Go modules · proxy.golang.org

github.com/score-spec/score-compose

DNS / OAST exfiltration: matched "dig .Init.sk \"instanceServiceName\" \"\" .Shared }}-data\n target: /data\n {{ dig .Init.sk \"instanceServiceName\" \"\" .Shared }}-init:\n image: quay.io/minio/minio\n entrypoint: [\"/bin/bash\"]\n command:\n - \"-c\"\n - \"for s in $$("

Why PkgRadar flagged v0.0.0-20260601225550-6e13c308ef5d

Severity	Signal	Evidence
high	DNS / OAST exfiltration	matched "dig .Init.sk \"instanceServiceName\" \"\" .Shared }}-data\n target: /data\n {{ dig .Init.sk \"instanceServiceName\" \"\" .Shared }}-init:\n image: quay.io/minio/minio\n entrypoint: [\"/bin/bash\"]\n command:\n - \"-c\"\n - \"for s in $$(" · github.com/score-spec/[email protected]/internal/command/default.provisioners.yaml
medium	Remote Payload	matched "raw.githubusercontent.com" · github.com/score-spec/[email protected]/internal/command/init.go

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v0.0.0-20260601225550-6e13c308ef5d`	High risk	45	2026-06-05

Block this in CI

PkgRadar gates github.com/score-spec/score-compose (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/score-spec/[email protected]

Start free — 25 scans / mo View full evidence