Go modules · proxy.golang.org

github.com/grafana/alloy/tools

Remote Payload: matched "api.github.com/graphql"

Why PkgRadar flagged v0.0.0-20260610092523-46cd81f6aeb5

Severity	Signal	Evidence
medium	Remote Payload	matched "api.github.com/graphql" · github.com/grafana/alloy/[email protected]/release/internal/github/client.go

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v0.0.0-20260610092523-46cd81f6aeb5`	Review	12	2026-06-11
`v0.0.0-20260609144024-805ec5e93d0e`	Review	12	2026-06-11
`v0.0.0-20260608093643-dcb1ef33f57d`	Review	12	2026-06-09
`v0.0.0-20260605203330-c03b9af8c59c`	Review	12	2026-06-07
`v0.0.0-20260603131107-fc98bb598003`	Review	12	2026-06-04
`v0.0.0-20260601194600-1fbc9196fcc6`	Review	12	2026-06-03
`v0.0.0-20260530014404-8860ec155df6`	Review	12	2026-05-31

Block this in CI

PkgRadar gates github.com/grafana/alloy/tools (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/grafana/alloy/[email protected]