npm - @aikidosec/safe-chain - Versions diffs - 1.0.17 → 1.0.19 - Mend

@aikidosec/safe-chain 1.0.17 → 1.0.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/bin/safe-chain.js CHANGED Viewed

@@ -46,7 +46,7 @@ function writeHelp() {
   ui.writeInformation(
     `- ${chalk.cyan(
       "safe-chain setup"
-    )}: This will setup your shell to wrap safe-chain around npm, npx and yarn.`
+    )}: This will setup your shell to wrap safe-chain around npm, npx, yarn, pnpm and pnpx.`
   );
   ui.writeInformation(
     `- ${chalk.cyan(

package/package.json CHANGED Viewed

@@ -1,15 +1,11 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.0.17",
+  "version": "1.0.19",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
     "lint": "eslint ."
   },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/AikidoSec/safe-chain.git"
-  },
   "bin": {
     "aikido-npm": "bin/aikido-npm.js",
     "aikido-npx": "bin/aikido-npx.js",
@@ -19,6 +15,14 @@
     "safe-chain": "bin/safe-chain.js"
   },
   "type": "module",
+  "exports": {
+    ".": {
+      "default": "./src/main.js"
+    },
+    "./scanning": {
+      "default": "./src/scanning/audit/index.js"
+    }
+  },
   "keywords": [],
   "author": "Aikido Security",
   "license": "AGPL-3.0-or-later",
@@ -31,19 +35,14 @@
     "ora": "^8.2.0",
     "semver": "^7.7.2"
   },
-  "devDependencies": {
-    "@eslint/js": "^9.26.0",
-    "eslint": "^9.26.0",
-    "eslint-plugin-import": "^2.31.0",
-    "globals": "^16.1.0",
-    "typescript-eslint": "^8.32.0"
-  },
-  "main": "eslint.config.js",
+  "main": "src/main.js",
   "bugs": {
     "url": "https://github.com/AikidoSec/safe-chain/issues"
   },
   "homepage": "https://github.com/AikidoSec/safe-chain#readme",
-  "overrides": {
-    "brace-expansion@<=2.0.2": "2.0.2"
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/AikidoSec/safe-chain.git",
+    "directory": "packages/safe-chain"
   }
 }

package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.js CHANGED Viewed

@@ -86,7 +86,9 @@ function parsePackagename(arg) {
   const lastAtIndex = arg.lastIndexOf("@");
   let name, version;
-  if (lastAtIndex !== -1) {
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@vercel/otel")
+  if (lastAtIndex > 0) {
     name = arg.slice(0, lastAtIndex);
     version = arg.slice(lastAtIndex + 1);
   } else {

package/src/packagemanager/npx/parsing/parsePackagesFromArguments.js CHANGED Viewed

@@ -81,7 +81,9 @@ function parsePackagename(arg, defaultTag) {
   const lastAtIndex = arg.lastIndexOf("@");
   let name, version;
-  if (lastAtIndex !== -1) {
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@vercel/otel")
+  if (lastAtIndex > 0) {
     name = arg.slice(0, lastAtIndex);
     version = arg.slice(lastAtIndex + 1);
   } else {

package/src/packagemanager/pnpm/createPackageManager.js CHANGED Viewed

@@ -13,6 +13,7 @@ export function createPnpmPackageManager() {
       matchesCommand(args, "update") ||
       matchesCommand(args, "upgrade") ||
       matchesCommand(args, "up") ||
+      matchesCommand(args, "install") ||
       // dlx does not always come in the first position
       // eg: pnpm --package=yo --package=generator-webapp dlx yo webapp
       // documentation: https://pnpm.io/cli/dlx#--package-name

package/src/packagemanager/yarn/parsing/parsePackagesFromArguments.js CHANGED Viewed

@@ -77,7 +77,9 @@ function parsePackagename(arg, defaultTag) {
   const lastAtIndex = arg.lastIndexOf("@");
   let name, version;
-  if (lastAtIndex !== -1) {
+  // The index of the last "@" should be greater than 0
+  // If the index is 0, it means the package name starts with "@" (eg: "@vercel/otel")
+  if (lastAtIndex > 0) {
     name = arg.slice(0, lastAtIndex);
     version = arg.slice(lastAtIndex + 1);
   } else {

