@aikidosec/safe-chain 1.0.21 → 1.0.23

package/README.md

@@ -8,12 +8,16 @@ The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [n
 
 Aikido Safe Chain works on Node.js version 18 and above and supports the following package managers:
 
-- ✅ **npm**
-- ✅ **npx**
-- ✅ **yarn**
-- ✅ **pnpm**
-- ✅ **pnpx**
-- 🚧 **bun** Coming soon
+- ✅ full coverage: **npm >= 10.4.0**:
+- ⚠️ limited to scanning the install command arguments (broader scanning coming soon):
+  - **npm < 10.4.0**
+  - **npx**
+  - **yarn**
+  - **pnpm**
+  - **pnpx**
+- 🚧 **bun**: coming soon
+
+Note on the limited support for npm < 10.4.0, npx, yarn, pnpm and pnpx: adding **full support for these package managers is a high priority**. In the meantime, we offer limited support already, which means that the Aikido Safe Chain will scan the package names passed as arguments to the install commands. However, it will not scan the full dependency tree of these packages.
 
 # Usage
 
@@ -84,4 +88,4 @@ npm install suspicious-package --safe-chain-malware-action=prompt
 
 # Usage in CI/CD
 
-🚧 Support for CI/CD environments is coming soon...
+[Learn more about Safe Chain CI/CD integration in the Aikido docs.](https://help.aikido.dev/code-scanning/aikido-malware-scanning/malware-scanning-with-safe-chain-in-ci-cd-environments)

package/bin/aikido-npm.js

@@ -1,8 +1,19 @@
 #!/usr/bin/env node
 
+import { execSync } from "child_process";
 import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 
 const packageManagerName = "npm";
-initializePackageManager(packageManagerName, process.versions.node);
+initializePackageManager(packageManagerName, getNpmVersion());
 await main(process.argv.slice(2));
+
+function getNpmVersion() {
+  try {
+    return execSync("npm --version").toString().trim();
+  } catch {
+    // Default to 0.0.0 if npm is not found
+    // That way we don't use any unsupported features
+    return "0.0.0";
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.0.21",
+  "version": "1.0.23",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
@@ -28,12 +28,12 @@
   "license": "AGPL-3.0-or-later",
   "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), and [pnpx](https://pnpm.io/cli/dlx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, or pnpx from downloading or running the malware.",
   "dependencies": {
-    "@inquirer/prompts": "^7.4.1",
-    "abbrev": "^3.0.1",
-    "chalk": "^5.4.1",
-    "npm-registry-fetch": "^18.0.2",
-    "ora": "^8.2.0",
-    "semver": "^7.7.2"
+    "abbrev": "3.0.1",
+    "chalk": "5.4.1",
+    "make-fetch-happen": "14.0.3",
+    "npm-registry-fetch": "18.0.2",
+    "ora": "8.2.0",
+    "semver": "7.7.2"
   },
   "main": "src/main.js",
   "bugs": {

package/src/api/aikido.js

@@ -1,3 +1,5 @@
+import fetch from "make-fetch-happen";
+
 const malwareDatabaseUrl =
   "https://malware-list.aikido.dev/malware_predictions.json";
 

package/src/environment/userInteraction.js

@@ -1,6 +1,6 @@
 import chalk from "chalk";
 import ora from "ora";
-import { confirm as inquirerConfirm } from "@inquirer/prompts";
+import { createInterface } from "readline";
 import { isCi } from "./environment.js";
 
 function emptyLine() {
@@ -61,12 +61,29 @@ function startProcess(message) {
 async function confirm(config) {
   if (isCi()) {
     return Promise.resolve(config.default);
-  } else {
-    return inquirerConfirm({
-      message: config.message,
-      default: config.default,
-    });
   }
+
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+
+  return new Promise((resolve) => {
+    const defaultText = config.default ? " (Y/n)" : " (y/N)";
+    rl.question(`${config.message}${defaultText} `, (answer) => {
+      rl.close();
+
+      const normalizedAnswer = answer.trim().toLowerCase();
+
+      if (normalizedAnswer === "y" || normalizedAnswer === "yes") {
+        resolve(true);
+      } else if (normalizedAnswer === "n" || normalizedAnswer === "no") {
+        resolve(false);
+      } else {
+        resolve(config.default);
+      }
+    });
+  });
 }
 
