PyPI · pypi.org

goal

Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution

Why PkgRadar flagged 2.1.250

Severity	Signal	Evidence
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · goal-2.1.250/goal/cli/version_types.py
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · goal-2.1.250/goal/dependency_update.py
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · goal-2.1.250/goal/package_managers.py
medium	Py Import Time Subprocess	subprocess call — process spawning. · goal-2.1.250/goal/cli/__init__.py

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.1.250`	High risk	87	2026-06-16
`2.1.248`	High risk	87	2026-06-16
`2.1.247`	High risk	87	2026-06-13
`2.1.246`	Review	37	2026-06-08
`2.1.245`	Review	37	2026-06-08
`2.1.244`	Review	37	2026-06-08
`2.1.243`	Review	37	2026-06-08
`2.1.242`	Review	37	2026-06-08
`2.1.241`	Review	37	2026-06-03
`2.1.240`	Review	37	2026-05-30
`2.1.239`	Review	37	2026-05-30
`2.1.237`	Review	37	2026-05-30
`2.1.236`	Review	37	2026-05-30
`2.1.235`	Review	37	2026-05-30

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates goal (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi goal==2.1.250