@aikidosec/safe-chain 1.0.0 → 1.0.10

package/src/packagemanager/npm/dependencyScanner/commandArgumentScanner.js

@@ -0,0 +1,37 @@
+import { resolvePackageVersion } from "../../../api/npmApi.js";
+import { parsePackagesFromInstallArgs } from "../parsing/parsePackagesFromInstallArgs.js";
+import { hasDryRunArg } from "../utils/npmCommands.js";
+
+export function commandArgumentScanner(opts) {
+  const ignoreDryRun = opts?.ignoreDryRun ?? false;
+
+  return {
+    scan: (args) => scanDependencies(args),
+    shouldScan: (args) => shouldScanDependencies(args, ignoreDryRun),
+  };
+}
+function scanDependencies(args) {
+  return checkChangesFromArgs(args);
+}
+
+function shouldScanDependencies(args, ignoreDryRun) {
+  return ignoreDryRun || !hasDryRunArg(args);
+}
+
+export async function checkChangesFromArgs(args) {
+  const changes = [];
+  const packageUpdates = parsePackagesFromInstallArgs(args);
+
+  for (const packageUpdate of packageUpdates) {
+    var exactVersion = await resolvePackageVersion(
+      packageUpdate.name,
+      packageUpdate.version
+    );
+    if (exactVersion) {
+      packageUpdate.version = exactVersion;
+    }
+
+    changes.push({ ...packageUpdate, type: "add" });
+  }
+  return changes;
+}

package/src/packagemanager/npm/dependencyScanner/dryRunScanner.js

@@ -0,0 +1,50 @@
+import { ui } from "../../../environment/userInteraction.js";
+import { parseDryRunOutput } from "../parsing/parseNpmInstallDryRunOutput.js";
+import { dryRunNpmCommandAndOutput } from "../runNpmCommand.js";
+import { hasDryRunArg } from "../utils/npmCommands.js";
+
+export function dryRunScanner(scannerOptions) {
+  return {
+    scan: (args) => scanDependencies(scannerOptions, args),
+    shouldScan: (args) => shouldScanDependencies(scannerOptions, args),
+  };
+}
+function scanDependencies(scannerOptions, args) {
+  let dryRunArgs = args;
+
+  if (scannerOptions?.dryRunCommand) {
+    // Replace the first argument with the dryRunCommand (eg: "install" instead of "install-test")
+    dryRunArgs = [scannerOptions.dryRunCommand, ...args.slice(1)];
+  }
+
+  return checkChangesWithDryRun(dryRunArgs);
+}
+
+function shouldScanDependencies(scannerOptions, args) {
+  if (hasDryRunArg(args)) {
+    return false;
+  }
+
+  if (scannerOptions?.skipScanWhen && scannerOptions.skipScanWhen(args)) {
+    return false;
+  }
+
+  return true;
+}
+
+function checkChangesWithDryRun(args) {
+  const dryRunOutput = dryRunNpmCommandAndOutput(args);
+
+  // Dry-run can return a non-zero status code in some cases
+  //  e.g., when running "npm audit fix --dry-run", it returns exit code 1
+  //  when there are vulnurabilities that can be fixed.
+  if (dryRunOutput.status !== 0 && !dryRunOutput.output) {
+    ui.writeError("Detecting changes failed.");
+    return [];
+  }
+
+  const parsedOutput = parseDryRunOutput(dryRunOutput.output);
+
+  // reverse the array to have the top-level packages first
+  return parsedOutput.reverse();
+}

package/src/packagemanager/npm/dependencyScanner/nullScanner.js

@@ -0,0 +1,6 @@
+export function nullScanner() {
+  return {
+    scan: () => [],
+    shouldScan: () => false,
+  };
+}

