PyPI · pypi.org

attestor

Py Runtime Dynamic Dangerous Import: Dynamic __import__('os') — reflection bypass for static checks.

Why PkgRadar flagged 4.1.11

Severity	Signal	Evidence
high	Py Runtime Dynamic Dangerous Import	Dynamic __import__('os') — reflection bypass for static checks. · attestor-4.1.11/attestor/consolidation/reflection.py
high	Py Runtime Dynamic Dangerous Import	Dynamic __import__('os') — reflection bypass for static checks. · attestor-4.1.11/attestor/extraction/llm_entity_extractor.py

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`4.1.11`	High risk	53	2026-05-30
`4.1.10`	High risk	53	2026-05-30
`4.1.8`	High risk	53	2026-05-30
`4.1.7`	High risk	53	2026-05-30
`4.1.6`	High risk	53	2026-05-30
`4.1.5`	High risk	53	2026-05-30
`4.1.4`	High risk	53	2026-05-30
`4.1.3`	High risk	53	2026-05-30
`4.1.2`	High risk	53	2026-05-30
`4.1.1`	High risk	53	2026-05-30

Block this in CI

PkgRadar gates attestor (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi attestor==4.1.11