Go modules · proxy.golang.org

github.com/GoogleContainerTools/kpt

Remote Payload: matched "curl "

Why PkgRadar flagged v1.0.0-beta.64.0.20260527140400-3bc5c6c4cf70

Severity	Signal	Evidence
medium	Remote Payload	matched "curl " · github.com/googlecontainertools/[email protected]/e2e/testdata/fn-eval/privilege-options/mount/.expected/exec.sh

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v1.0.0-beta.64.1.0.20260602093747-42fc54a57c89`	Low risk	0	2026-06-04
`v1.0.0-beta.64.1`	Low risk	0	2026-06-04
`v1.0.0-beta.64.0.20260601192224-8c95bf670cdb`	Low risk	0	2026-06-03
`v0.0.0-20260527140400-3bc5c6c4cf70`	Low risk	0	2026-05-30
`v1.0.0-beta.64.0.20260527140400-3bc5c6c4cf70`	Review	37	2026-05-29

Block this in CI

PkgRadar gates github.com/GoogleContainerTools/kpt (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/GoogleContainerTools/[email protected]