package/src/packagemanager/npm/parsing/parseNpmInstallDryRunOutput.js

@@ -0,0 +1,57 @@
+export function parseDryRunOutput(output) {
+  const lines = output.split(/\r?\n/);
+  const packageChanges = [];
+
+  for (const line of lines) {
+    if (line.startsWith("add ")) {
+      packageChanges.push(parseAdd(line));
+    } else if (line.startsWith("remove ")) {
+      packageChanges.push(parseRemove(line));
+    } else if (line.startsWith("change ")) {
+      packageChanges.push(parseChange(line));
+    }
+  }
+
+  return packageChanges;
+}
+
+function parseAdd(line) {
+  const splitLine = getLineParts(line);
+  const packageName = splitLine[1];
+  const packageVersion = splitLine[splitLine.length - 1];
+  return addedPackage(packageName, packageVersion);
+}
+
+function addedPackage(name, version) {
+  return { type: "add", name, version };
+}
+
+function parseRemove(line) {
+  const splitLine = getLineParts(line);
+  const packageName = splitLine[1];
+  const packageVersion = splitLine[splitLine.length - 1];
+  return removedPackage(packageName, packageVersion);
+}
+
+function removedPackage(name, version) {
+  return { type: "remove", name, version };
+}
+
+function parseChange(line) {
+  const splitLine = getLineParts(line);
+  const packageName = splitLine[1];
+  const packageVersion = splitLine[splitLine.length - 1];
+  const oldVersion = splitLine[2];
+  return changedPackage(packageName, packageVersion, oldVersion);
+}
+
+function getLineParts(line) {
+  return line
+    .split(" ")
+    .map((part) => part.trim())
+    .filter((part) => part !== "");
+}
+
+function changedPackage(name, version, oldVersion) {
+  return { type: "change", name, version, oldVersion };
+}

package/src/packagemanager/npm/parsing/parseNpmInstallDryRunOutput.spec.js

@@ -0,0 +1,134 @@
+import { describe, it } from "node:test";
+import assert from "node:assert";
+import { parseDryRunOutput } from "./parseNpmInstallDryRunOutput.js";
+
+describe("parseNpmInstallDryRunOutput", () => {
+  it("should parse added packages", () => {
+    const output = `
+add @jest/transform 29.7.0
+add @jest/test-result 29.7.0
+add @jest/reporters 29.7.0
+add @jest/console 29.7.0
+add jest-cli 29.7.0
+add import-local 3.2.0
+add @jest/types 29.6.3
+add @jest/core 29.7.0
+add jest 29.7.0
+
+added 267 packages in 831ms
+
+32 packages are looking for funding
+  run \`npm fund\` for details`;
+
+    const expected = [
+      { name: "@jest/transform", version: "29.7.0", type: "add" },
+      { name: "@jest/test-result", version: "29.7.0", type: "add" },
+      { name: "@jest/reporters", version: "29.7.0", type: "add" },
+      { name: "@jest/console", version: "29.7.0", type: "add" },
+      { name: "jest-cli", version: "29.7.0", type: "add" },
+      { name: "import-local", version: "3.2.0", type: "add" },
+      { name: "@jest/types", version: "29.6.3", type: "add" },
+      { name: "@jest/core", version: "29.7.0", type: "add" },
+      { name: "jest", version: "29.7.0", type: "add" },
+    ];
+
+    const result = parseDryRunOutput(output);
+
+    assert.deepEqual(result, expected);
+  });
+
+  it("should parse removed packages", () => {
+    const output = `
+remove react 19.1.0
+
+    removed 1 package in 115ms`;
+
+    const expected = [{ name: "react", version: "19.1.0", type: "remove" }];
+
+    const result = parseDryRunOutput(output);
+
+    assert.deepEqual(result, expected);
+  });
+
+  it("should parse changed packages", () => {
+    const output = `
+change react 19.0.0 => 19.1.0
+
+changed 1 package in 204ms`;
+
+    const expected = [
+      {
+        name: "react",
+        version: "19.1.0",
+        oldVersion: "19.0.0",
+        type: "change",
+      },
+    ];
+
+    const result = parseDryRunOutput(output);
+
+    assert.deepEqual(result, expected);
+  });
+
+  it("should parse mixed package changes", () => {
+    const output = `
+add @jest/transform 29.7.0
+add @jest/test-result 29.7.0
+add @jest/reporters 29.7.0
+add @jest/console 29.7.0
+add jest-cli 29.7.0
+add import-local 3.2.0
+add @jest/types 29.6.3
+add @jest/core 29.7.0
+add jest 29.7.0
+remove react 19.1.0
+change lodash 4.17.0 => 4.18.0
+
+removed 1 package in 115ms`;
+
+    const expected = [
+      { name: "@jest/transform", version: "29.7.0", type: "add" },
+      { name: "@jest/test-result", version: "29.7.0", type: "add" },
+      { name: "@jest/reporters", version: "29.7.0", type: "add" },
+      { name: "@jest/console", version: "29.7.0", type: "add" },
+      { name: "jest-cli", version: "29.7.0", type: "add" },
+      { name: "import-local", version: "3.2.0", type: "add" },
+      { name: "@jest/types", version: "29.6.3", type: "add" },
+      { name: "@jest/core", version: "29.7.0", type: "add" },
+      { name: "jest", version: "29.7.0", type: "add" },
+      { name: "react", version: "19.1.0", type: "remove" },
+      {
+        name: "lodash",
+        version: "4.18.0",
+        oldVersion: "4.17.0",
+        type: "change",
+      },
+    ];
+
+    const result = parseDryRunOutput(output);
+
+    assert.deepEqual(result, expected);
+  });
+
+  it("should work with npm v22.0.0", () => {
+    const output = `
+add  @jest/types                                        29.6.3
+add  @jest/core                                         29.7.0
+add  jest                                               29.7.0
+
+added 257 packages in 791ms
+
+44 packages are looking for funding
+    run \`npm fund\` for details`;
+
+    const expected = [
+      { name: "@jest/types", version: "29.6.3", type: "add" },
+      { name: "@jest/core", version: "29.7.0", type: "add" },
+      { name: "jest", version: "29.7.0", type: "add" },
+    ];
+
+    const result = parseDryRunOutput(output);
+
+    assert.deepEqual(result, expected);
+  });
+});

