Payload	matched "raw.githubusercontent.com" · lucatume-wp-browser-464c6a7/src/WordPress/CliProcess.php

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`4.6.1`	Review	14	2026-06-16

Block this in CI

PkgRadar gates lucatume/wp-browser (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem composer lucatume/[email protected]