Go modules · proxy.golang.org

github.com/golang/vulndb

Remote Payload: matched "raw.githubusercontent.com"

Why PkgRadar flagged v0.0.0-20260602213947-fe9f323e1610

Severity	Signal	Evidence
medium	Remote Payload	matched "raw.githubusercontent.com" · github.com/golang/[email protected]/internal/cveutils/list.go
medium	Remote Payload	matched "raw.githubusercontent.com" · github.com/golang/[email protected]/internal/genericosv/fetch.go
medium	Remote Payload	matched "raw.githubusercontent.com" · github.com/golang/[email protected]/internal/ghsarepo/client.go
medium	Remote Payload	matched "raw.githubusercontent.com" · github.com/golang/[email protected]/internal/worker/false_positive_records.gen.go

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v0.0.0-20260602213947-fe9f323e1610`	High risk	48	2026-06-04
`v0.0.0-20260601213518-364303b8be0f`	High risk	48	2026-06-03
`v0.0.0-20260529191756-a07a698257c6`	Review	48	2026-05-30
`v0.0.0-20260526224918-e61df3ba2f50`	Review	48	2026-05-30

Block this in CI

PkgRadar gates github.com/golang/vulndb (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/golang/[email protected]