PyPI · pypi.org
data-product-forge
Py Import Time Subprocess: subprocess call — process spawning.
Why PkgRadar flagged 0.8.11
| Severity | Signal | Evidence |
|---|---|---|
| medium | Py Import Time Subprocess | subprocess call — process spawning. · data_product_forge-0.8.11/fluid_build/__init__.py |
| high | Py Runtime Dynamic Dangerous Import | Dynamic __import__('os') — reflection bypass for static checks. · data_product_forge-0.8.11/fluid_build/cli/ai_setup_browser.py |
| medium | Remote Payload | matched "curl " · data_product_forge-0.8.11/build-docker-image.sh |
| medium | Credential file access | matched "GOOGLE_APPLICATION_CREDENTIALS" · data_product_forge-0.8.11/fluid_build/providers/gcp/util/auth.py |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
0.8.11 | High risk | 159 | 2026-06-16 |
0.8.10 | High risk | 159 | 2026-06-08 |
0.8.9 | High risk | 159 | 2026-06-01 |
0.8.8 | High risk | 159 | 2026-05-31 |
0.8.7 | High risk | 159 | 2026-05-30 |
0.8.6 | High risk | 159 | 2026-05-30 |
0.8.5 | High risk | 159 | 2026-05-30 |
0.8.4 | High risk | 159 | 2026-05-30 |
Block this in CI
pkgradar gate --ecosystem pypi data-product-forge==0.8.11