npm - @aikidosec/safe-chain - Versions diffs - 1.0.20 → 1.0.22 - Mend

@aikidosec/safe-chain 1.0.20 → 1.0.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +16 -1
package/bin/aikido-npm.js +12 -1
package/package.json +2 -2
package/src/api/aikido.js +2 -0
package/src/config/cliArguments.js +50 -0
package/src/config/settings.js +14 -0
package/src/environment/userInteraction.js +23 -6
package/src/main.js +4 -0
package/src/packagemanager/npm/createPackageManager.js +18 -17
package/src/packagemanager/npx/createPackageManager.js +0 -1
package/src/packagemanager/pnpm/createPackageManager.js +0 -2
package/src/packagemanager/yarn/createPackageManager.js +0 -1
package/src/scanning/index.js +16 -14

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # Aikido Safe Chain
-The Aikido Safe Chain **prevents developers from installing malware** on their workstations through npm, npx, yarn, pnpm and pnpx.
+The Aikido Safe Chain **prevents developers from installing malware** on their workstations through npm, npx, yarn, pnpm and pnpx. It's **free** to use and does not require any token.
 The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), and [pnpx](https://pnpm.io/cli/dlx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm or pnpx from downloading or running the malware.
@@ -67,6 +67,21 @@ To uninstall the Aikido Safe Chain, you can run the following command:
    ```
 3. **❗Restart your terminal** to remove the aliases.
+# Configuration
+## Malware Action
+You can control how Aikido Safe Chain responds when malware is detected using the `--safe-chain-malware-action` flag:
+- `--safe-chain-malware-action=block` (**default**) - Automatically blocks installation and exits with an error when malware is detected
+- `--safe-chain-malware-action=prompt` - Prompts the user to decide whether to continue despite the malware detection
+Example usage:
+```shell
+npm install suspicious-package --safe-chain-malware-action=prompt
+```
 # Usage in CI/CD
 🚧 Support for CI/CD environments is coming soon...

package/bin/aikido-npm.js CHANGED Viewed

@@ -1,8 +1,19 @@
 #!/usr/bin/env node
+import { execSync } from "child_process";
 import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 const packageManagerName = "npm";
-initializePackageManager(packageManagerName, process.versions.node);
+initializePackageManager(packageManagerName, getNpmVersion());
 await main(process.argv.slice(2));
+function getNpmVersion() {
+  try {
+    return execSync("npm --version").toString().trim();
+  } catch {
+    // Default to 0.0.0 if npm is not found
+    // That way we don't use any unsupported features
+    return "0.0.0";
+  }
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.0.20",
+  "version": "1.0.22",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
@@ -28,9 +28,9 @@
   "license": "AGPL-3.0-or-later",
   "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), and [pnpx](https://pnpm.io/cli/dlx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, or pnpx from downloading or running the malware.",
   "dependencies": {
-    "@inquirer/prompts": "^7.4.1",
     "abbrev": "^3.0.1",
     "chalk": "^5.4.1",
+    "make-fetch-happen": "^14.0.3",
     "npm-registry-fetch": "^18.0.2",
     "ora": "^8.2.0",
     "semver": "^7.7.2"

package/src/api/aikido.js CHANGED Viewed

@@ -1,3 +1,5 @@
+import fetch from "make-fetch-happen";
 const malwareDatabaseUrl =
   "https://malware-list.aikido.dev/malware_predictions.json";

package/src/config/cliArguments.js ADDED Viewed

@@ -0,0 +1,50 @@
+const state = {
+  malwareAction: undefined,
+};
+const SAFE_CHAIN_ARG_PREFIX = "--safe-chain-";
+export function initializeCliArguments(args) {
+  // Reset state on each call
+  state.malwareAction = undefined;
+  const safeChainArgs = [];
+  const remainingArgs = [];
+  for (const arg of args) {
+    if (arg.toLowerCase().startsWith(SAFE_CHAIN_ARG_PREFIX)) {
+      safeChainArgs.push(arg);
+    } else {
+      remainingArgs.push(arg);
+    }
+  }
+  setMalwareAction(safeChainArgs);
+  return remainingArgs;
+}
+function setMalwareAction(args) {
+  const safeChainMalwareActionArg = SAFE_CHAIN_ARG_PREFIX + "malware-action=";
+  const action = getLastArgEqualsValue(args, safeChainMalwareActionArg);
+  if (!action) {
+    return;
+  }
+  state.malwareAction = action.toLowerCase();
+}
+function getLastArgEqualsValue(args, prefix) {
+  for (var i = args.length - 1; i >= 0; i--) {
+    const arg = args[i];
+    if (arg.toLowerCase().startsWith(prefix)) {
+      return arg.substring(prefix.length);
+    }
+  }
+  return undefined;
+}
+export function getMalwareAction() {
+  return state.malwareAction;
+}