 export const ui = {

package/src/packagemanager/npm/createPackageManager.js

@@ -14,10 +14,13 @@ import {
 } from "./utils/npmCommands.js";
 
 export function createNpmPackageManager(version) {
-  const supportedScanners =
-    getMajorVersion(version) >= 22
-      ? npm22AndAboveSupportedScanners
-      : npm21AndBelowSupportedScanners;
+  // From npm v10.4.0 onwards, the npm commands output detailed information
+  // when using the --dry-run flag.
+  // We use that information to scan for dependency changes.
+  // For older versions of npm we have to rely on parsing the command arguments.
+  const supportedScanners = isPriorToNpm10_4(version)
+    ? npm10_3AndBelowSupportedScanners
+    : npm10_4AndAboveSupportedScanners;
 
   function isSupportedCommand(args) {
     const scanner = findDependencyScannerForCommand(supportedScanners, args);
@@ -30,14 +33,13 @@ export function createNpmPackageManager(version) {
   }
 
   return {
-    getWarningMessage: () => warnForLimitedSupport(version),
     runCommand: runNpm,
     isSupportedCommand,
     getDependencyUpdatesForCommand,
   };
 }
 
-const npm22AndAboveSupportedScanners = {
+const npm10_4AndAboveSupportedScanners = {
   [npmInstallCommand]: dryRunScanner(),
   [npmUpdateCommand]: dryRunScanner(),
   [npmCiCommand]: dryRunScanner(),
@@ -53,23 +55,22 @@ const npm22AndAboveSupportedScanners = {
   [npmInstallCiTestCommand]: dryRunScanner({ dryRunCommand: npmCiCommand }),
 };
 
-const npm21AndBelowSupportedScanners = {
+const npm10_3AndBelowSupportedScanners = {
   [npmInstallCommand]: commandArgumentScanner(),
   [npmUpdateCommand]: commandArgumentScanner(),
   [npmExecCommand]: commandArgumentScanner({ ignoreDryRun: true }), // exec command doesn't support dry-run
 };
 
-function warnForLimitedSupport(version) {
-  if (getMajorVersion(version) >= 22) {
-    return null;
+function isPriorToNpm10_4(version) {
+  try {
+    const [major, minor] = version.split(".").map(Number);
+    if (major < 10) return true;
+    if (major === 10 && minor < 4) return true;
+    return false;
+  } catch {
+    // Default to true: if version parsing fails, assume it's an older version
+    return true;
   }
-
-  return `Aikido-npm will only scan the arguments of the install command for Node.js version prior to version 22.
-Please update your Node.js version to 22 or higher for full coverage. Current version: v${version}`;
-}
-
-function getMajorVersion(version) {
-  return parseInt(version.split(".")[0]);
 }
 
 function findDependencyScannerForCommand(scanners, args) {

package/src/packagemanager/npx/createPackageManager.js

@@ -5,7 +5,6 @@ export function createNpxPackageManager() {
   const scanner = commandArgumentScanner();
 
   return {
-    getWarningMessage: () => null,
     runCommand: runNpx,
     isSupportedCommand: (args) => scanner.shouldScan(args),
     getDependencyUpdatesForCommand: (args) => scanner.scan(args),

package/src/packagemanager/pnpm/createPackageManager.js

@@ -6,7 +6,6 @@ const scanner = commandArgumentScanner();
 
 export function createPnpmPackageManager() {
   return {
-    getWarningMessage: () => null,
     runCommand: (args) => runPnpmCommand(args, "pnpm"),
     isSupportedCommand: (args) =>
       matchesCommand(args, "add") ||
@@ -26,7 +25,6 @@ export function createPnpmPackageManager() {
 
 export function createPnpxPackageManager() {
   return {
-    getWarningMessage: () => null,
     runCommand: (args) => runPnpmCommand(args, "pnpx"),
     isSupportedCommand: () => true,
     getDependencyUpdatesForCommand: (args) =>

package/src/packagemanager/yarn/createPackageManager.js

@@ -5,7 +5,6 @@ const scanner = commandArgumentScanner();
 
