Go modules · proxy.golang.org
github.com/xz-dev/rclone
Go Generate Shell: //go:generate directive shells out to curl/wget/bash — runs during `go generate`.
Why PkgRadar flagged v1.70.0
| Severity | Signal | Evidence |
|---|---|---|
| medium | Go Generate Shell | //go:generate directive shells out to curl/wget/bash — runs during `go generate`. · github.com/xz-dev/[email protected]/vfs/vfs.go |
| medium | Remote Payload | matched "cURL " · github.com/xz-dev/[email protected]/backend/azurefiles/azurefiles.go |
| medium | Remote Payload | matched "cURL " · github.com/xz-dev/[email protected]/backend/ulozto/api/types.go |
| medium | Remote Payload | matched "cURL " · github.com/xz-dev/[email protected]/backend/yandex/api/types.go |
| medium | Remote Payload | matched "cURL " · github.com/xz-dev/[email protected]/backend/yandex/yandex.go |
| medium | Remote Payload | matched "cURL\n\t" · github.com/xz-dev/[email protected]/lib/http/context.go |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
v1.70.0 | High risk | 95 | 2026-06-08 |
v1.74.0 | High risk | 119 | 2026-06-08 |
v1.74.1-0.20260504081948-f346ac3c95cf | High risk | 119 | 2026-06-08 |
Block this in CI
pkgradar gate --ecosystem go github.com/xz-dev/[email protected]