PyPI · pypi.org

harbor

Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution

Why PkgRadar flagged 0.13.2

Severity	Signal	Evidence
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · harbor-0.13.2/src/harbor/agents/installed/cline/cline.py
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · harbor-0.13.2/src/harbor/cli/view.py
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · harbor-0.13.2/src/harbor/db/types.py
medium	Py Custom Build Backend	Non-standard PEP 517 build-backend `uv_build` — runs custom code at install time. · pyproject.toml
medium	Remote Payload	matched "curl\n\n" · harbor-0.13.2/src/harbor/cli/template-task/pytest-tests/test.sh

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.13.2`	High risk	57	2026-06-11
`0.13.1`	Review	22	2026-06-03
`0.13.0`	Review	22	2026-05-30
`0.9.0`	Review	32	2026-05-28

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates harbor (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi harbor==0.13.2