 export function createYarnPackageManager() {
   return {
-    getWarningMessage: () => null,
     runCommand: runYarnCommand,
     isSupportedCommand: (args) =>
       matchesCommand(args, "add") ||

package/src/shell-integration/helpers.js

@@ -1,6 +1,7 @@
 import { spawnSync } from "child_process";
 import * as os from "os";
 import fs from "fs";
+import path from "path";
 
 export const knownAikidoTools = [
   { tool: "npm", aikidoCommand: "aikido-npm" },
@@ -22,15 +23,17 @@ export function doesExecutableExistOnSystem(executableName) {
   }
 }
 
-export function removeLinesMatchingPattern(filePath, pattern) {
+export function removeLinesMatchingPattern(filePath, pattern, eol) {
   if (!fs.existsSync(filePath)) {
     return;
   }
 
+  eol = eol || os.EOL;
+
   const fileContent = fs.readFileSync(filePath, "utf-8");
-  const lines = fileContent.split(/[\r\n\u2028\u2029]+/);
+  const lines = fileContent.split(/[\r\n\u2028\u2029]/);
   const updatedLines = lines.filter((line) => !shouldRemoveLine(line, pattern));
-  fs.writeFileSync(filePath, updatedLines.join(os.EOL), "utf-8");
+  fs.writeFileSync(filePath, updatedLines.join(eol), "utf-8");
 }
 
 const maxLineLength = 100;
@@ -43,12 +46,17 @@ function shouldRemoveLine(line, pattern) {
 
   if (line.length > maxLineLength) {
     // safe-chain only adds lines shorter than maxLineLength
-    // so if the line is longer, it must be from a different 
+    // so if the line is longer, it must be from a different
     // source and could be dangerous to remove
     return false;
   }
 
-  if (line.includes("\n") || line.includes("\r") || line.includes("\u2028") || line.includes("\u2029")) {
+  if (
+    line.includes("\n") ||
+    line.includes("\r") ||
+    line.includes("\u2028") ||
+    line.includes("\u2029")
+  ) {
     // If the line contains newlines, something has gone wrong in splitting
     // \u2028 and \u2029 are Unicode line separator characters (line and paragraph separators)
     return false;
@@ -57,12 +65,25 @@ function shouldRemoveLine(line, pattern) {
   return true;
 }
 
-export function addLineToFile(filePath, line) {
-  if (!fs.existsSync(filePath)) {
-    fs.writeFileSync(filePath, "", "utf-8");
-  }
+export function addLineToFile(filePath, line, eol) {
+  createFileIfNotExists(filePath);
+
+  eol = eol || os.EOL;
 
   const fileContent = fs.readFileSync(filePath, "utf-8");
-  const updatedContent = fileContent + os.EOL + line;
+  const updatedContent = fileContent + eol + line + eol;
   fs.writeFileSync(filePath, updatedContent, "utf-8");
 }
+
+function createFileIfNotExists(filePath) {
+  if (fs.existsSync(filePath)) {
+    return;
+  }
+
+  const dir = path.dirname(filePath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+
+  fs.writeFileSync(filePath, "", "utf-8");
+}

package/src/shell-integration/setup.js

@@ -56,11 +56,13 @@ export async function setup() {
  */
 function setupShell(shell) {
   let success = false;
+  let error;
   try {
     shell.teardown(knownAikidoTools); // First, tear down to prevent duplicate aliases
     success = shell.setup(knownAikidoTools);
-  } catch {
+  } catch (err) {
     success = false;
+    error = err;
   }
 
   if (success) {
@@ -75,6 +77,13 @@ function setupShell(shell) {
         "Setup failed"
       )}. Please check your ${shell.name} configuration.`
     );
+    if (error) {
+      let message = `  Error: ${error.message}`;
+      if (error.code) {
+        message += ` (code: ${error.code})`;
+      }
+      ui.writeError(message);
+    }
   }
 
   return success;

package/src/shell-integration/supported-shells/bash.js

@@ -9,6 +9,7 @@ import * as os from "os";
 const shellName = "Bash";
 const executableName = "bash";
 const startupFileCommand = "echo ~/.bashrc";
+const eol = "\n"; // When bash runs on Windows (e.g., Git Bash or WSL), it expects LF line endings.
 
