Go modules · proxy.golang.org

github.com/apache/groovy

Remote Payload: matched "curl "

Why PkgRadar flagged v0.0.0-20260527104648-f220aa2fe7a3

Severity	Signal	Evidence
medium	Remote Payload	matched "curl " · github.com/apache/[email protected]/.muse/codenarc.sh
medium	Remote Payload	matched "curl " · github.com/apache/[email protected]/etc/bin/download-release-artifacts.sh
medium	Remote Payload	matched "curl " · github.com/apache/[email protected]/etc/bin/verify.sh

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v0.0.0-20260602065805-653195f4057c`	Low risk	0	2026-06-03
`v0.0.0-20260602064131-25e23120efca`	Low risk	0	2026-06-03
`v0.0.0-20260602020858-e93430ef8273`	Low risk	0	2026-06-03
`v0.0.0-20260601213019-aae4856c7c02`	Low risk	0	2026-06-02
`v0.0.0-20260601052225-90e292c1ead2`	Low risk	0	2026-06-02
`v0.0.0-20260601034937-016b0834897e`	Low risk	0	2026-06-02
`v0.0.0-20260601030430-945b406f51ff`	Low risk	0	2026-06-02
`v0.0.0-20260531152017-86ecea47ef80`	Low risk	0	2026-06-01
`v0.0.0-20260531065358-7bfdeea2361c`	Low risk	0	2026-06-01
`v0.0.0-20260530231006-0b0f8480dbcc`	Low risk	0	2026-05-31
`v0.0.0-20260530103128-9a2496973b71`	Low risk	0	2026-05-31
`v0.0.0-20260529091914-f6e2248d1262`	Low risk	0	2026-05-30
`v0.0.0-20260527104648-f220aa2fe7a3`	Review	41	2026-05-29

Block this in CI

PkgRadar gates github.com/apache/groovy (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/apache/[email protected]