@aikidosec/safe-chain 1.1.3 → 1.1.5

package/README.md

@@ -40,6 +40,11 @@ Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
 
 When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, or `bunx` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. If any malware is detected, it will prompt you to exit the command.
 
+You can check the installed version by running:
+```shell
+safe-chain --version
+```
+
 ## How it works
 
 The Aikido Safe Chain works by running a lightweight proxy server that intercepts package downloads from the npm registry. When you run npm, npx, yarn, pnpm, pnpx, bun, or bunx commands, all package downloads are routed through this local proxy, which verifies packages in real-time against **[Aikido Intel - Open Sources Threat Intelligence](https://intel.aikido.dev/?tab=malware)**. If malware is detected in any package (including deep dependencies), the proxy blocks the download before the malicious code reaches your machine.

package/bin/aikido-npm.js

@@ -1,21 +1,10 @@
 #!/usr/bin/env node
 
-import { execSync } from "child_process";
 import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 
 const packageManagerName = "npm";
-initializePackageManager(packageManagerName, getNpmVersion());
+initializePackageManager(packageManagerName);
 var exitCode = await main(process.argv.slice(2));
 
 process.exit(exitCode);
-
-function getNpmVersion() {
-  try {
-    return execSync("npm --version").toString().trim();
-  } catch {
-    // Default to 0.0.0 if npm is not found
-    // That way we don't use any unsupported features
-    return "0.0.0";
-  }
-}

package/bin/aikido-npx.js

@@ -4,7 +4,7 @@ import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 
 const packageManagerName = "npx";
-initializePackageManager(packageManagerName, process.versions.node);
+initializePackageManager(packageManagerName);
 var exitCode = await main(process.argv.slice(2));
 
 process.exit(exitCode);

package/bin/aikido-pnpm.js

@@ -4,7 +4,7 @@ import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 
 const packageManagerName = "pnpm";
-initializePackageManager(packageManagerName, process.versions.node);
+initializePackageManager(packageManagerName);
 var exitCode = await main(process.argv.slice(2));
 
 process.exit(exitCode);

package/bin/aikido-pnpx.js

@@ -4,7 +4,7 @@ import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 
 const packageManagerName = "pnpx";
-initializePackageManager(packageManagerName, process.versions.node);
+initializePackageManager(packageManagerName);
 var exitCode = await main(process.argv.slice(2));
 
 process.exit(exitCode);

package/bin/aikido-yarn.js

@@ -4,7 +4,7 @@ import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 
 const packageManagerName = "yarn";
-initializePackageManager(packageManagerName, process.versions.node);
+initializePackageManager(packageManagerName);
 var exitCode = await main(process.argv.slice(2));
 
 process.exit(exitCode);

package/bin/safe-chain.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 
 import chalk from "chalk";
+import { createRequire } from "module";
 import { ui } from "../src/environment/userInteraction.js";
 import { setup } from "../src/shell-integration/setup.js";
 import { teardown } from "../src/shell-integration/teardown.js";
@@ -26,6 +27,8 @@ if (command === "setup") {
   teardown();
 } else if (command === "setup-ci") {
   setupCi();
+} else if (command === "--version" || command === "-v" || command === "-v") {
+  ui.writeInformation(`Current safe-chain version: ${getVersion()}`);
 } else {
   ui.writeError(`Unknown command: ${command}.`);
   ui.emptyLine();
@@ -43,13 +46,15 @@ function writeHelp() {
   ui.writeInformation(
     `Available commands: ${chalk.cyan("setup")}, ${chalk.cyan(
       "teardown"
-    )}, ${chalk.cyan("help")}`
+    )}, ${chalk.cyan("setup-ci")}, ${chalk.cyan("help")}, ${chalk.cyan(
+      "--version"
+    )}`
   );
   ui.emptyLine();
   ui.writeInformation(
     `- ${chalk.cyan(
       "safe-chain setup"
-    )}: This will setup your shell to wrap safe-chain around npm, npx, yarn, pnpm and pnpx.`
+    )}: This will setup your shell to wrap safe-chain around npm, npx, yarn, pnpm, pnpx, bun and bunx.`
   );
   ui.writeInformation(
     `- ${chalk.cyan(
@@ -61,5 +66,16 @@ function writeHelp() {
       "safe-chain setup-ci"
     )}: This will setup safe-chain for CI environments by creating shims and modifying the PATH.`
   );
+  ui.writeInformation(
+    `- ${chalk.cyan(
+      "safe-chain --version"
+    )} (or ${chalk.cyan("-v")}): Display the current version of safe-chain.`
+  );
   ui.emptyLine();
 }
+
+function getVersion() {
+  const require = createRequire(import.meta.url);
+  const packageJson = require("../package.json");
+  return packageJson.version;
+}

