@hashgraph/solo

An opinionated CLI tool to deploy and manage private Hedera Networks.

Versions: 9
License: Apache-2.0
Install Scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

steven.sheehy, swirldslabs-admin, rbair23, nathan-swirldslabs, hedera-eng-automation, nana-ec

Keywords

solo, solo-charts, solo-network-manager

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
publish-pattern | new-deps-added | AI (publish-pattern): Active Hashgraph tooling package; new proto dependency is consistent with ledger protocol evolution, no malicious indicators. | ai |
source-diff | large-new-source-files | AI (source-diff): Actively developed CLI tool; incremental source file additions are expected across frequent releases. | ai |
dependencies | unvetted-dep:elliptic | AI (dependencies): elliptic was removed as a runtime dep in this version; finding is stale. | ai |
dependencies | unvetted-dep:tsyringe-neo | AI (dependencies): tsyringe-neo was removed as a runtime dep in this version; finding is stale. | ai |
dependencies | unvetted-dep:stream-buffers | AI (dependencies): stream-buffers was removed as a runtime dep in this version; finding is stale. | ai |
provenance | missing-githead | AI (provenance): SLSA provenance attestation present; gitHead absence is cosmetic given Sigstore-backed CI publish. | ai |
phantom-deps | phantom-dep:shell-quote | AI (phantom-deps): Phantom dep heuristic false positive for this established toolchain package. | ai |
semgrep | semgrep:env-spread | AI (semgrep): Pattern is used to pass augmented PATH to subprocesses; not credential exfiltration. | ai |
phantom-deps | phantom-dep:stream-buffers | AI (phantom-deps): Phantom dep heuristic false positive for this established toolchain package. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Decoding Hedera network message content for display; no malicious payload pattern. | ai |
phantom-deps | phantom-dep:ip | AI (phantom-deps): Phantom dep heuristic false positive for this established toolchain package. | ai |
phantom-deps | phantom-dep:esm | AI (phantom-deps): Phantom dep heuristic false positive for this established toolchain package. | ai |
phantom-deps | phantom-dep:figlet | AI (phantom-deps): Phantom dep heuristic false positive for this established toolchain package. | ai |
phantom-deps | phantom-dep:elliptic | AI (phantom-deps): Phantom dep heuristic false positive for this established toolchain package. | ai |

Versions (showing 9 of 9)

Version | Deps | Published
0.72.0 | 36 / 57 |
0.71.0 | 35 / 57 |
0.70.0 | 35 / 57 |
0.69.0 | 35 / 57 |
0.68.0 | 34 / 57 |
0.67.0 | 34 / 57 |
0.66.0 | 34 / 57 |
0.65.0 | 34 / 57 |
0.40.0 | 32 / 59 |

v0.72.0

9 findings
HIGH env-spread: src/commands/node/tasks.ts:2564 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      2562 | shell: '/bin/bash',
      2563 | maxBuffer: 1024 * 1024 * 10, // 10MB buffer
    > 2564 | env: {
      2565 |   ...process.env,
      2566 |   PATH: `${container.resolve(InjectTokens.HelmInstallationDirectory)}${PathEx.delimiter}${process.env.

HIGH env-spread: src/core/shell-runner.ts:47 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      45 | return new Promise<string[]>((resolve, reject): void => {
      46 |   const child: ChildProcessWithoutNullStreams = spawn(cmd, arguments_, {
    > 47 |     env: {...process.env, ...environmentVariablesToAppend},
      48 |     shell: true,
      49 |     detached,

HIGH env-spread: src/integration/helm/execution/helm-execution-builder.ts:173 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      171 | public build(): HelmExecution {
      172 |   const command: string[] = this.buildCommand();
    > 173 |   const environment: Record<string, string> = {...process.env};
      174 |   for (const [key, value] of this._environmentVariables.entries()) {
      175 |     environment[key] = value;

HIGH env-spread: src/integration/helm/execution/helm-execution.ts:70 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      68 | this.process = spawn(command.join(' '), {
      69 |   shell: true,
    > 70 |   env: {...process.env, ...environmentVariables},
      71 | });
      72 | }

HIGH env-spread: src/integration/kind/execution/kind-execution-builder.ts:170 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      168 | public build(): KindExecution {
      169 |   const command: string[] = this.buildCommand();
    > 170 |   const environment: Record<string, string> = {...process.env};
      171 |   for (const [key, value] of this._environmentVariables.entries()) {
      172 |     environment[key] = value;

HIGH env-spread: src/integration/kind/execution/kind-execution.ts:45 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      43 | this.process = spawn(command.join(' '), {
      44 |   shell: true,
    > 45 |   env: {...process.env, ...environmentVariables},
      46 | });
      47 | }

