npm - @aikidosec/safe-chain - Versions diffs - 0.0.1-immutable-releases-beta - Mend

@aikidosec/safe-chain 0.0.1-immutable-releases-beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (112) hide show

package/LICENSE +674 -0
package/README.md +517 -0
package/bin/aikido-bun.js +14 -0
package/bin/aikido-bunx.js +14 -0
package/bin/aikido-npm.js +14 -0
package/bin/aikido-npx.js +14 -0
package/bin/aikido-pip.js +17 -0
package/bin/aikido-pip3.js +17 -0
package/bin/aikido-pipx.js +16 -0
package/bin/aikido-pnpm.js +14 -0
package/bin/aikido-pnpx.js +14 -0
package/bin/aikido-poetry.js +13 -0
package/bin/aikido-python.js +19 -0
package/bin/aikido-python3.js +19 -0
package/bin/aikido-uv.js +16 -0
package/bin/aikido-yarn.js +14 -0
package/bin/safe-chain.js +130 -0
package/docs/banner.svg +151 -0
package/docs/safe-package-manager-demo.gif +0 -0
package/docs/safe-package-manager-demo.png +0 -0
package/docs/shell-integration.md +149 -0
package/docs/troubleshooting.md +321 -0
package/npm-shrinkwrap.json +4069 -0
package/package.json +72 -0
package/src/api/aikido.js +187 -0
package/src/api/npmApi.js +71 -0
package/src/config/cliArguments.js +161 -0
package/src/config/configFile.js +327 -0
package/src/config/environmentVariables.js +57 -0
package/src/config/settings.js +247 -0
package/src/environment/environment.js +14 -0
package/src/environment/userInteraction.js +122 -0
package/src/main.js +123 -0
package/src/packagemanager/_shared/commandErrors.js +17 -0
package/src/packagemanager/_shared/matchesCommand.js +18 -0
package/src/packagemanager/bun/createBunPackageManager.js +48 -0
package/src/packagemanager/currentPackageManager.js +79 -0
package/src/packagemanager/npm/createPackageManager.js +72 -0
package/src/packagemanager/npm/dependencyScanner/commandArgumentScanner.js +74 -0
package/src/packagemanager/npm/dependencyScanner/nullScanner.js +9 -0
package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.js +144 -0
package/src/packagemanager/npm/runNpmCommand.js +20 -0
package/src/packagemanager/npm/utils/abbrevs-generated.js +359 -0
package/src/packagemanager/npm/utils/cmd-list.js +174 -0
package/src/packagemanager/npm/utils/npmCommands.js +34 -0
package/src/packagemanager/npx/createPackageManager.js +15 -0
package/src/packagemanager/npx/dependencyScanner/commandArgumentScanner.js +43 -0
package/src/packagemanager/npx/parsing/parsePackagesFromArguments.js +130 -0
package/src/packagemanager/npx/runNpxCommand.js +20 -0
package/src/packagemanager/pip/createPackageManager.js +25 -0
package/src/packagemanager/pip/pipSettings.js +6 -0
package/src/packagemanager/pip/runPipCommand.js +209 -0
package/src/packagemanager/pipx/createPipXPackageManager.js +18 -0
package/src/packagemanager/pipx/runPipXCommand.js +60 -0
package/src/packagemanager/pnpm/createPackageManager.js +57 -0
package/src/packagemanager/pnpm/dependencyScanner/commandArgumentScanner.js +35 -0
package/src/packagemanager/pnpm/parsing/parsePackagesFromArguments.js +109 -0
package/src/packagemanager/pnpm/runPnpmCommand.js +32 -0
package/src/packagemanager/poetry/createPoetryPackageManager.js +72 -0
package/src/packagemanager/uv/createUvPackageManager.js +18 -0