package/src/shell-integration/helpers.js CHANGED Viewed

@@ -28,11 +28,35 @@ export function removeLinesMatchingPattern(filePath, pattern) {
   }
   const fileContent = fs.readFileSync(filePath, "utf-8");
-  const lines = fileContent.split(os.EOL);
-  const updatedLines = lines.filter((line) => !pattern.test(line));
+  const lines = fileContent.split(/[\r\n\u2028\u2029]+/);
+  const updatedLines = lines.filter((line) => !shouldRemoveLine(line, pattern));
   fs.writeFileSync(filePath, updatedLines.join(os.EOL), "utf-8");
 }
+const maxLineLength = 100;
+function shouldRemoveLine(line, pattern) {
+  const isPatternMatch = pattern.test(line);
+  if (!isPatternMatch) {
+    return false;
+  }
+  if (line.length > maxLineLength) {
+    // safe-chain only adds lines shorter than maxLineLength
+    // so if the line is longer, it must be from a different
+    // source and could be dangerous to remove
+    return false;
+  }
+  if (line.includes("\n") || line.includes("\r") || line.includes("\u2028") || line.includes("\u2029")) {
+    // If the line contains newlines, something has gone wrong in splitting
+    // \u2028 and \u2029 are Unicode line separator characters (line and paragraph separators)
+    return false;
+  }
+  return true;
+}
 export function addLineToFile(filePath, line) {
   if (!fs.existsSync(filePath)) {
     fs.writeFileSync(filePath, "", "utf-8");

package/.editorconfig DELETED Viewed

@@ -1,8 +0,0 @@
-[*]
-charset = utf-8
-insert_final_newline = true
-end_of_line = lf
-indent_style = space
-indent_size = 2
-max_line_length = 80

package/eslint.config.js DELETED Viewed

@@ -1,26 +0,0 @@
-import js from "@eslint/js";
-import { defineConfig, globalIgnores } from "@eslint/config-helpers";
-import globals from "globals";
-import importPlugin from "eslint-plugin-import";
-export default defineConfig([
-  {
-    files: ["**/*.{js,mjs,cjs,ts}"],
-    plugins: { js },
-    extends: ["js/recommended"],
-  },
-  {
-    files: ["**/*.{js,mjs,cjs,ts}"],
-    languageOptions: { globals: globals.node },
-  },
-  importPlugin.flatConfigs.recommended,
-  {
-    files: ["**/*.{js,mjs,cjs}"],
-    languageOptions: {
-      ecmaVersion: "latest",
-      sourceType: "module",
-    },
-    rules: {},
-  },
-  globalIgnores(['test/e2e']),
-]);

package/src/packagemanager/npm/parsing/parseNpmInstallDryRunOutput.spec.js DELETED Viewed

