npm - @aikidosec/safe-chain - Versions diffs - 1.0.21 → 1.0.22 - Mend

@aikidosec/safe-chain 1.0.21 → 1.0.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/bin/aikido-npm.js +12 -1
package/package.json +2 -2
package/src/api/aikido.js +2 -0
package/src/environment/userInteraction.js +23 -6
package/src/packagemanager/npm/createPackageManager.js +18 -17
package/src/packagemanager/npx/createPackageManager.js +0 -1
package/src/packagemanager/pnpm/createPackageManager.js +0 -2
package/src/packagemanager/yarn/createPackageManager.js +0 -1

package/bin/aikido-npm.js CHANGED Viewed

@@ -1,8 +1,19 @@
 #!/usr/bin/env node
+import { execSync } from "child_process";
 import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 const packageManagerName = "npm";
-initializePackageManager(packageManagerName, process.versions.node);
+initializePackageManager(packageManagerName, getNpmVersion());
 await main(process.argv.slice(2));
+function getNpmVersion() {
+  try {
+    return execSync("npm --version").toString().trim();
+  } catch {
+    // Default to 0.0.0 if npm is not found
+    // That way we don't use any unsupported features
+    return "0.0.0";
+  }
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.0.21",
+  "version": "1.0.22",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
@@ -28,9 +28,9 @@
   "license": "AGPL-3.0-or-later",
   "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), and [pnpx](https://pnpm.io/cli/dlx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, or pnpx from downloading or running the malware.",
   "dependencies": {
-    "@inquirer/prompts": "^7.4.1",
     "abbrev": "^3.0.1",
     "chalk": "^5.4.1",
+    "make-fetch-happen": "^14.0.3",
     "npm-registry-fetch": "^18.0.2",
     "ora": "^8.2.0",
     "semver": "^7.7.2"

package/src/api/aikido.js CHANGED Viewed

@@ -1,3 +1,5 @@
+import fetch from "make-fetch-happen";
 const malwareDatabaseUrl =
   "https://malware-list.aikido.dev/malware_predictions.json";

package/src/environment/userInteraction.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import chalk from "chalk";
 import ora from "ora";
-import { confirm as inquirerConfirm } from "@inquirer/prompts";
+import { createInterface } from "readline";
 import { isCi } from "./environment.js";
 function emptyLine() {
@@ -61,12 +61,29 @@ function startProcess(message) {
 async function confirm(config) {
   if (isCi()) {
     return Promise.resolve(config.default);
-  } else {
-    return inquirerConfirm({
-      message: config.message,
-      default: config.default,
-    });
   }
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+  return new Promise((resolve) => {
+    const defaultText = config.default ? " (Y/n)" : " (y/N)";
+    rl.question(`${config.message}${defaultText} `, (answer) => {
+      rl.close();
+      const normalizedAnswer = answer.trim().toLowerCase();
+      if (normalizedAnswer === "y" || normalizedAnswer === "yes") {
+        resolve(true);
+      } else if (normalizedAnswer === "n" || normalizedAnswer === "no") {
+        resolve(false);
+      } else {
+        resolve(config.default);
+      }
+    });
+  });
 }
 export const ui = {

package/src/packagemanager/npm/createPackageManager.js CHANGED Viewed

@@ -14,10 +14,13 @@ import {
 } from "./utils/npmCommands.js";
 export function createNpmPackageManager(version) {
-  const supportedScanners =
-    getMajorVersion(version) >= 22
-      ? npm22AndAboveSupportedScanners
-      : npm21AndBelowSupportedScanners;
+  // From npm v10.4.0 onwards, the npm commands output detailed information
+  // when using the --dry-run flag.
+  // We use that information to scan for dependency changes.
+  // For older versions of npm we have to rely on parsing the command arguments.
+  const supportedScanners = isPriorToNpm10_4(version)
+    ? npm10_3AndBelowSupportedScanners
+    : npm10_4AndAboveSupportedScanners;
   function isSupportedCommand(args) {
     const scanner = findDependencyScannerForCommand(supportedScanners, args);
@@ -30,14 +33,13 @@ export function createNpmPackageManager(version) {
   }
   return {
-    getWarningMessage: () => warnForLimitedSupport(version),
     runCommand: runNpm,
     isSupportedCommand,
     getDependencyUpdatesForCommand,
   };
 }
-const npm22AndAboveSupportedScanners = {
+const npm10_4AndAboveSupportedScanners = {
   [npmInstallCommand]: dryRunScanner(),
   [npmUpdateCommand]: dryRunScanner(),
   [npmCiCommand]: dryRunScanner(),
@@ -53,23 +55,22 @@ const npm22AndAboveSupportedScanners = {
   [npmInstallCiTestCommand]: dryRunScanner({ dryRunCommand: npmCiCommand }),
 };
-const npm21AndBelowSupportedScanners = {
+const npm10_3AndBelowSupportedScanners = {
   [npmInstallCommand]: commandArgumentScanner(),
   [npmUpdateCommand]: commandArgumentScanner(),
   [npmExecCommand]: commandArgumentScanner({ ignoreDryRun: true }), // exec command doesn't support dry-run
 };
-function warnForLimitedSupport(version) {
-  if (getMajorVersion(version) >= 22) {
-    return null;
+function isPriorToNpm10_4(version) {
+  try {
+    const [major, minor] = version.split(".").map(Number);
+    if (major < 10) return true;
+    if (major === 10 && minor < 4) return true;
+    return false;
+  } catch {
+    // Default to true: if version parsing fails, assume it's an older version
+    return true;
   }
-  return `Aikido-npm will only scan the arguments of the install command for Node.js version prior to version 22.
-Please update your Node.js version to 22 or higher for full coverage. Current version: v${version}`;
-}
-function getMajorVersion(version) {
-  return parseInt(version.split(".")[0]);
 }
 function findDependencyScannerForCommand(scanners, args) {

package/src/packagemanager/npx/createPackageManager.js CHANGED Viewed

@@ -5,7 +5,6 @@ export function createNpxPackageManager() {
   const scanner = commandArgumentScanner();
   return {
-    getWarningMessage: () => null,
     runCommand: runNpx,
     isSupportedCommand: (args) => scanner.shouldScan(args),
     getDependencyUpdatesForCommand: (args) => scanner.scan(args),

package/src/packagemanager/pnpm/createPackageManager.js CHANGED Viewed

@@ -6,7 +6,6 @@ const scanner = commandArgumentScanner();
 export function createPnpmPackageManager() {
   return {
-    getWarningMessage: () => null,
     runCommand: (args) => runPnpmCommand(args, "pnpm"),
     isSupportedCommand: (args) =>
       matchesCommand(args, "add") ||
@@ -26,7 +25,6 @@ export function createPnpmPackageManager() {
 export function createPnpxPackageManager() {
   return {
-    getWarningMessage: () => null,
     runCommand: (args) => runPnpmCommand(args, "pnpx"),
     isSupportedCommand: () => true,
     getDependencyUpdatesForCommand: (args) =>

package/src/packagemanager/yarn/createPackageManager.js CHANGED Viewed

@@ -5,7 +5,6 @@ const scanner = commandArgumentScanner();
 export function createYarnPackageManager() {
   return {
-    getWarningMessage: () => null,
     runCommand: runYarnCommand,
     isSupportedCommand: (args) =>
       matchesCommand(args, "add") ||