PyPI · pypi.org

vllm-tpu

Py Install Time Subprocess: subprocess call — process spawning.

Why PkgRadar flagged 0.21.0

Severity	Signal	Evidence
medium	Py Install Time Subprocess	subprocess call — process spawning. · vllm_tpu-0.21.0/setup.py
medium	Py Install Time Ctypes Load	ctypes.CDLL/cdll.LoadLibrary — loads native code into the process. · vllm_tpu-0.21.0/setup.py
medium	Remote Payload	matched "wget " · vllm_tpu-0.21.0/tools/ep_kernels/elastic_ep/install_eep_libraries.sh
medium	Remote Payload	matched "curl " · vllm_tpu-0.21.0/tools/ep_kernels/install_python_libraries.sh
medium	Remote Payload	matched "curl " · vllm_tpu-0.21.0/tools/install_gdrcopy.sh
medium	Remote Payload	matched "wget " · vllm_tpu-0.21.0/tools/pre_commit/shellcheck.sh

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.21.0`	High risk	71	2026-06-05

Block this in CI

PkgRadar gates vllm-tpu (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi vllm-tpu==0.21.0