package/src/packagemanager/uv/runUvCommand.js +66 -0
package/src/packagemanager/yarn/createPackageManager.js +41 -0
package/src/packagemanager/yarn/dependencyScanner/commandArgumentScanner.js +35 -0
package/src/packagemanager/yarn/parsing/parsePackagesFromArguments.js +128 -0
package/src/packagemanager/yarn/runYarnCommand.js +36 -0
package/src/registryProxy/certBundle.js +203 -0
package/src/registryProxy/certUtils.js +178 -0
package/src/registryProxy/getConnectTimeout.js +13 -0
package/src/registryProxy/http-utils.js +80 -0
package/src/registryProxy/interceptors/createInterceptorForEcoSystem.js +25 -0
package/src/registryProxy/interceptors/interceptorBuilder.js +179 -0
package/src/registryProxy/interceptors/minimumPackageAgeExclusions.js +33 -0
package/src/registryProxy/interceptors/npm/modifyNpmInfo.js +180 -0
package/src/registryProxy/interceptors/npm/npmInterceptor.js +101 -0
package/src/registryProxy/interceptors/npm/parseNpmPackageUrl.js +60 -0
package/src/registryProxy/interceptors/pip/modifyPipInfo.js +167 -0
package/src/registryProxy/interceptors/pip/modifyPipJsonResponse.js +176 -0
package/src/registryProxy/interceptors/pip/parsePipPackageUrl.js +162 -0
package/src/registryProxy/interceptors/pip/pipInterceptor.js +122 -0
package/src/registryProxy/interceptors/pip/pipMetadataResponseUtils.js +27 -0
package/src/registryProxy/interceptors/pip/pipMetadataVersionUtils.js +131 -0
package/src/registryProxy/interceptors/suppressedVersionsState.js +21 -0
package/src/registryProxy/isImdsEndpoint.js +13 -0
package/src/registryProxy/mitmRequestHandler.js +240 -0
package/src/registryProxy/plainHttpProxy.js +95 -0
package/src/registryProxy/registryProxy.js +255 -0
package/src/registryProxy/tunnelRequestHandler.js +213 -0
package/src/scanning/audit/index.js +129 -0
package/src/scanning/index.js +82 -0
package/src/scanning/malwareDatabase.js +131 -0
package/src/scanning/newPackagesDatabaseBuilder.js +71 -0
package/src/scanning/newPackagesDatabaseWarnings.js +17 -0
package/src/scanning/newPackagesListCache.js +126 -0
package/src/scanning/packageNameVariants.js +29 -0
package/src/shell-integration/helpers.js +304 -0
package/src/shell-integration/path-wrappers/templates/unix-wrapper.template.sh +22 -0
package/src/shell-integration/path-wrappers/templates/windows-wrapper.template.cmd +24 -0
package/src/shell-integration/setup-ci.js +172 -0
package/src/shell-integration/setup.js +129 -0
package/src/shell-integration/shellDetection.js +39 -0
package/src/shell-integration/startup-scripts/init-fish.fish +115 -0
package/src/shell-integration/startup-scripts/init-posix.sh +96 -0
package/src/shell-integration/startup-scripts/init-pwsh.ps1 +171 -0
package/src/shell-integration/supported-shells/bash.js +152 -0
package/src/shell-integration/supported-shells/fish.js +95 -0
package/src/shell-integration/supported-shells/powershell.js +100 -0
package/src/shell-integration/supported-shells/windowsPowershell.js +100 -0
package/src/shell-integration/supported-shells/zsh.js +92 -0
package/src/shell-integration/teardown.js +112 -0
package/src/ultimate/ultimateTroubleshooting.js +111 -0
package/src/utils/safeSpawn.js +153 -0
package/tsconfig.json +21 -0