@@ -1,134 +0,0 @@
-import { describe, it } from "node:test";
-import assert from "node:assert";
-import { parseDryRunOutput } from "./parseNpmInstallDryRunOutput.js";
-describe("parseNpmInstallDryRunOutput", () => {
-  it("should parse added packages", () => {
-    const output = `
-add @jest/transform 29.7.0
-add @jest/test-result 29.7.0
-add @jest/reporters 29.7.0
-add @jest/console 29.7.0
-add jest-cli 29.7.0
-add import-local 3.2.0
-add @jest/types 29.6.3
-add @jest/core 29.7.0
-add jest 29.7.0
-added 267 packages in 831ms
-32 packages are looking for funding
-  run \`npm fund\` for details`;
-    const expected = [
-      { name: "@jest/transform", version: "29.7.0", type: "add" },
-      { name: "@jest/test-result", version: "29.7.0", type: "add" },
-      { name: "@jest/reporters", version: "29.7.0", type: "add" },
-      { name: "@jest/console", version: "29.7.0", type: "add" },
-      { name: "jest-cli", version: "29.7.0", type: "add" },
-      { name: "import-local", version: "3.2.0", type: "add" },
-      { name: "@jest/types", version: "29.6.3", type: "add" },
-      { name: "@jest/core", version: "29.7.0", type: "add" },
-      { name: "jest", version: "29.7.0", type: "add" },
-    ];
-    const result = parseDryRunOutput(output);
-    assert.deepEqual(result, expected);
-  });
-  it("should parse removed packages", () => {
-    const output = `
-remove react 19.1.0
-    removed 1 package in 115ms`;
-    const expected = [{ name: "react", version: "19.1.0", type: "remove" }];
-    const result = parseDryRunOutput(output);
-    assert.deepEqual(result, expected);
-  });
-  it("should parse changed packages", () => {
-    const output = `
-change react 19.0.0 => 19.1.0
-changed 1 package in 204ms`;
-    const expected = [
-      {
-        name: "react",
-        version: "19.1.0",
-        oldVersion: "19.0.0",
-        type: "change",
-      },
-    ];
-    const result = parseDryRunOutput(output);
-    assert.deepEqual(result, expected);
-  });
-  it("should parse mixed package changes", () => {
-    const output = `
-add @jest/transform 29.7.0
-add @jest/test-result 29.7.0
-add @jest/reporters 29.7.0
-add @jest/console 29.7.0
-add jest-cli 29.7.0
-add import-local 3.2.0
-add @jest/types 29.6.3
-add @jest/core 29.7.0
-add jest 29.7.0
-remove react 19.1.0
-change lodash 4.17.0 => 4.18.0
-removed 1 package in 115ms`;
-    const expected = [
-      { name: "@jest/transform", version: "29.7.0", type: "add" },
-      { name: "@jest/test-result", version: "29.7.0", type: "add" },
-      { name: "@jest/reporters", version: "29.7.0", type: "add" },
-      { name: "@jest/console", version: "29.7.0", type: "add" },
-      { name: "jest-cli", version: "29.7.0", type: "add" },
-      { name: "import-local", version: "3.2.0", type: "add" },
-      { name: "@jest/types", version: "29.6.3", type: "add" },
-      { name: "@jest/core", version: "29.7.0", type: "add" },
-      { name: "jest", version: "29.7.0", type: "add" },
-      { name: "react", version: "19.1.0", type: "remove" },
-      {
-        name: "lodash",
-        version: "4.18.0",
-        oldVersion: "4.17.0",
-        type: "change",
-      },
-    ];
-    const result = parseDryRunOutput(output);
-    assert.deepEqual(result, expected);
-  });
-  it("should work with npm v22.0.0", () => {
-    const output = `
-add  @jest/types                                        29.6.3
-add  @jest/core                                         29.7.0
-add  jest                                               29.7.0
-added 257 packages in 791ms
-44 packages are looking for funding
-    run \`npm fund\` for details`;
-    const expected = [
-      { name: "@jest/types", version: "29.6.3", type: "add" },
-      { name: "@jest/core", version: "29.7.0", type: "add" },
-      { name: "jest", version: "29.7.0", type: "add" },
-    ];
-    const result = parseDryRunOutput(output);
-    assert.deepEqual(result, expected);
-  });
-});

package/src/packagemanager/npm/parsing/parsePackagesFromInstallArgs.spec.js DELETED Viewed

@@ -1,176 +0,0 @@
-import { describe, it } from "node:test";
-import assert from "node:assert";
-import { parsePackagesFromInstallArgs } from "./parsePackagesFromInstallArgs.js";
-describe("parsePackagesFromInstallArgs", () => {
-  it("should return an empty array for no changes", () => {
-    const args = ["install"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, []);
-  });
-  it("should return an array of changes for one package", () => {
-    const args = ["install", "@jest/transform@29.7.0"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [{ name: "@jest/transform", version: "29.7.0" }]);
-  });
-  it("should return an array of changes for multiple packages", () => {
-    const args = ["install", "express@4.17.1", "lodash@4.17.21"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [
-      { name: "express", version: "4.17.1" },
-      { name: "lodash", version: "4.17.21" },
-    ]);
-  });
-  it("should ignore options and return an array of changes", () => {
-    const args = [
-      "install",
-      "--save-dev",
-      "express@4.17.1",
-      "--save-exact",
-      "lodash@4.17.21",
-    ];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [
-      { name: "express", version: "4.17.1" },
-      { name: "lodash", version: "4.17.21" },
-    ]);
-  });
-  it("should ignore options with parameters and return an array of changes", () => {
-    const args = [
-      "install",
-      "--save-dev",
-      "express@4.17.1",
-      "--loglevel",
-      "error",
-      "lodash@4.17.21",
-    ];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [
-      { name: "express", version: "4.17.1" },
-      { name: "lodash", version: "4.17.21" },
-    ]);
-  });
-  it("should not ignore the next argument if it is passed directly with the option", () => {
-    const args = [
-      "install",
-      "--save-dev",
-      "express@4.17.1",
-      "--loglevel=error",
-      "lodash@4.17.21",
-    ];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [
-      { name: "express", version: "4.17.1" },
-      { name: "lodash", version: "4.17.21" },
-    ]);
-  });
-  it("should set the default tag for packages", () => {
-    const args = ["install", "express", "lodash@4.17.21"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [
-      { name: "express", version: "latest" },
-      { name: "lodash", version: "4.17.21" },
-    ]);
-  });
-  it("should set the default tag for packages with a specific tag", () => {
-    const args = ["install", "express", "lodash@4.17.21", "--tag", "beta"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [
-      { name: "express", version: "beta" },
-      { name: "lodash", version: "4.17.21" },
-    ]);
-  });
-  it("should ignore alias", () => {
-    const args = ["install", "express@npm:express@4.17.1"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [{ name: "express", version: "4.17.1" }]);
-  });
-  it("should parse version even for aliased packages", () => {
-    const args = ["install", "express@npm:express@4.17.1"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [{ name: "express", version: "4.17.1" }]);
-  });
-  it("should parse scoped packages", () => {
-    const args = ["install", "@scope/package@1.0.0"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [{ name: "@scope/package", version: "1.0.0" }]);
-  });
-  it("should parse packages with version ranges", () => {
-    const args = ["install", "express@^4.17.1"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [{ name: "express", version: "^4.17.1" }]);
-  });
-  it("should parse package folders", () => {
-    const args = ["install", "./local-package"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [{ name: "./local-package", version: "latest" }]);
-  });
-  it("should parse tarballs", () => {
-    const args = ["install", "file:./local-package.tgz"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [
-      { name: "file:./local-package.tgz", version: "latest" },
-    ]);
-  });
-  it("should parse tarball URLs", () => {
-    const args = ["install", "https://example.com/local-package.tgz"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [
-      { name: "https://example.com/local-package.tgz", version: "latest" },
-    ]);
-  });
-  it("should parse git URLs", () => {
-    const args = ["install", "git://github.com/npm/cli.git"];
-    const result = parsePackagesFromInstallArgs(args);
-    assert.deepEqual(result, [
-      { name: "git://github.com/npm/cli.git", version: "latest" },
-    ]);
-  });
-});