package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.js

@@ -0,0 +1,109 @@
+export function parsePackagesFromInstallArgs(args) {
+  const changes = [];
+  let defaultTag = "latest";
+
+  // Skip first argument (install command)
+  for (let i = 1; i < args.length; i++) {
+    const arg = args[i];
+    const npmOption = getNpmOption(arg);
+
+    if (npmOption) {
+      // If the option has a parameter, skip the next argument as well
+      i += npmOption.numberOfParameters;
+
+      // it a tag is specified, set the default tag
+      if (npmOption.name === "--tag") {
+        defaultTag = args[i];
+      }
+
+      continue;
+    }
+
+    const packageDetails = parsePackagename(arg);
+    if (packageDetails) {
+      changes.push(packageDetails);
+      continue;
+    }
+  }
+
+  for (const change of changes) {
+    if (!change.version) {
+      change.version = defaultTag;
+    }
+  }
+
+  return changes;
+}
+
+function getNpmOption(arg) {
+  if (isNpmOptionWithParameter(arg)) {
+    return {
+      name: arg,
+      numberOfParameters: 1,
+    };
+  }
+
+  // Arguments starting with "-" or "--" are considered npm options
+  if (arg.startsWith("-")) {
+    return {
+      name: arg,
+      numberOfParameters: 0,
+    };
+  }
+
+  return undefined;
+}
+
+function isNpmOptionWithParameter(arg) {
+  const optionsWithParameters = [
+    "--access",
+    "--auth-type",
+    "--cache",
+    "--fetch-retries",
+    "--fetch-retry-mintimeout",
+    "--fetch-retry-maxtimeout",
+    "--fetch-retry-factor",
+    "--fetch-timeout",
+    "--https-proxy",
+    "--include",
+    "--location",
+    "--lockfile-version",
+    "--loglevel",
+    "--omit",
+    "--proxy",
+    "--registry",
+    "--replace-registry-host",
+    "--tag",
+    "--user-config",
+    "--workspace",
+  ];
+
+  return optionsWithParameters.includes(arg);
+}
+
+function parsePackagename(arg) {
+  arg = removeAlias(arg);
+  const lastAtIndex = arg.lastIndexOf("@");
+
+  let name, version;
+  if (lastAtIndex !== -1) {
+    name = arg.slice(0, lastAtIndex);
+    version = arg.slice(lastAtIndex + 1);
+  } else {
+    name = arg;
+    version = null;
+  }
+
+  return {
+    name,
+    version,
+  };
+}
+
+function removeAlias(arg) {
+  const aliasIndex = arg.indexOf("@npm:");
+  if (aliasIndex !== -1) {
+    return arg.slice(aliasIndex + 5);
+  }
+  return arg;
+}