HIGH env-spread: src/integration/kube/k8-client/resources/container/k8-client-container.ts:63 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      61 |   fullArguments,
      62 |   {
    > 63 |     env: {...process.env, PATH: `${this.kubectlInstallationDirectory}${path.delimiter}${process.env.PATH}`},
      64 |     stdio: ['ignore', 'pipe', 'pipe'],
      65 |     windowsHide: os.platform() === 'win32',

HIGH env-spread: src/integration/kube/k8-client/resources/pod/persist-port-forward.ts:191 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      189 |
      190 | const kubectlProcess: ChildProcess = spawn(kubectlCommand, commandArguments, {
    > 191 |   env: {...process.env, PATH: `${kubectlInstallationDirectory}${path.delimiter}${process.env.PATH}`},
      192 |   stdio: options.captureOutput ? ['ignore', 'pipe', 'pipe'] : 'inherit',
      193 |   windowsHide: os.platform() === 'win32',

INFO Has SLSA provenance attestation (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.71.0

2 findings
HIGH Missing gitHead — previous versions had it (source: provenance)

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.70.0

9 findings
HIGH env-spread: src/commands/node/tasks.ts:2480 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      2478 | shell: '/bin/bash',
      2479 | maxBuffer: 1024 * 1024 * 10, // 10MB buffer
    > 2480 | env: {
      2481 |   ...process.env,
      2482 |   PATH: `${container.resolve(InjectTokens.HelmInstallationDirectory)}${path.delimiter}${process.env.PA

HIGH env-spread: src/core/shell-runner.ts:32 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      30 | return new Promise<string[]>((resolve, reject): void => {
      31 |   const child: ChildProcessWithoutNullStreams = spawn(cmd, arguments_, {
    > 32 |     env: {...process.env, ...environmentVariablesToAppend},
      33 |     shell: true,
      34 |     detached,

HIGH env-spread: src/integration/helm/execution/helm-execution-builder.ts:173 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      171 | public build(): HelmExecution {
      172 |   const command: string[] = this.buildCommand();
    > 173 |   const environment: Record<string, string> = {...process.env};
      174 |   for (const [key, value] of this._environmentVariables.entries()) {
      175 |     environment[key] = value;

HIGH env-spread: src/integration/helm/execution/helm-execution.ts:54 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      52 | this.process = spawn(command.join(' '), {
      53 |   shell: true,
    > 54 |   env: {...process.env, ...environmentVariables},
      55 | });
      56 | }

HIGH env-spread: src/integration/kind/execution/kind-execution-builder.ts:170 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      168 | public build(): KindExecution {
      169 |   const command: string[] = this.buildCommand();
    > 170 |   const environment: Record<string, string> = {...process.env};
      171 |   for (const [key, value] of this._environmentVariables.entries()) {
      172 |     environment[key] = value;

HIGH env-spread: src/integration/kind/execution/kind-execution.ts:44 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      42 | this.process = spawn(command.join(' '), {
      43 |   shell: true,
    > 44 |   env: {...process.env, ...environmentVariables},
      45 | });
      46 | }

HIGH env-spread: src/integration/kube/k8-client/resources/container/k8-client-container.ts:62 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      60 |   fullArguments,
      61 |   {
    > 62 |     env: {...process.env, PATH: `${this.kubectlInstallationDirectory}${path.delimiter}${process.env.PATH}`},
      63 |     stdio: ['ignore', 'pipe', 'pipe'],
      64 |     windowsHide: os.platform() === 'win32',

HIGH env-spread: src/integration/kube/k8-client/resources/pod/persist-port-forward.ts:64 (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      62 |
      63 | const kubectlProcess: ChildProcess = spawn(kubectlCommand, commandArguments, {
    > 64 |   env: {...process.env, PATH: `${kubectlInstallationDirectory}${path.delimiter}${process.env.PATH}`},
      65 |   stdio: options.captureOutput ? ['ignore', 'pipe', 'pipe'] : 'inherit',
      66 |   windowsHide: os.platform() === 'win32',

INFO Has SLSA provenance attestation (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.69.0

2 findings
INFO Has SLSA provenance attestation (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it (source: provenance)

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v0.68.0

1 finding
INFO Has SLSA provenance attestation (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.67.0

2 findings
INFO Has SLSA provenance attestation (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it (source: provenance)

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v0.66.0

1 finding
INFO Has SLSA provenance attestation (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.65.0

1 finding
INFO Has SLSA provenance attestation (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.40.0

1 finding
LOW No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.