package/src/config/settings.js ADDED Viewed

@@ -0,0 +1,14 @@
+import * as cliArguments from "./cliArguments.js";
+export function getMalwareAction() {
+  const action = cliArguments.getMalwareAction();
+  if (action === MALWARE_ACTION_PROMPT) {
+    return MALWARE_ACTION_PROMPT;
+  }
+  return MALWARE_ACTION_BLOCK;
+}
+export const MALWARE_ACTION_BLOCK = "block";
+export const MALWARE_ACTION_PROMPT = "prompt";

package/src/environment/userInteraction.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import chalk from "chalk";
 import ora from "ora";
-import { confirm as inquirerConfirm } from "@inquirer/prompts";
+import { createInterface } from "readline";
 import { isCi } from "./environment.js";
 function emptyLine() {
@@ -61,12 +61,29 @@ function startProcess(message) {
 async function confirm(config) {
   if (isCi()) {
     return Promise.resolve(config.default);
-  } else {
-    return inquirerConfirm({
-      message: config.message,
-      default: config.default,
-    });
   }
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+  return new Promise((resolve) => {
+    const defaultText = config.default ? " (Y/n)" : " (y/N)";
+    rl.question(`${config.message}${defaultText} `, (answer) => {
+      rl.close();
+      const normalizedAnswer = answer.trim().toLowerCase();
+      if (normalizedAnswer === "y" || normalizedAnswer === "yes") {
+        resolve(true);
+      } else if (normalizedAnswer === "n" || normalizedAnswer === "no") {
+        resolve(false);
+      } else {
+        resolve(config.default);
+      }
+    });
+  });
 }
 export const ui = {

package/src/main.js CHANGED Viewed

@@ -3,9 +3,13 @@
 import { scanCommand, shouldScanCommand } from "./scanning/index.js";
 import { ui } from "./environment/userInteraction.js";
 import { getPackageManager } from "./packagemanager/currentPackageManager.js";
+import { initializeCliArguments } from "./config/cliArguments.js";
 export async function main(args) {
   try {
+    // This parses all the --safe-chain arguments and removes them from the args array
+    args = initializeCliArguments(args);
     if (shouldScanCommand(args)) {
       await scanCommand(args);
     }

package/src/packagemanager/npm/createPackageManager.js CHANGED Viewed

@@ -14,10 +14,13 @@ import {
 } from "./utils/npmCommands.js";
 export function createNpmPackageManager(version) {
-  const supportedScanners =
-    getMajorVersion(version) >= 22
-      ? npm22AndAboveSupportedScanners
-      : npm21AndBelowSupportedScanners;
+  // From npm v10.4.0 onwards, the npm commands output detailed information
+  // when using the --dry-run flag.
+  // We use that information to scan for dependency changes.
+  // For older versions of npm we have to rely on parsing the command arguments.
+  const supportedScanners = isPriorToNpm10_4(version)
+    ? npm10_3AndBelowSupportedScanners
+    : npm10_4AndAboveSupportedScanners;
   function isSupportedCommand(args) {
     const scanner = findDependencyScannerForCommand(supportedScanners, args);
@@ -30,14 +33,13 @@ export function createNpmPackageManager(version) {
   }
   return {
-    getWarningMessage: () => warnForLimitedSupport(version),
     runCommand: runNpm,
     isSupportedCommand,
     getDependencyUpdatesForCommand,
   };
 }
-const npm22AndAboveSupportedScanners = {
+const npm10_4AndAboveSupportedScanners = {
   [npmInstallCommand]: dryRunScanner(),
   [npmUpdateCommand]: dryRunScanner(),
   [npmCiCommand]: dryRunScanner(),
@@ -53,23 +55,22 @@ const npm22AndAboveSupportedScanners = {
   [npmInstallCiTestCommand]: dryRunScanner({ dryRunCommand: npmCiCommand }),
 };
-const npm21AndBelowSupportedScanners = {
+const npm10_3AndBelowSupportedScanners = {
   [npmInstallCommand]: commandArgumentScanner(),
   [npmUpdateCommand]: commandArgumentScanner(),
   [npmExecCommand]: commandArgumentScanner({ ignoreDryRun: true }), // exec command doesn't support dry-run
 };
-function warnForLimitedSupport(version) {
-  if (getMajorVersion(version) >= 22) {
-    return null;
+function isPriorToNpm10_4(version) {
+  try {
+    const [major, minor] = version.split(".").map(Number);
+    if (major < 10) return true;
+    if (major === 10 && minor < 4) return true;
+    return false;
+  } catch {
+    // Default to true: if version parsing fails, assume it's an older version
+    return true;
   }
-  return `Aikido-npm will only scan the arguments of the install command for Node.js version prior to version 22.
-Please update your Node.js version to 22 or higher for full coverage. Current version: v${version}`;
-}
-function getMajorVersion(version) {
-  return parseInt(version.split(".")[0]);
 }
 function findDependencyScannerForCommand(scanners, args) {

