Go modules · proxy.golang.org

github.com/smartcontractkit/mcms

Go Mod Replace Local: go.mod replace directive redirects to a local filesystem path — non-portable / dev-time only.

Why PkgRadar flagged v0.45.2-0.20260604181544-da0bd7da623d

Severity	Signal	Evidence
medium	Go Mod Replace Local	go.mod replace directive redirects to a local filesystem path — non-portable / dev-time only. · github.com/smartcontractkit/[email protected]/go.mod

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v0.46.0`	Low risk	0	2026-06-06
`v0.45.2-0.20260605152204-7da8a8eec372`	Low risk	0	2026-06-06
`v0.45.2-0.20260604181544-da0bd7da623d`	Review	10	2026-06-06
`v0.45.2-0.20260605010100-d1e8d620ac8a`	Low risk	0	2026-06-06
`v0.45.2-0.20260604053848-48d8a8691ced`	Low risk	0	2026-06-05
`v0.45.2-0.20260602134349-0cd9cb459d7f`	Low risk	0	2026-06-03
`v0.45.2-0.20260528044117-c5e2be5e88a5`	Low risk	0	2026-06-01
`v0.45.2-0.20260531163148-3a6d240f5aaf`	Low risk	0	2026-06-01

Block this in CI

PkgRadar gates github.com/smartcontractkit/mcms (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/smartcontractkit/[email protected]