Maven · repo1.maven.org

com.walmartlabs.concord.runtime.v1:concord-runtime-impl-v1

Java Dynamic Classload: URLClassLoader / defineClass — runs attacker-provided bytecode.

Why PkgRadar flagged 2.42.0

Severity	Signal	Evidence
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · com/walmartlabs/concord/runner/Main.java
medium	Java Unsafe Deserialize	ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · com/walmartlabs/concord/runner/Main.java
medium	Java Unsafe Deserialize	ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · com/walmartlabs/concord/runner/engine/FileEventStorage.java
medium	Java Unsafe Deserialize	ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · com/walmartlabs/concord/runner/engine/FileFormStorage.java

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.42.0`	Review	21	2026-06-18

Block this in CI

PkgRadar gates com.walmartlabs.concord.runtime.v1:concord-runtime-impl-v1 (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem maven com.walmartlabs.concord.runtime.v1:[email protected]