package/src/registryProxy/interceptors/minimumPackageAgeExclusions.js ADDED Viewed

@@ -0,0 +1,33 @@
+import { getMinimumPackageAgeExclusions, getEcoSystem } from "../../config/settings.js";
+import { getEquivalentPackageNames } from "../../scanning/packageNameVariants.js";
+/**
+ * Checks if a package name matches an exclusion pattern.
+ * Supports trailing wildcard (*) for prefix matching.
+ * @param {string} packageName
+ * @param {string} pattern
+ * @returns {boolean}
+ */
+export function matchesExclusionPattern(packageName, pattern) {
+  if (pattern.endsWith("/*")) {
+    return packageName.startsWith(pattern.slice(0, -1));
+  }
+  return packageName === pattern;
+}
+/**
+ * @param {string | undefined} packageName
+ * @returns {boolean}
+ */
+export function isExcludedFromMinimumPackageAge(packageName) {
+  if (!packageName) {
+    return false;
+  }
+  const exclusions = getMinimumPackageAgeExclusions();
+  const candidateNames = getEquivalentPackageNames(packageName, getEcoSystem());
+  return exclusions.some((pattern) =>
+    candidateNames.some((name) => matchesExclusionPattern(name, pattern))
+  );
+}

package/src/registryProxy/interceptors/npm/modifyNpmInfo.js ADDED Viewed

@@ -0,0 +1,180 @@
+import { getMinimumPackageAgeHours } from "../../../config/settings.js";
+import { ui } from "../../../environment/userInteraction.js";
+import { clearCachingHeaders, getHeaderValueAsString } from "../../http-utils.js";
+import { recordSuppressedVersion } from "../suppressedVersionsState.js";
+/**
+ * @param {NodeJS.Dict<string | string[]>} headers
+ * @returns {NodeJS.Dict<string | string[]>}
+ */
+export function modifyNpmInfoRequestHeaders(headers) {
+  const accept = getHeaderValueAsString(headers, "accept");
+  if (accept?.includes("application/vnd.npm.install-v1+json")) {
+    // The npm registry sometimes serves a more compact format that lacks
+    // the time metadata we need to filter out too new packages.
+    // Force the registry to return the full metadata by changing the Accept header.
+    headers["accept"] = "application/json";
+  }
+  return headers;
+}
+/**
+ * @param {string} url
+ * @returns {boolean}
+ */
+export function isPackageInfoUrl(url) {
+  // Remove query string and fragment to get the actual path
+  const urlWithoutParams = url.split("?")[0].split("#")[0];
+  // Tarball downloads end with .tgz
+  if (urlWithoutParams.endsWith(".tgz")) return false;
+  // Special endpoints start with /-/ and should not be modified
+  // Examples: /-/npm/v1/security/advisories/bulk, /-/v1/search, /-/package/foo/access
+  if (urlWithoutParams.includes("/-/")) return false;
+  // Everything else is package metadata that can be modified
+  return true;
+}
+/**
+ *
+ * @param {Buffer} body
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @returns Buffer
+ */
+export function modifyNpmInfoResponse(body, headers) {
+  try {
+    const contentType = getHeaderValueAsString(headers, "content-type");
+    if (!contentType?.toLowerCase().includes("application/json")) {
+      return body;
+    }
+    if (body.byteLength === 0) {
+      return body;
+    }
+    // utf-8 is default encoding for JSON, so we don't check if charset is defined in content-type header
+    const bodyContent = body.toString("utf8");
+    const bodyJson = JSON.parse(bodyContent);
+    if (!bodyJson.time || !bodyJson["dist-tags"] || !bodyJson.versions) {
+      // Just return the current body if the format is not
+      return body;
+    }
+    const cutOff = new Date(
+      new Date().getTime() - getMinimumPackageAgeHours() * 3600 * 1000
+    );
+    const hasLatestTag = !!bodyJson["dist-tags"]["latest"];
+    const versions = Object.entries(bodyJson.time)
+      .map(([version, timestamp]) => ({
+        version,
+        timestamp,
+      }))
+      .filter((x) => x.version !== "created" && x.version !== "modified");
+    for (const { version, timestamp } of versions) {
+      const timestampValue = new Date(timestamp);
+      if (timestampValue > cutOff) {
+        deleteVersionFromJson(bodyJson, version);
+        clearCachingHeaders(headers);
+      }
+    }
+    if (hasLatestTag && !bodyJson["dist-tags"]["latest"]) {
+      // The latest tag was removed because it contained a package younger than the treshold.
+      // A new latest tag needs to be calculated
+      bodyJson["dist-tags"]["latest"] = calculateLatestTag(bodyJson.time);
+    }
+    return Buffer.from(JSON.stringify(bodyJson));
+  } catch (/** @type {any} */ err) {
+    ui.writeVerbose(
+      `Safe-chain: Package metadata not in expected format - bypassing modification. Error: ${err.message}`
+    );
+    return body;
+  }
+}
+/**
+ * @param {any} json
+ * @param {string} version
+ */
+function deleteVersionFromJson(json, version) {
+  recordSuppressedVersion();
+  const packageName = typeof json?.name === "string" ? json.name : "(unknown)";
+  ui.writeVerbose(
+    `Safe-chain: ${packageName}@${version} is newer than ${getMinimumPackageAgeHours()} hours and was removed (minimumPackageAgeInHours setting).`
+  );
+  delete json.time[version];
+  delete json.versions[version];
+  for (const [tag, distVersion] of Object.entries(json["dist-tags"])) {
+    if (version == distVersion) {
+      delete json["dist-tags"][tag];
+    }
+  }
+}
+/**
+ * @param {Record<string, string>} tagList
+ * @returns {string | undefined}
+ */
+function calculateLatestTag(tagList) {
+  const entries = Object.entries(tagList).filter(
+    ([version, _]) => version !== "created" && version !== "modified"
+  );
+  const latestFullRelease = getMostRecentTag(
+    Object.fromEntries(entries.filter(([version, _]) => !version.includes("-")))
+  );
+  if (latestFullRelease) {
+    return latestFullRelease;
+  }
+  const latestPrerelease = getMostRecentTag(
+    Object.fromEntries(entries.filter(([version, _]) => version.includes("-")))
+  );
+  return latestPrerelease;
+}
+/**
+ * @param {Record<string, string>} tagList
+ * @returns {string | undefined}
+ */
+function getMostRecentTag(tagList) {
+  let current, currentDate;
+  for (const [version, timestamp] of Object.entries(tagList)) {
+    if (!currentDate || currentDate < timestamp) {
+      current = version;
+      currentDate = timestamp;
+    }
+  }
+  return current;
+}
+/**
+ * @param {Buffer} body
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @returns {string | undefined}
+ */
+export function getPackageNameFromMetadataResponse(body, headers) {
+  try {
+    const contentType = getHeaderValueAsString(headers, "content-type");
+    if (!contentType?.toLowerCase().includes("application/json")) {
+      return undefined;
+    }
+    const bodyJson = JSON.parse(body.toString("utf8"));
+    return typeof bodyJson.name === "string" ? bodyJson.name : undefined;
+  } catch {
+    return undefined;
+  }
+}

