@aikidosec/safe-chain 1.0.17 → 1.0.18

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.0.17",
+  "version": "1.0.18",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",

package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.js

@@ -86,7 +86,9 @@ function parsePackagename(arg) {
   const lastAtIndex = arg.lastIndexOf("@");
 
   let name, version;
-  if (lastAtIndex !== -1) {
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@vercel/otel")
+  if (lastAtIndex > 0) {
     name = arg.slice(0, lastAtIndex);
     version = arg.slice(lastAtIndex + 1);
   } else {

package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.spec.js

@@ -19,6 +19,14 @@ describe("parsePackagesFromInstallArgs", () => {
     assert.deepEqual(result, [{ name: "@jest/transform", version: "29.7.0" }]);
   });
 
+  it("should return the package in the format @vercel/otel", () => {
+    const args = ["install", "@vercel/otel"];
+
+    const result = parsePackagesFromInstallArgs(args);
+
+    assert.deepEqual(result, [{ name: "@vercel/otel", version: "latest" }]);
+  });
+
   it("should return an array of changes for multiple packages", () => {
     const args = ["install", "express@4.17.1", "lodash@4.17.21"];
 

package/src/packagemanager/npx/parsing/parsePackagesFromArguments.js

@@ -81,7 +81,9 @@ function parsePackagename(arg, defaultTag) {
   const lastAtIndex = arg.lastIndexOf("@");
 
   let name, version;
-  if (lastAtIndex !== -1) {
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@vercel/otel")
+  if (lastAtIndex > 0) {
     name = arg.slice(0, lastAtIndex);
     version = arg.slice(lastAtIndex + 1);
   } else {

package/src/packagemanager/npx/parsing/parsePackagesFromArguments.spec.js

@@ -19,6 +19,14 @@ describe("parsePackagesFromArguments", () => {
     assert.deepEqual(result, [{ name: "http-server", version: "14.1.1" }]);
   });
 
+  it("should return the package in the format @vercel/otel", () => {
+    const args = ["@vercel/otel"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "@vercel/otel", version: "latest" }]);
+  });
+
   it("should return the package with latest tag if absent", () => {
     const args = ["http-server"];
 

package/src/packagemanager/pnpm/parsing/parsePackagesFromArguments.spec.js

@@ -27,6 +27,14 @@ describe("standardPnpmArgumentParser", () => {
     assert.deepEqual(result, [{ name: "axios", version: "latest" }]);
   });
 
+  it("should return the package in the format @vercel/otel", () => {
+    const args = ["@vercel/otel"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "@vercel/otel", version: "latest" }]);
+  });
+
   it("should return the package with latest tag if the version is absent and package starts with @", () => {
     const args = ["@aikidosec/package-name"];
 

package/src/packagemanager/yarn/parsing/parsePackagesFromArguments.js

@@ -77,7 +77,9 @@ function parsePackagename(arg, defaultTag) {
   const lastAtIndex = arg.lastIndexOf("@");
 
   let name, version;
-  if (lastAtIndex !== -1) {
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@vercel/otel")
+  if (lastAtIndex > 0) {
     name = arg.slice(0, lastAtIndex);
     version = arg.slice(lastAtIndex + 1);
   } else {

package/src/packagemanager/yarn/parsing/parsePackagesFromArguments.spec.js

@@ -38,6 +38,14 @@ describe("standardYarnArgumentParser", () => {
     ]);
   });
 
+  it("should return the package in the format @vercel/otel", () => {
+    const args = ["add", "@vercel/otel"];
+
+    const result = parsePackagesFromArguments(args);
+
+    assert.deepEqual(result, [{ name: "@vercel/otel", version: "latest" }]);
+  });
+
   it("should ignore options with parameters and return an array of changes", () => {
     const args = ["add", "--proxy", "http://localhost", "axios@1.9.0"];
 

package/src/shell-integration/helpers.js

@@ -28,11 +28,35 @@ export function removeLinesMatchingPattern(filePath, pattern) {
   }
 
   const fileContent = fs.readFileSync(filePath, "utf-8");
-  const lines = fileContent.split(os.EOL);
-  const updatedLines = lines.filter((line) => !pattern.test(line));
+  const lines = fileContent.split(/[\r\n\u2028\u2029]+/);
+  const updatedLines = lines.filter((line) => !shouldRemoveLine(line, pattern));
   fs.writeFileSync(filePath, updatedLines.join(os.EOL), "utf-8");
 }
 