package/src/packagemanager/npx/createPackageManager.js CHANGED Viewed

@@ -5,7 +5,6 @@ export function createNpxPackageManager() {
   const scanner = commandArgumentScanner();
   return {
-    getWarningMessage: () => null,
     runCommand: runNpx,
     isSupportedCommand: (args) => scanner.shouldScan(args),
     getDependencyUpdatesForCommand: (args) => scanner.scan(args),

package/src/packagemanager/pnpm/createPackageManager.js CHANGED Viewed

@@ -6,7 +6,6 @@ const scanner = commandArgumentScanner();
 export function createPnpmPackageManager() {
   return {
-    getWarningMessage: () => null,
     runCommand: (args) => runPnpmCommand(args, "pnpm"),
     isSupportedCommand: (args) =>
       matchesCommand(args, "add") ||
@@ -26,7 +25,6 @@ export function createPnpmPackageManager() {
 export function createPnpxPackageManager() {
   return {
-    getWarningMessage: () => null,
     runCommand: (args) => runPnpmCommand(args, "pnpx"),
     isSupportedCommand: () => true,
     getDependencyUpdatesForCommand: (args) =>

package/src/packagemanager/yarn/createPackageManager.js CHANGED Viewed

@@ -5,7 +5,6 @@ const scanner = commandArgumentScanner();
 export function createYarnPackageManager() {
   return {
-    getWarningMessage: () => null,
     runCommand: runYarnCommand,
     isSupportedCommand: (args) =>
       matchesCommand(args, "add") ||

package/src/scanning/index.js CHANGED Viewed

@@ -4,6 +4,7 @@ import { setTimeout } from "timers/promises";
 import chalk from "chalk";
 import { getPackageManager } from "../packagemanager/currentPackageManager.js";
 import { ui } from "../environment/userInteraction.js";
+import { getMalwareAction, MALWARE_ACTION_PROMPT } from "../config/settings.js";
 export function shouldScanCommand(args) {
   if (!args || args.length === 0) {
@@ -59,10 +60,7 @@ export async function scanCommand(args) {
     spinner.succeed("No malicious packages detected.");
   } else {
     printMaliciousChanges(audit.disallowedChanges, spinner);
-    await acceptRiskOrExit(
-      "Do you want to continue with the installation despite the risks?",
-      false
-    );
+    await onMalwareFound();
   }
 }
@@ -74,19 +72,23 @@ function printMaliciousChanges(changes, spinner) {
   }
 }
-async function acceptRiskOrExit(message, defaultValue) {
+async function onMalwareFound() {
   ui.emptyLine();
-  const continueInstall = await ui.confirm({
-    message: message,
-    default: defaultValue,
-  });
-  if (continueInstall) {
-    ui.writeInformation("Continuing with the installation...");
-    return;
+  if (getMalwareAction() === MALWARE_ACTION_PROMPT) {
+    const continueInstall = await ui.confirm({
+      message:
+        "Malicious packages were found. Do you want to continue with the installation?",
+      default: false,
+    });
+    if (continueInstall) {
+      ui.writeWarning("Continuing with the installation despite the risks...");
+      return;
+    }
   }
-  ui.writeInformation("Exiting without installing packages.");
+  ui.writeError("Exiting without installing malicious packages.");
   ui.emptyLine();
   process.exit(1);
 }