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.1.3",
+  "version": "1.1.5",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
-    "lint": "eslint ."
+    "lint": "oxlint --deny-warnings"
   },
   "bin": {
     "aikido-npm": "bin/aikido-npm.js",
@@ -30,7 +30,6 @@
   "license": "AGPL-3.0-or-later",
   "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [bun](https://bun.sh/), and [bunx](https://bun.sh/docs/cli/bunx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, bun, or bunx from downloading or running the malware.",
   "dependencies": {
-    "abbrev": "3.0.1",
     "chalk": "5.4.1",
     "https-proxy-agent": "7.0.6",
     "make-fetch-happen": "14.0.3",

package/src/environment/userInteraction.js

@@ -1,3 +1,4 @@
+// oxlint-disable no-console
 import chalk from "chalk";
 import ora from "ora";
 import { createInterface } from "readline";

package/src/packagemanager/currentPackageManager.js

@@ -14,9 +14,9 @@ const state = {
   packageManagerName: null,
 };
 
-export function initializePackageManager(packageManagerName, version) {
+export function initializePackageManager(packageManagerName) {
   if (packageManagerName === "npm") {
-    state.packageManagerName = createNpmPackageManager(version);
+    state.packageManagerName = createNpmPackageManager();
   } else if (packageManagerName === "npx") {
     state.packageManagerName = createNpxPackageManager();
   } else if (packageManagerName === "yarn") {

package/src/packagemanager/npm/createPackageManager.js

@@ -1,34 +1,27 @@
 import { commandArgumentScanner } from "./dependencyScanner/commandArgumentScanner.js";
-import { dryRunScanner } from "./dependencyScanner/dryRunScanner.js";
 import { nullScanner } from "./dependencyScanner/nullScanner.js";
 import { runNpm } from "./runNpmCommand.js";
 import {
   getNpmCommandForArgs,
   npmInstallCommand,
-  npmCiCommand,
-  npmInstallTestCommand,
-  npmInstallCiTestCommand,
   npmUpdateCommand,
-  npmAuditCommand,
   npmExecCommand,
 } from "./utils/npmCommands.js";
 
-export function createNpmPackageManager(version) {
-  // From npm v10.4.0 onwards, the npm commands output detailed information
-  // when using the --dry-run flag.
-  // We use that information to scan for dependency changes.
-  // For older versions of npm we have to rely on parsing the command arguments.
-  const supportedScanners = isPriorToNpm10_4(version)
-    ? npm10_3AndBelowSupportedScanners
-    : npm10_4AndAboveSupportedScanners;
-
+export function createNpmPackageManager() {
   function isSupportedCommand(args) {
-    const scanner = findDependencyScannerForCommand(supportedScanners, args);
+    const scanner = findDependencyScannerForCommand(
+      commandScannerMapping,
+      args
+    );
     return scanner.shouldScan(args);
   }
 
   function getDependencyUpdatesForCommand(args) {
-    const scanner = findDependencyScannerForCommand(supportedScanners, args);
+    const scanner = findDependencyScannerForCommand(
+      commandScannerMapping,
+      args
+    );
     return scanner.scan(args);
   }
 
@@ -39,40 +32,12 @@ export function createNpmPackageManager(version) {
   };
 }
 
-const npm10_4AndAboveSupportedScanners = {
-  [npmInstallCommand]: dryRunScanner(),
-  [npmUpdateCommand]: dryRunScanner(),
-  [npmCiCommand]: dryRunScanner(),
-  [npmAuditCommand]: dryRunScanner({
-    skipScanWhen: (args) => !args.includes("fix"),
-  }),
-  [npmExecCommand]: commandArgumentScanner({ ignoreDryRun: true }), // exec command doesn't support dry-run
-
-  // Running dry-run on install-test and install-ci-test will install & run tests.
-  // We only want to know if there are changes in the dependencies.
-  // So we run change the dry-run command to only check the install.
-  [npmInstallTestCommand]: dryRunScanner({ dryRunCommand: npmInstallCommand }),
-  [npmInstallCiTestCommand]: dryRunScanner({ dryRunCommand: npmCiCommand }),
-};
-
-const npm10_3AndBelowSupportedScanners = {
+const commandScannerMapping = {
   [npmInstallCommand]: commandArgumentScanner(),
   [npmUpdateCommand]: commandArgumentScanner(),
   [npmExecCommand]: commandArgumentScanner({ ignoreDryRun: true }), // exec command doesn't support dry-run
 };
 
