Go modules · proxy.golang.org

github.com/hajimehoshi/guigui

Remote Payload: matched "github.com/notofonts/noto-cjk/releases/download"

Why PkgRadar flagged v0.0.0-20260609164110-721b8fc73a67

Severity	Signal	Evidence
medium	Remote Payload	matched "github.com/notofonts/noto-cjk/releases/download" · github.com/hajimehoshi/[email protected]/basicwidget/cjkfont/gen.go
medium	Remote Payload	matched "github.com/rsms/inter/releases/download" · github.com/hajimehoshi/[email protected]/basicwidget/internal/font/gen.go

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v0.0.0-20260609164110-721b8fc73a67`	Review	24	2026-06-11
`v0.0.0-20260606103249-bd5fcc7ba67a`	Review	24	2026-06-07
`v0.0.0-20260605151512-64b24e581d57`	Review	24	2026-06-06
`v0.0.0-20260604152825-da84e5173b09`	Review	24	2026-06-05
`v0.0.0-20260529164304-f6fa4eb0c666`	Review	24	2026-06-02
`v0.0.0-20260529030226-3dfaa76ecefb`	Review	24	2026-05-30

Block this in CI

PkgRadar gates github.com/hajimehoshi/guigui (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/hajimehoshi/[email protected]