Go modules · proxy.golang.org

gopkg.in/juju/charm.v5

Remote Payload: matched "curl "

Why PkgRadar flagged v5.0.0-20150820175011-aad3e4a7a176

Severity	Signal	Evidence
medium	Remote Payload	matched "curl " · gopkg.in/juju/[email protected]/charmrepo/charmstore.go
medium	Remote Payload	matched "curl " · gopkg.in/juju/[email protected]/charmrepo/legacy.go
medium	Remote Payload	matched "curl " · gopkg.in/juju/[email protected]/charmrepo/local.go
medium	Remote Payload	matched "curl " · gopkg.in/juju/[email protected]/charmrepo/params.go
medium	Remote Payload	matched "curl " · gopkg.in/juju/[email protected]/charmrepo/repo.go
medium	Remote Payload	matched "curl " · gopkg.in/juju/[email protected]/testing/charm.go

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v5.0.0-20150820175011-aad3e4a7a176`	High risk	50	2026-06-05

Block this in CI

PkgRadar gates gopkg.in/juju/charm.v5 (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go gopkg.in/juju/[email protected]