+const maxLineLength = 100;
+function shouldRemoveLine(line, pattern) {
+  const isPatternMatch = pattern.test(line);
+
+  if (!isPatternMatch) {
+    return false;
+  }
+
+  if (line.length > maxLineLength) {
+    // safe-chain only adds lines shorter than maxLineLength
+    // so if the line is longer, it must be from a different 
+    // source and could be dangerous to remove
+    return false;
+  }
+
+  if (line.includes("\n") || line.includes("\r") || line.includes("\u2028") || line.includes("\u2029")) {
+    // If the line contains newlines, something has gone wrong in splitting
+    // \u2028 and \u2029 are Unicode line separator characters (line and paragraph separators)
+    return false;
+  }
+
+  return true;
+}
+
 export function addLineToFile(filePath, line) {
   if (!fs.existsSync(filePath)) {
     fs.writeFileSync(filePath, "", "utf-8");

package/src/shell-integration/helpers.spec.js

@@ -0,0 +1,113 @@
+import { describe, it, beforeEach, afterEach, mock } from "node:test";
+import assert from "node:assert";
+import { tmpdir } from "node:os";
+import fs from "node:fs";
+import path from "path";
+
+describe("removeLinesMatchingPatternTests", () => {
+  let testFile;
+
+  beforeEach(() => {
+    // Create temporary test file
+    testFile = path.join(tmpdir(), `test-helpers-${Date.now()}.txt`);
+
+    // Mock the os module to override EOL
+    mock.module("node:os", {
+      namedExports: {
+        EOL: "\r\n", // Simulate Windows line endings
+        tmpdir: tmpdir,
+        platform: () => "linux"
+      }
+    });
+  });
+
+  afterEach(() => {
+    // Clean up test files
+    if (fs.existsSync(testFile)) {
+      fs.unlinkSync(testFile);
+    }
+
+    // Reset mocks
+    mock.reset();
+  });
+
+
+  it("should handle mixed line endings without wiping entire file", async () => {
+    // Import helpers after setting up the mock
+    const { removeLinesMatchingPattern } = await import("./helpers.js");
+    
+    // Create a file with Unix line endings but os.EOL expects Windows
+    const fileContent = [
+      "# keep this line",
+      "alias npm='remove-this'", 
+      "# keep this line too",
+      "alias yarn='remove-this-too'",
+      "# final line to keep"
+    ].join("\n"); // File has Unix line endings
+    
+    fs.writeFileSync(testFile, fileContent, "utf-8");
+    
+    // Try to remove lines containing 'alias'
+    const pattern = /alias.*=/;
+    removeLinesMatchingPattern(testFile, pattern);
+    
+    const result = fs.readFileSync(testFile, "utf-8");
+    
+    // This test will fail because the function splits on '\r\n' but file uses '\n'
+    // So it treats the entire content as one line and if any part matches, removes everything
+    assert.ok(result.includes("keep this line"), "Should preserve non-matching lines");
+    assert.ok(result.includes("final line to keep"), "Should preserve final line");
+  });
+
+  it("should handle mixed line endings with short matching content", async () => {
+    // Import helpers after setting up the mock
+    const { removeLinesMatchingPattern } = await import("./helpers.js");
+    
+    // Create a file with Unix line endings, but make the entire content short 
+    // to bypass the maxLineLength protection
+    const fileContent = [
+      "# keep1",
+      "alias x=y", // Short alias line that should be removed
+      "# keep2"
+    ].join("\n"); // File has Unix line endings, total length < 100 chars
+    
+    fs.writeFileSync(testFile, fileContent, "utf-8");
+    
+    // Try to remove lines containing 'alias'
+    const pattern = /alias/;
+    removeLinesMatchingPattern(testFile, pattern);
+    
+    const result = fs.readFileSync(testFile, "utf-8");
+    
+    // This should now be protected by the newline detection
+    assert.ok(result.includes("keep1"), "Should preserve first line");
+    assert.ok(result.includes("keep2"), "Should preserve third line");
+  });
+
+  it("should handle Unicode line separators that bypass newline detection", async () => {
+    // Import helpers after setting up the mock
+    const { removeLinesMatchingPattern } = await import("./helpers.js");
+    
+    // Use Unicode line separator (U+2028) and paragraph separator (U+2029)
+    // These are considered line breaks but aren't \n or \r
+    const fileContent = [
+      "keep this",
+      "alias test=value",
+      "keep that"
+    ].join("\u2028"); // Unicode line separator
+    
+    fs.writeFileSync(testFile, fileContent, "utf-8");
+    
+    // Try to remove lines containing 'alias'
+    const pattern = /alias/;
+    removeLinesMatchingPattern(testFile, pattern);
+    
+    const result = fs.readFileSync(testFile, "utf-8");
+    
+    // This could still wipe everything if split() treats it as one line
+    // but the content doesn't contain \n or \r so passes the newline check
+    assert.ok(result.includes("keep this"), "Should preserve first part");
+    assert.ok(result.includes("keep that"), "Should preserve last part");
+  });
+
+});