PkgRadar

Maven · repo1.maven.org

com.google.javascript:closure-compiler-unshaded

Java Unsafe Deserialize: ObjectInputStream / XStream.fromXML — untrusted deserialization sink.

Why PkgRadar flagged v20260610

SeveritySignalEvidence
mediumJava Unsafe DeserializeObjectInputStream / XStream.fromXML — untrusted deserialization sink. · com/google/javascript/jscomp/Compiler.java

Scanned versions

VersionVerdictScoreScanned (UTC)
v20260610Review62026-06-11
v20260607Review62026-06-09
v20260526Review62026-05-28

Block this in CI

PkgRadar gates com.google.javascript:closure-compiler-unshaded (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem maven com.google.javascript:closure-compiler-unshaded@v20260610
Start free — 25 scans / moView full evidence