Go modules · proxy.golang.org

github.com/verus-lang/verus

Remote Payload: matched "github.com/cvc5/cvc5/releases/download"

Why PkgRadar flagged v0.0.0-20260528043305-fa1787186f46

Severity	Signal	Evidence
medium	Remote Payload	matched "github.com/cvc5/cvc5/releases/download" · github.com/verus-lang/[email protected]/source/tools/get-cvc5.sh
medium	Remote Payload	matched "github.com/Z3Prover/z3/releases/download" · github.com/verus-lang/[email protected]/source/tools/get-z3.sh
medium	Remote Payload	matched "wget " · github.com/verus-lang/[email protected]/tools/veritas/get-z3.sh

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v0.0.0-20260611220753-8c06fbd72483`	Low risk	0	2026-06-12
`v0.0.0-20260610123639-a1076c9f482d`	Low risk	0	2026-06-11
`v0.0.0-20260610010417-e6a6d4fcc960`	Low risk	0	2026-06-11
`v0.0.0-20260609024234-01f40c2f5e88`	Low risk	0	2026-06-10
`v0.0.0-20260608180556-9d21bb3dd378`	Low risk	0	2026-06-09
`v0.0.0-20260608140048-9a4284b095f7`	Low risk	0	2026-06-09
`v0.0.0-20260607130355-cd0350583e52`	Low risk	0	2026-06-09
`v0.0.0-20260605174255-6edfff09f7f8`	Low risk	0	2026-06-06
`v0.0.0-20260531024020-5dd6d836101a`	Low risk	0	2026-06-02
`v0.0.0-20260528043305-fa1787186f46`	Review	36	2026-05-29

Block this in CI

PkgRadar gates github.com/verus-lang/verus (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/verus-lang/[email protected]