package/src/registryProxy/interceptors/npm/npmInterceptor.js ADDED Viewed

@@ -0,0 +1,101 @@
+import {
+  getNpmCustomRegistries,
+  skipMinimumPackageAge,
+} from "../../../config/settings.js";
+import { isMalwarePackage } from "../../../scanning/audit/index.js";
+import { interceptRequests } from "../interceptorBuilder.js";
+import {
+  getPackageNameFromMetadataResponse,
+  isPackageInfoUrl,
+  modifyNpmInfoRequestHeaders,
+  modifyNpmInfoResponse,
+} from "./modifyNpmInfo.js";
+import { parseNpmPackageUrl } from "./parseNpmPackageUrl.js";
+import { openNewPackagesDatabase } from "../../../scanning/newPackagesListCache.js";
+import {
+  isExcludedFromMinimumPackageAge,
+} from "../minimumPackageAgeExclusions.js";
+const knownJsRegistries = [
+  "registry.npmjs.org",
+  "registry.yarnpkg.com",
+  "registry.npmjs.com",
+];
+/**
+ * @param {string} url
+ * @returns {import("../interceptorBuilder.js").Interceptor | undefined}
+ */
+export function npmInterceptorForUrl(url) {
+  const registry = [...knownJsRegistries, ...getNpmCustomRegistries()].find(
+    (reg) => url.includes(reg)
+  );
+  if (registry) {
+    return buildNpmInterceptor(registry);
+  }
+  return undefined;
+}
+/**
+ * @param {string} registry
+ * @returns {import("../interceptorBuilder.js").Interceptor}
+ */
+function buildNpmInterceptor(registry) {
+  return interceptRequests(async (reqContext) => {
+    const { packageName, version } = parseNpmPackageUrl(
+      reqContext.targetUrl,
+      registry
+    );
+    const minimumAgeChecksEnabled = !skipMinimumPackageAge();
+    if (await isMalwarePackage(packageName, version)) {
+      reqContext.blockMalware(packageName, version);
+      return;
+    }
+    if (minimumAgeChecksEnabled && isPackageInfoUrl(reqContext.targetUrl)) {
+      reqContext.modifyRequestHeaders(modifyNpmInfoRequestHeaders);
+      reqContext.modifyBody(modifyNpmInfoResponseUnlessExcluded);
+      return;
+    }
+    // For tarball requests the metadata check above is skipped, so we check the
+    // new packages list as a fallback (covers e.g. frozen-lockfile installs).
+    if (
+      minimumAgeChecksEnabled &&
+      packageName &&
+      version &&
+      !isExcludedFromMinimumPackageAge(packageName)
+    ) {
+      const newPackagesDatabase = await openNewPackagesDatabase();
+      if (newPackagesDatabase.isNewlyReleasedPackage(packageName, version)) {
+        reqContext.blockMinimumAgeRequest(
+          packageName,
+          version,
+          `Forbidden - blocked by safe-chain direct download minimum package age (${packageName}@${version})`
+        );
+      }
+    }
+  });
+}
+/**
+ * @param {Buffer} body
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @returns {Buffer}
+ */
+function modifyNpmInfoResponseUnlessExcluded(body, headers) {
+  const metadataPackageName = getPackageNameFromMetadataResponse(body, headers);
+  if (
+    metadataPackageName &&
+    isExcludedFromMinimumPackageAge(metadataPackageName)
+  ) {
+    return body;
+  }
+  return modifyNpmInfoResponse(body, headers);
+}

