Go modules · proxy.golang.org

github.com/k0sproject/k0smotron

Remote Payload: matched "Invoke-WebRequest"

Why PkgRadar flagged v1.10.6-0.20260605183823-da7b670f9e03

Severity	Signal	Evidence
medium	Remote Payload	matched "Invoke-WebRequest" · github.com/k0sproject/[email protected]/internal/controller/bootstrap/worker_bootstrap_controller.go
medium	Remote Payload	matched "curl " · github.com/k0sproject/[email protected]/internal/controller/util/download.go

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v1.10.6-0.20260605183823-da7b670f9e03`	Review	27	2026-06-13
`v1.10.6-0.20260601164453-c16b361a62ca`	Review	15	2026-06-03
`v1.10.7`	Review	15	2026-06-03

Block this in CI

PkgRadar gates github.com/k0sproject/k0smotron (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/k0sproject/[email protected]