PkgRadar

PyPI · pypi.org

liger-kernel-nightly

Py Install Time Subprocess: subprocess call with shell=True — passes argv to /bin/sh.

Why PkgRadar flagged 0.8.0.dev20260611145756

SeveritySignalEvidence
mediumPy Install Time Subprocesssubprocess call with shell=True — passes argv to /bin/sh. · liger_kernel_nightly-0.8.0.dev20260611145756/setup.py
mediumPy Install Time Subprocesssubprocess call — process spawning. · liger_kernel_nightly-0.8.0.dev20260611145756/setup.py

Scanned versions

VersionVerdictScoreScanned (UTC)
0.8.0.dev20260611145756Review502026-06-11
0.8.0.dev20260611145605Review502026-06-11
0.8.0.dev20260610212417Review502026-06-10
0.8.0.dev20260610205228Review502026-06-10
0.8.0.dev20260609202624Review502026-06-09
0.8.0.dev20260605180032Review502026-06-05
0.8.0.dev20260605175131Review502026-06-05
0.8.0.dev20260604160932Review502026-06-04
0.8.0.dev20260604160620Review502026-06-04
0.8.0.dev20260604153053Review502026-06-04
0.8.0.dev20260601200337Review502026-06-01
0.8.0.dev20260528004734Review502026-05-30
0.8.0.dev20260527233919Review502026-05-30
0.8.0.dev20260526211009Review502026-05-30

Block this in CI

PkgRadar gates liger-kernel-nightly (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi liger-kernel-nightly==0.8.0.dev20260611145756
Start free — 25 scans / moView full evidence