package/src/registryProxy/interceptors/npm/parseNpmPackageUrl.js ADDED Viewed

@@ -0,0 +1,60 @@
+/**
+ * @param {string} url
+ * @param {string} registry
+ * @returns {{packageName: string | undefined, version: string | undefined}}
+ */
+export function parseNpmPackageUrl(url, registry) {
+  let packageName, version;
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(url);
+  } catch {
+    return { packageName, version };
+  }
+  const pathname = parsedUrl.pathname;
+  if (!registry || !pathname.endsWith(".tgz")) {
+    return { packageName, version };
+  }
+  const registryPrefix = `${registry}/`;
+  const urlAfterProtocol = `${parsedUrl.host}${pathname}`;
+  if (!urlAfterProtocol.startsWith(registryPrefix)) {
+    return { packageName, version };
+  }
+  const afterRegistry = decodeURIComponent(
+    urlAfterProtocol.substring(registryPrefix.length)
+  );
+  const separatorIndex = afterRegistry.indexOf("/-/");
+  if (separatorIndex === -1) {
+    return { packageName, version };
+  }
+  packageName = afterRegistry.substring(0, separatorIndex);
+  const filename = afterRegistry.substring(
+    separatorIndex + 3,
+    afterRegistry.length - 4
+  ); // Remove /-/ and .tgz
+  // Extract version from filename
+  // For scoped packages like @babel/core, the filename is core-7.21.4.tgz
+  // For regular packages like lodash, the filename is lodash-4.17.21.tgz
+  if (packageName.startsWith("@")) {
+    const scopedPackageName = packageName.substring(
+      packageName.lastIndexOf("/") + 1
+    );
+    if (filename.startsWith(scopedPackageName + "-")) {
+      version = filename.substring(scopedPackageName.length + 1);
+    }
+  } else {
+    if (filename.startsWith(packageName + "-")) {
+      version = filename.substring(packageName.length + 1);
+    }
+  }
+  return { packageName, version };
+}

