Go modules · proxy.golang.org

github.com/ory/oathkeeper

Go Mod Replace Local: go.mod replace directive redirects to a local filesystem path — non-portable / dev-time only.

Why PkgRadar flagged v0.40.10-0.20260528133806-48d1baf98bd8

Severity	Signal	Evidence
medium	Go Mod Replace Local	go.mod replace directive redirects to a local filesystem path — non-portable / dev-time only. · github.com/ory/[email protected]/go.mod

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v0.40.10-0.20260601134135-d55f9f7675b6`	Low risk	0	2026-06-03
`v0.0.0-20260601134135-d55f9f7675b6`	Low risk	0	2026-06-03
`v0.40.10-0.20260529091508-046df4d7d586`	Low risk	0	2026-06-01
`v0.0.0-20260529091508-046df4d7d586`	Low risk	0	2026-06-01
`v0.40.10-0.20260528133806-48d1baf98bd8`	Review	10	2026-05-29
`v0.0.0-20260528133806-48d1baf98bd8`	Review	10	2026-05-29

Block this in CI

PkgRadar gates github.com/ory/oathkeeper (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/ory/[email protected]