← Home

@harness-engineering/cli

npm Repository Homepage

CLI for Harness Engineering toolkit

17
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

intense.visions

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff net-exec-file:dist/chunk-K4WRQTEF.js AI (source-diff): Large bundled CLI chunk; imports are standard well-known libs. SLSA provenance confirms CI/CD build integrity. ai
source-diff net-exec-file:dist/chunk-77EZGPSR.js AI (source-diff): Bundled ESM output for a CLI tool; imports are standard Node.js/npm modules, not dropper behavior. ai
source-diff net-exec-file:dist/chunk-KHMKAC6E.js AI (source-diff): File contains AST parsing (web-tree-sitter), file I/O, and crypto ops consistent with CLI code-analysis features; SLSA provenance confirms CI/CD build. ai
source-diff net-exec-file:dist/chunk-KQ6TDRPS.js AI (source-diff): Sample shows legitimate analysis/CLI tooling imports; SLSA provenance confirms CI/CD build integrity. ai
source-diff net-exec-file:dist/chunk-MI6MA6OP.js AI (source-diff): File contains standard ESM imports of known libraries for code analysis; no actual dropper/loader pattern present. ai
source-diff net-exec-file:dist/chunk-RFYF7TJS.js AI (source-diff): Bundled CLI tool; chunk imports are standard analysis libraries (zod, tree-sitter, eslint-parser), not malicious network+exec patterns. ai
source-diff net-exec-file:dist/chunk-MAFI6UWT.js AI (source-diff): Chunk imports are standard Node.js/ESM utilities (crypto, fs, path, zod, tree-sitter); consistent with a code-analysis CLI, not malware. ai
dependencies unvetted-dep:handlebars AI (dependencies): handlebars is a widely-used, well-maintained templating library; stable false positive for this package. ai
source-diff net-exec-file:dist/chunk-YYRQCQPZ.js AI (source-diff): Chunk contains legitimate CLI/analysis tooling code; SLSA provenance confirms CI/CD build integrity. ai
typosquat typosquat.levenshtein:joi AI (typosquat): Scoped org package @harness-engineering/cli cannot plausibly typosquat the unscoped 'joi'; levenshtein match is spurious. ai
phantom-deps phantom-dep:@harness-engineering/linter-gen AI (phantom-deps): Same-org monorepo dep; may be used indirectly or loaded at runtime without direct import. ai
phantom-deps phantom-dep:@harness-engineering/dashboard AI (phantom-deps): Same-org monorepo dep; may be used indirectly or loaded at runtime without direct import. ai
phantom-deps phantom-dep:tree-sitter-wasms AI (phantom-deps): Platform-specific binary package; phantom-dep heuristic is a known false positive for this type of dep. ai

Versions (showing 17 of 17)

Version Deps Published
2.6.1 22 / 5
2.5.0 22 / 5
2.2.0 22 / 5
2.1.0 22 / 5
1.28.1 21 / 5
1.27.1 21 / 5
1.26.0 21 / 5
1.25.5 21 / 5
1.25.1 21 / 5
1.18.0 20 / 5
1.17.0 19 / 5
1.12.0 17 / 5
1.9.0 12 / 5
1.8.2 12 / 5
1.4.0 8 / 4
1.0.1 8 / 4
1.0.0 8 / 4

v2.6.1

2 findings
HIGH New file with network + code execution: dist/chunk-YYRQCQPZ.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.5.0

2 findings
HIGH New file with network + code execution: dist/chunk-KQ6TDRPS.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.0

2 findings
HIGH New file with network + code execution: dist/chunk-K4WRQTEF.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.0

2 findings
HIGH New file with network + code execution: dist/chunk-MAFI6UWT.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.28.1

2 findings
HIGH New file with network + code execution: dist/chunk-RFYF7TJS.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.26.0

2 findings
HIGH New file with network + code execution: dist/chunk-77EZGPSR.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.25.5

2 findings
HIGH New file with network + code execution: dist/chunk-KHMKAC6E.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.25.1

2 findings
HIGH New file with network + code execution: dist/chunk-MI6MA6OP.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.18.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.17.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.12.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.9.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.8.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.