package/src/packagemanager/npx/parsing/parsePackagesFromArguments.spec.js DELETED Viewed

@@ -1,147 +0,0 @@
-import { describe, it } from "node:test";
-import assert from "node:assert";
-import { parsePackagesFromArguments } from "./parsePackagesFromArguments.js";
-describe("parsePackagesFromArguments", () => {
-  it("should return an empty array for no changes", () => {
-    const args = [];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, []);
-  });
-  it("should return an array of changes for one package", () => {
-    const args = ["http-server@14.1.1"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "http-server", version: "14.1.1" }]);
-  });
-  it("should return the package with latest tag if absent", () => {
-    const args = ["http-server"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "http-server", version: "latest" }]);
-  });
-  it("should ignore double --", () => {
-    const args = ["--", "http-server"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "http-server", version: "latest" }]);
-  });
-  it("should only return the first package", () => {
-    const args = ["http-server", "jest"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "http-server", version: "latest" }]);
-  });
-  it("should return package with -p option", () => {
-    const args = ["-p", "http-server"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "http-server", version: "latest" }]);
-  });
-  it("should return package with --package option", () => {
-    const args = ["--package", "http-server"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "http-server", version: "latest" }]);
-  });
-  it("should return package with --package=x option", () => {
-    const args = ["--package=http-server"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "http-server", version: "latest" }]);
-  });
-  it("should return package with --package=x@version option", () => {
-    const args = ["--package=http-server@1.0.0"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "http-server", version: "1.0.0" }]);
-  });
-  it("should ignore options with parameters and return an array of changes", () => {
-    const args = ["--loglevel", "error", "http-server@14.1.1"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "http-server", version: "14.1.1" }]);
-  });
-  it("should parse version even for aliased packages", () => {
-    const args = ["server@npm:http-server@14.1.1"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "http-server", version: "14.1.1" }]);
-  });
-  it("should parse scoped packages", () => {
-    const args = ["@scope/package@1.0.0"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "@scope/package", version: "1.0.0" }]);
-  });
-  it("should parse packages with version ranges", () => {
-    const args = ["http-server@^14.1.1"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "http-server", version: "^14.1.1" }]);
-  });
-  it("should parse package folders", () => {
-    const args = ["./local-package"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [{ name: "./local-package", version: "latest" }]);
-  });
-  it("should parse tarballs", () => {
-    const args = ["file:./local-package.tgz"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [
-      { name: "file:./local-package.tgz", version: "latest" },
-    ]);
-  });
-  it("should parse tarball URLs", () => {
-    const args = ["https://example.com/local-package.tgz"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [
-      { name: "https://example.com/local-package.tgz", version: "latest" },
-    ]);
-  });
-  it("should parse git URLs", () => {
-    const args = ["git://github.com/http-party/http-server"];
-    const result = parsePackagesFromArguments(args);
-    assert.deepEqual(result, [
-      { name: "git://github.com/http-party/http-server", version: "latest" },
-    ]);
-  });
-});