package/src/registryProxy/interceptors/pip/modifyPipInfo.js ADDED Viewed

@@ -0,0 +1,167 @@
+import { ui } from "../../../environment/userInteraction.js";
+import { clearCachingHeaders } from "../../http-utils.js";
+import { normalizePipPackageName } from "../../../scanning/packageNameVariants.js";
+import { parsePipPackageFromUrl } from "./parsePipPackageUrl.js";
+export { parsePipMetadataUrl, isPipPackageInfoUrl } from "./parsePipPackageUrl.js";
+import { getPipMetadataContentType, logSuppressedVersion } from "./pipMetadataResponseUtils.js";
+import { modifyPipJsonResponse } from "./modifyPipJsonResponse.js";
+// Match simple-index anchor tags and capture their href so we can suppress
+// individual distribution links from PyPI HTML metadata responses.
+const HTML_ANCHOR_HREF_RE =
+  /<a\b[^>]*href\s*=\s*(["'])([^"']+)\1[^>]*>[\s\S]*?<\/a>/gi;
+/**
+ * @param {Buffer} body
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @param {string} metadataUrl
+ * @param {(packageName: string | undefined, version: string | undefined) => boolean} isNewlyReleasedPackage
+ * @param {string} packageName
+ * @returns {Buffer}
+ */
+export function modifyPipInfoResponse(
+  body,
+  headers,
+  metadataUrl,
+  isNewlyReleasedPackage,
+  packageName
+) {
+  try {
+    const contentType = getPipMetadataContentType(headers);
+    if (!contentType || body.byteLength === 0) {
+      return body;
+    }
+    if (
+      contentType.includes("html") ||
+      contentType.includes("application/vnd.pypi.simple.v1+html")
+    ) {
+      return modifyHtmlSimpleResponse(
+        body,
+        headers,
+        metadataUrl,
+        isNewlyReleasedPackage,
+        packageName
+      );
+    }
+    if (
+      contentType.includes("json") ||
+      contentType.includes("application/vnd.pypi.simple.v1+json")
+    ) {
+      return modifyJsonResponse(
+        body,
+        headers,
+        metadataUrl,
+        isNewlyReleasedPackage,
+        packageName
+      );
+    }
+    return body;
+  } catch (/** @type {any} */ err) {
+    ui.writeVerbose(
+      `Safe-chain: PyPI package metadata not in expected format - bypassing modification. Error: ${err.message}`
+    );
+    return body;
+  }
+}
+/**
+ * @param {Buffer} body
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @param {string} metadataUrl
+ * @param {(packageName: string | undefined, version: string | undefined) => boolean} isNewlyReleasedPackage
+ * @param {string} packageName
+ * @returns {Buffer}
+ */
+function modifyHtmlSimpleResponse(
+  body,
+  headers,
+  metadataUrl,
+  isNewlyReleasedPackage,
+  packageName
+) {
+  const html = body.toString("utf8");
+  let modified = false;
+  const rewriteHtmlAnchor = createHtmlAnchorRewriter(
+    metadataUrl,
+    isNewlyReleasedPackage,
+    packageName,
+    () => {
+      modified = true;
+    }
+  );
+  const updatedHtml = html.replace(HTML_ANCHOR_HREF_RE, rewriteHtmlAnchor);
+  if (!modified) return body;
+  const modifiedBuffer = Buffer.from(updatedHtml);
+  clearCachingHeaders(headers);
+  return modifiedBuffer;
+}
+/**
+ * @param {string} metadataUrl
+ * @param {(packageName: string | undefined, version: string | undefined) => boolean} isNewlyReleasedPackage
+ * @param {string} packageName
+ * @param {() => void} onModified
+ * @returns {(anchor: string, quote: string, href: string) => string}
+ */
+function createHtmlAnchorRewriter(
+  metadataUrl,
+  isNewlyReleasedPackage,
+  packageName,
+  onModified
+) {
+  return (anchor, _quote, href) => {
+    const resolvedHref = new URL(href, metadataUrl).toString();
+    const { packageName: hrefPackageName, version } = parsePipPackageFromUrl(
+      resolvedHref,
+      new URL(resolvedHref).host
+    );
+    if (
+      hrefPackageName &&
+      normalizePipPackageName(hrefPackageName) ===
+        normalizePipPackageName(packageName) &&
+      version &&
+      isNewlyReleasedPackage(packageName, version)
+    ) {
+      onModified();
+      logSuppressedVersion(packageName, version);
+      return "";
+    }
+    return anchor;
+  };
+}
+/**
+ * @param {Buffer} body
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @param {string} metadataUrl
+ * @param {(packageName: string | undefined, version: string | undefined) => boolean} isNewlyReleasedPackage
+ * @param {string} packageName
+ * @returns {Buffer}
+ */
+function modifyJsonResponse(
+  body,
+  headers,
+  metadataUrl,
+  isNewlyReleasedPackage,
+  packageName
+) {
+  const json = JSON.parse(body.toString("utf8"));
+  const modified = modifyPipJsonResponse(
+    json,
+    metadataUrl,
+    isNewlyReleasedPackage,
+    packageName
+  );
+  if (!modified) return body;
+  const modifiedBuffer = Buffer.from(JSON.stringify(json));
+  clearCachingHeaders(headers);
+  return modifiedBuffer;
+}