package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.spec.js

@@ -0,0 +1,176 @@
+import { describe, it } from "node:test";
+import assert from "node:assert";
+import { parsePackagesFromInstallArgs } from "./parsePackagesFromInstallArgs.js";
+
+describe("parsePackagesFromInstallArgs", () => {
+  it("should return an empty array for no changes", () => {
+    const args = ["install"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, []);
+  });
+
+  it("should return an array of changes for one package", () => {
+    const args = ["install", "@jest/transform@29.7.0"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [{ name: "@jest/transform", version: "29.7.0" }]);
+  });
+
+  it("should return an array of changes for multiple packages", () => {
+    const args = ["install", "express@4.17.1", "lodash@4.17.21"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [
+      { name: "express", version: "4.17.1" },
+      { name: "lodash", version: "4.17.21" },
+    ]);
+  });
+
+  it("should ignore options and return an array of changes", () => {
+    const args = [
+      "install",
+      "--save-dev",
+      "express@4.17.1",
+      "--save-exact",
+      "lodash@4.17.21",
+    ];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [
+      { name: "express", version: "4.17.1" },
+      { name: "lodash", version: "4.17.21" },
+    ]);
+  });
+
+  it("should ignore options with parameters and return an array of changes", () => {
+    const args = [
+      "install",
+      "--save-dev",
+      "express@4.17.1",
+      "--loglevel",
+      "error",
+      "lodash@4.17.21",
+    ];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [
+      { name: "express", version: "4.17.1" },
+      { name: "lodash", version: "4.17.21" },
+    ]);
+  });
+
+  it("should not ignore the next argument if it is passed directly with the option", () => {
+    const args = [
+      "install",
+      "--save-dev",
+      "express@4.17.1",
+      "--loglevel=error",
+      "lodash@4.17.21",
+    ];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [
+      { name: "express", version: "4.17.1" },
+      { name: "lodash", version: "4.17.21" },
+    ]);
+  });
+
+  it("should set the default tag for packages", () => {
+    const args = ["install", "express", "lodash@4.17.21"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [
+      { name: "express", version: "latest" },
+      { name: "lodash", version: "4.17.21" },
+    ]);
+  });
+
+  it("should set the default tag for packages with a specific tag", () => {
+    const args = ["install", "express", "lodash@4.17.21", "--tag", "beta"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [
+      { name: "express", version: "beta" },
+      { name: "lodash", version: "4.17.21" },
+    ]);
+  });
+
+  it("should ignore alias", () => {
+    const args = ["install", "express@npm:express@4.17.1"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [{ name: "express", version: "4.17.1" }]);
+  });
+
+  it("should parse version even for aliased packages", () => {
+    const args = ["install", "express@npm:express@4.17.1"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [{ name: "express", version: "4.17.1" }]);
+  });
+
+  it("should parse scoped packages", () => {
+    const args = ["install", "@scope/package@1.0.0"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [{ name: "@scope/package", version: "1.0.0" }]);
+  });
+
+  it("should parse packages with version ranges", () => {
+    const args = ["install", "express@^4.17.1"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [{ name: "express", version: "^4.17.1" }]);
+  });
+
+  it("should parse package folders", () => {
+    const args = ["install", "./local-package"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [{ name: "./local-package", version: "latest" }]);
+  });
+
+  it("should parse tarballs", () => {
+    const args = ["install", "file:./local-package.tgz"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [
+      { name: "file:./local-package.tgz", version: "latest" },
+    ]);
+  });
+
+  it("should parse tarball URLs", () => {
+    const args = ["install", "https://example.com/local-package.tgz"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [
+      { name: "https://example.com/local-package.tgz", version: "latest" },
+    ]);
+  });
+
+  it("should parse git URLs", () => {
+    const args = ["install", "git://github.com/npm/cli.git"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [
+      { name: "git://github.com/npm/cli.git", version: "latest" },
+    ]);
+  });
+});

package/src/packagemanager/npm/runNpmCommand.js

@@ -0,0 +1,33 @@
+import { execSync } from "child_process";
+import { ui } from "../../environment/userInteraction.js";
+
+export function runNpm(args) {
+  try {
+    const npmCommand = `npm ${args.join(" ")}`;
+    execSync(npmCommand, { stdio: "inherit" });
+  } catch (error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError("Error executing command:", error.message);
+      return { status: 1 };
+    }
+  }
+  return { status: 0 };
+}
+
+export function dryRunNpmCommandAndOutput(args) {
+  try {
+    const npmCommand = `npm ${args.join(" ")} --dry-run`;
+    const output = execSync(npmCommand, { stdio: "pipe" });
+    return { status: 0, output: output.toString() };
+  } catch (error) {
+    if (error.status) {
+      const output = error.stdout ? error.stdout.toString() : "";
+      return { status: error.status, output };
+    } else {
+      ui.writeError("Error executing command:", error.message);
+      return { status: 1 };
+    }
+  }
+}