@aikidosec/safe-chain 1.0.13 → 1.0.14

package/README.md

@@ -1,5 +1,7 @@
 # Aikido Safe Chain
 
+The Aikido Safe Chain **prevents developers from installing malware** on their workstations through npm, npx, or yarn.
+
 The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), and [yarn](https://yarnpkg.com/) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, or yarn from downloading or running the malware.
 
 ![demo](https://aikido-production-staticfiles-public.s3.eu-west-1.amazonaws.com/safe-pkg.gif)
@@ -9,6 +11,9 @@ Aikido Safe Chain works on Node.js version 18 and above and supports the followi
 - ✅ **npm**
 - ✅ **npx**
 - ✅ **yarn**
+- 🚧 **pnpm** Coming soon
+
+# Usage
 
 ## Installation
 
@@ -29,35 +34,22 @@ Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
    npm install eslint-js
    ```
    - The output should show that Aikido Safe Chain is blocking the installation of this package as it is flagged as malware.
-     ![Output of vulneralbe package](./docs/vulnerable-package-message.png)
 
 When running `npm`, `npx`, or `yarn` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. If any malware is detected, it will prompt you to exit the command.
 
-## Shell Integration
-
-The Aikido Safe Chain integrates with your shell to provide a seamless experience when using npm, npx, and yarn commands. It sets up aliases for these commands so that they are replaced with the Aikido Safe Chain commands, which perform malware checks before executing the original commands.
+## How it works
 
-More information about the shell integration can be found in the [shell integration documentation](docs/shell-integration.md).
+The Aikido Safe Chain works by intercepting the npm, npx, and yarn commands and verifying the packages against **[Aikido Intel - Open Sources Threat Intelligence](https://intel.aikido.dev/?tab=malware)**.
 
-Shell integration is supported for the following shells:
+The Aikido Safe Chain integrates with your shell to provide a seamless experience when using npm, npx, and yarn commands. It sets up aliases for these commands so that they are wrapped by the Aikido Safe Chain commands, which perform malware checks before executing the original commands. We currently support:
 
 - ✅ **Bash**
 - ✅ **Zsh**
 - ✅ **Fish**
-- ✅ **Powershell**
+- ✅ **PowerShell**
 - ✅ **PowerShell Core**
 
-### Disabling Shell Integration
-
-To disable the Aikido Safe Chain integration, run:
-
-```shell
-safe-chain teardown
-```
-
-This removes the aliases for **npm**, **npx**, and **yarn** from your shell startup files, restoring the original commands.
-
-❗ After removing the shell integration, **the shell needs to restart in order to load the alias**.
+More information about the shell integration can be found in the [shell integration documentation](docs/shell-integration.md).
 
 ## Uninstallation
 
@@ -71,4 +63,8 @@ To uninstall the Aikido Safe Chain, you can run the following command:
    ```shell
    npm uninstall -g @aikidosec/safe-chain
    ```
-3. **Restart your terminal** to remove the aliases.
+3. **❗Restart your terminal** to remove the aliases.
+
+# Usage in CI/CD
+
+🚧 Support for CI/CD environments is coming soon...

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.0.13",
+  "version": "1.0.14",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks **/*.spec.js",
     "test:watch": "node --test --watch --experimental-test-module-mocks **/*.spec.js",

package/src/scanning/malwareDatabase.js

@@ -6,6 +6,7 @@ import {
   readDatabaseFromLocalCache,
   writeDatabaseToLocalCache,
 } from "../config/configFile.js";
+import { ui } from "../environment/userInteraction.js";
 
 export async function openMalwareDatabase() {
   const malwareDatabase = await getMalwareDatabase();
@@ -37,18 +38,27 @@ async function getMalwareDatabase() {
   const { malwareDatabase: cachedDatabase, version: cachedVersion } =
     readDatabaseFromLocalCache();
 
-  if (cachedDatabase) {
-    const currentVersion = await fetchMalwareDatabaseVersion();
+  try {
+    if (cachedDatabase) {
+      const currentVersion = await fetchMalwareDatabaseVersion();
+      if (cachedVersion === currentVersion) {
+        return cachedDatabase;
+      }
+    }
+
+    const { malwareDatabase, version } = await fetchMalwareDatabase();
+    writeDatabaseToLocalCache(malwareDatabase, version);
 
-    if (cachedVersion === currentVersion) {
+    return malwareDatabase;
+  } catch (error) {
+    if (cachedDatabase) {
+      ui.writeWarning(
+        "Failed to fetch the latest malware database. Using cached version."
+      );
       return cachedDatabase;
     }
+    throw error;
   }
-
-  const { malwareDatabase, version } = await fetchMalwareDatabase();
-  writeDatabaseToLocalCache(malwareDatabase, version);
-
-  return malwareDatabase;
 }
 
 function isMalwareStatus(status) {