@wireio/test-cluster-tool

Core library and CLI for creating, running, and tearing down multi-chain WIRE test clusters. Ships the `wire-test-cluster` binary, process managers for every cluster component, and typed clients for WIRE / Ethereum / Solana.

Versions: 2
License
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jglanzwn-user

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into child_process spawn options for Hardhat; standard pattern for this cluster tool. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All raw IP references are localhost/127.0.0.1 for local cluster URL construction; not exfiltration. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Cluster orchestration tool legitimately spawns child processes (Hardhat, CLI clients). | ai | |
| phantom-deps | phantom-dep:@wireio/shared-node | AI (phantom-deps): Same org scope; likely used transitively or in config files. | ai | |
| phantom-deps | phantom-dep:@wireio/opp-solidity-models | AI (phantom-deps): Same org scope; likely used transitively or in config files. | ai | |

Versions (showing 2 of 2)

| Version | Deps | Published |
|---|---|---|
| 0.1.9 | 21 / 6 | |
| 0.1.5 | 21 / 6 | |

v0.1.9

5 findings
HIGH env-spread: lib/cjs/cluster/ETHBootstrapper.js:181 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  179 | timeout: HardhatDeployTimeoutMs,
  180 | maxBuffer: HardhatDeployBufferBytes,
> 181 | env: {
  182 |   ...process.env,
  183 |   // Ensure hardhat uses the right network config
```

HIGH env-spread: lib/cjs/processes/ProcessManager.js:237 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  235 | const exitDeferred = new shared_1.Deferred(), pidFile = this.toProcessPidPath(config.label), child = (0, child_p
  236 | cwd: config.cwd,
> 237 | env: {
  238 |   ...process.env,
  239 |   ...(config.env ?? {})
```

HIGH env-spread: src/cluster/ETHBootstrapper.ts:255 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  253 | timeout: HardhatDeployTimeoutMs,
  254 | maxBuffer: HardhatDeployBufferBytes,
> 255 | env: {
  256 |   ...process.env,
  257 |   // Ensure hardhat uses the right network config
```

HIGH env-spread: src/processes/ProcessManager.ts:307 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  305 | child = spawn(config.command, config.args, {
  306 |   cwd: config.cwd,
> 307 |   env: {
  308 |     ...process.env,
  309 |     ...(config.env ?? {})
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.5

3 findings
HIGH env-spread: lib/cjs/cluster/ETHBootstrapper.js:181 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  179 | timeout: HardhatDeployTimeoutMs,
  180 | maxBuffer: HardhatDeployBufferBytes,
> 181 | env: {
  182 |   ...process.env,
  183 |   // Ensure hardhat uses the right network config
```

HIGH env-spread: lib/cjs/processes/ProcessManager.js:237 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  235 | const exitDeferred = new shared_1.Deferred(), pidFile = this.toProcessPidPath(config.label), child = (0, child_p
  236 | cwd: config.cwd,
> 237 | env: {
  238 |   ...process.env,
  239 |   ...(config.env ?? {})
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.