@hiero-ledger/solo
An opinionated CLI tool to deploy and manage private Hedera Networks.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Active project with regular releases; new source files reflect feature growth, not injected code. | ai | |
| dependencies | unvetted-dep:elliptic | AI (dependencies): elliptic is a well-known crypto library; no advisory flagged for 6.6.1 in this context. | ai | |
| dependencies | unvetted-dep:stream-buffers | AI (dependencies): stream-buffers is a stable, widely-used utility library with no known malicious history. | ai | |
| phantom-deps | phantom-dep:esm | AI (phantom-deps): Phantom dep heuristic false positive; stable for this package. | ai | |
| phantom-deps | phantom-dep:figlet | AI (phantom-deps): Phantom dep heuristic false positive; stable for this package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Pattern is augmenting PATH for subprocess execution, not leaking secrets; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:shell-quote | AI (phantom-deps): Phantom dep heuristic false positive; stable for this package. | ai | |
| phantom-deps | phantom-dep:stream-buffers | AI (phantom-deps): Phantom dep heuristic false positive; stable for this package. | ai | |
| phantom-deps | phantom-dep:elliptic | AI (phantom-deps): Phantom dep heuristic false positive; stable for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decoding received message content for display/logging; no malicious payload hiding. | ai | |
| phantom-deps | phantom-dep:ip | AI (phantom-deps): Phantom dep heuristic false positive; stable for this package. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 0.72.0 | 36 / 57 | |
| 0.71.0 | 35 / 57 | |
| 0.69.0 | 35 / 57 | |
| 0.68.0 | 34 / 57 | |
| 0.67.0 | 34 / 57 | |
| 0.64.1 | 34 / 58 | |
v0.72.0
9 findings

Spreading entire process.env into an object — may capture all secrets

```typescript
  2562 |     shell: '/bin/bash',
  2563 |     maxBuffer: 1024 * 1024 * 10, // 10MB buffer
> 2564 |     env: {
  2565 |       ...process.env,
  2566 |       PATH: `${container.resolve(InjectTokens.HelmInstallationDirectory)}${PathEx.delimiter}${process.env.
```

Spreading entire process.env into an object — may capture all secrets

```typescript
  45 |   return new Promise<string[]>((resolve, reject): void => {
  46 |     const child: ChildProcessWithoutNullStreams = spawn(cmd, arguments_, {
> 47 |       env: {...process.env, ...environmentVariablesToAppend},
  48 |       shell: true,
  49 |       detached,
```

Spreading entire process.env into an object — may capture all secrets

```typescript
  171 |   public build(): HelmExecution {
  172 |     const command: string[] = this.buildCommand();
> 173 |     const environment: Record<string, string> = {...process.env};
  174 |     for (const [key, value] of this._environmentVariables.entries()) {
  175 |       environment[key] = value;
```

Spreading entire process.env into an object — may capture all secrets

```typescript
  68 |     this.process = spawn(command.join(' '), {
  69 |       shell: true,
> 70 |       env: {...process.env, ...environmentVariables},
  71 |     });
  72 |   }
```

Spreading entire process.env into an object — may capture all secrets

```typescript
  168 |   public build(): KindExecution {
  169 |     const command: string[] = this.buildCommand();
> 170 |     const environment: Record<string, string> = {...process.env};
  171 |     for (const [key, value] of this._environmentVariables.entries()) {
  172 |       environment[key] = value;
```

Spreading entire process.env into an object — may capture all secrets

```typescript
  43 |     this.process = spawn(command.join(' '), {
  44 |       shell: true,
> 45 |       env: {...process.env, ...environmentVariables},
  46 |     });
  47 |   }
```

Spreading entire process.env into an object — may capture all secrets

```typescript
  61 |       fullArguments,
  62 |       {
> 63 |         env: {...process.env, PATH: `${this.kubectlInstallationDirectory}${path.delimiter}${process.env.PATH}`},
  64 |         stdio: ['ignore', 'pipe', 'pipe'],
  65 |         windowsHide: os.platform() === 'win32',
```

Spreading entire process.env into an object — may capture all secrets

```typescript
  189 |
  190 |   const kubectlProcess: ChildProcess = spawn(kubectlCommand, commandArguments, {
> 191 |     env: {...process.env, PATH: `${kubectlInstallationDirectory}${path.delimiter}${process.env.PATH}`},
  192 |     stdio: options.captureOutput ? ['ignore', 'pipe', 'pipe'] : 'inherit',
  193 |     windowsHide: os.platform() === 'win32',
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.71.0
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.69.0
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.68.0
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.67.0
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.64.1
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.