 function isInstalled() {
   return doesExecutableExistOnSystem(executableName);
@@ -19,13 +20,18 @@ function teardown(tools) {
 
   for (const { tool } of tools) {
     // Remove any existing alias for the tool
-    removeLinesMatchingPattern(startupFile, new RegExp(`^alias\\s+${tool}=`));
+    removeLinesMatchingPattern(
+      startupFile,
+      new RegExp(`^alias\\s+${tool}=`),
+      eol
+    );
   }
 
   // Removes the line that sources the safe-chain bash initialization script (~/.aikido/scripts/init-posix.sh)
   removeLinesMatchingPattern(
     startupFile,
-    /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/
+    /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/,
+    eol
   );
 
   return true;
@@ -36,7 +42,8 @@ function setup() {
 
   addLineToFile(
     startupFile,
-    `source ~/.safe-chain/scripts/init-posix.sh # Safe-chain bash initialization script`
+    `source ~/.safe-chain/scripts/init-posix.sh # Safe-chain bash initialization script`,
+    eol
   );
 
   return true;

package/src/shell-integration/supported-shells/fish.js

@@ -8,6 +8,7 @@ import { execSync } from "child_process";
 const shellName = "Fish";
 const executableName = "fish";
 const startupFileCommand = "echo ~/.config/fish/config.fish";
+const eol = "\n"; // When fish runs on Windows (e.g., Git Bash or WSL), it expects LF line endings.
 
 function isInstalled() {
   return doesExecutableExistOnSystem(executableName);
@@ -20,14 +21,16 @@ function teardown(tools) {
     // Remove any existing alias for the tool
     removeLinesMatchingPattern(
       startupFile,
-      new RegExp(`^alias\\s+${tool}\\s+`)
+      new RegExp(`^alias\\s+${tool}\\s+`),
+      eol
     );
   }
 
   // Removes the line that sources the safe-chain fish initialization script (~/.safe-chain/scripts/init-fish.fish)
   removeLinesMatchingPattern(
     startupFile,
-    /^source\s+~\/\.safe-chain\/scripts\/init-fish\.fish/
+    /^source\s+~\/\.safe-chain\/scripts\/init-fish\.fish/,
+    eol
   );
 
   return true;
@@ -38,7 +41,8 @@ function setup() {
 
   addLineToFile(
     startupFile,
-    `source ~/.safe-chain/scripts/init-fish.fish # Safe-chain Fish initialization script`
+    `source ~/.safe-chain/scripts/init-fish.fish # Safe-chain Fish initialization script`,
+    eol
   );
 
   return true;

package/src/shell-integration/supported-shells/zsh.js

@@ -8,6 +8,7 @@ import { execSync } from "child_process";
 const shellName = "Zsh";
 const executableName = "zsh";
 const startupFileCommand = "echo ${ZDOTDIR:-$HOME}/.zshrc";
+const eol = "\n"; // When zsh runs on Windows (e.g., Git Bash or WSL), it expects LF line endings.
 
 function isInstalled() {
   return doesExecutableExistOnSystem(executableName);
@@ -18,13 +19,18 @@ function teardown(tools) {
 
   for (const { tool } of tools) {
     // Remove any existing alias for the tool
-    removeLinesMatchingPattern(startupFile, new RegExp(`^alias\\s+${tool}=`));
+    removeLinesMatchingPattern(
+      startupFile,
+      new RegExp(`^alias\\s+${tool}=`),
+      eol
+    );
   }
 
   // Removes the line that sources the safe-chain zsh initialization script (~/.aikido/scripts/init-posix.sh)
   removeLinesMatchingPattern(
     startupFile,
-    /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/
+    /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/,
+    eol
   );
 
   return true;
@@ -35,7 +41,8 @@ function setup() {
 
   addLineToFile(
     startupFile,
-    `source ~/.safe-chain/scripts/init-posix.sh # Safe-chain Zsh initialization script`
+    `source ~/.safe-chain/scripts/init-posix.sh # Safe-chain Zsh initialization script`,
+    eol
   );
 
   return true;