-function isPriorToNpm10_4(version) {
-  try {
-    const [major, minor] = version.split(".").map(Number);
-    if (major < 10) return true;
-    if (major === 10 && minor < 4) return true;
-    return false;
-  } catch {
-    // Default to true: if version parsing fails, assume it's an older version
-    return true;
-  }
-}
-
 function findDependencyScannerForCommand(scanners, args) {
   const command = getNpmCommandForArgs(args);
   if (!command) {

package/src/packagemanager/npm/utils/abbrevs-generated.js

@@ -0,0 +1,358 @@
+// This was ran with the abbrev package to generate the abbrevs object below
+// console.log(abbrev(commands.concat(Object.keys(aliases))));
+export const abbrevs = {
+  ac: "access",
+  acc: "access",
+  acce: "access",
+  acces: "access",
+  access: "access",
+  add: "add",
+  "add-": "add-user",
+  "add-u": "add-user",
+  "add-us": "add-user",
+  "add-use": "add-user",
+  "add-user": "add-user",
+  addu: "adduser",
+  addus: "adduser",
+  adduse: "adduser",
+  adduser: "adduser",
+  aud: "audit",
+  audi: "audit",
+  audit: "audit",
+  aut: "author",
+  auth: "author",
+  autho: "author",
+  author: "author",
+  b: "bugs",
+  bu: "bugs",
+  bug: "bugs",
+  bugs: "bugs",
+  c: "c",
+  ca: "cache",
+  cac: "cache",
+  cach: "cache",
+  cache: "cache",
+  ci: "ci",
+  cit: "cit",
+  "clean-install": "clean-install",
+  "clean-install-": "clean-install-test",
+  "clean-install-t": "clean-install-test",
+  "clean-install-te": "clean-install-test",
+  "clean-install-tes": "clean-install-test",
+  "clean-install-test": "clean-install-test",
+  com: "completion",
+  comp: "completion",
+  compl: "completion",
+  comple: "completion",
+  complet: "completion",
+  completi: "completion",
+  completio: "completion",
+  completion: "completion",
+  con: "config",
+  conf: "config",
+  confi: "config",
+  config: "config",
+  cr: "create",
+  cre: "create",
+  crea: "create",
+  creat: "create",
+  create: "create",
+  dd: "ddp",
+  ddp: "ddp",
+  ded: "dedupe",
+  dedu: "dedupe",
+  dedup: "dedupe",
+  dedupe: "dedupe",
+  dep: "deprecate",
+  depr: "deprecate",
+  depre: "deprecate",
+  deprec: "deprecate",
+  depreca: "deprecate",
+  deprecat: "deprecate",
+  deprecate: "deprecate",
+  dif: "diff",
+  diff: "diff",
+  "dist-tag": "dist-tag",
+  "dist-tags": "dist-tags",
+  docs: "docs",
+  doct: "doctor",
+  docto: "doctor",
+  doctor: "doctor",
+  ed: "edit",
+  edi: "edit",
+  edit: "edit",
+  exe: "exec",
+  exec: "exec",
+  expla: "explain",
+  explai: "explain",
+  explain: "explain",
+  explo: "explore",
+  explor: "explore",
+  explore: "explore",
+  find: "find",
+  "find-": "find-dupes",
+  "find-d": "find-dupes",
+  "find-du": "find-dupes",
+  "find-dup": "find-dupes",
+  "find-dupe": "find-dupes",
+  "find-dupes": "find-dupes",
+  fu: "fund",
+  fun: "fund",
+  fund: "fund",
+  g: "get",
+  ge: "get",
+  get: "get",
+  help: "help",
+  "help-": "help-search",
+  "help-s": "help-search",
+  "help-se": "help-search",
+  "help-sea": "help-search",
+  "help-sear": "help-search",
+  "help-searc": "help-search",
+  "help-search": "help-search",
+  hl: "hlep",
+  hle: "hlep",
+  hlep: "hlep",
+  ho: "home",
+  hom: "home",
+  home: "home",
+  i: "i",
+  ic: "ic",
+  in: "in",
+  inf: "info",
+  info: "info",
+  ini: "init",
+  init: "init",
+  inn: "innit",
+  inni: "innit",
+  innit: "innit",
+  ins: "ins",
+  inst: "inst",
+  insta: "insta",
+  instal: "instal",
+  install: "install",
+  "install-ci": "install-ci-test",
+  "install-ci-": "install-ci-test",
+  "install-ci-t": "install-ci-test",
+  "install-ci-te": "install-ci-test",
+  "install-ci-tes": "install-ci-test",
+  "install-ci-test": "install-ci-test",
+  "install-cl": "install-clean",
+  "install-cle": "install-clean",
+  "install-clea": "install-clean",
+  "install-clean": "install-clean",
+  "install-t": "install-test",
+  "install-te": "install-test",
+  "install-tes": "install-test",
+  "install-test": "install-test",
+  isnt: "isnt",
+  isnta: "isnta",
+  isntal: "isntal",
+  isntall: "isntall",
+  "isntall-": "isntall-clean",
+  "isntall-c": "isntall-clean",
+  "isntall-cl": "isntall-clean",
+  "isntall-cle": "isntall-clean",
+  "isntall-clea": "isntall-clean",
+  "isntall-clean": "isntall-clean",
+  iss: "issues",
+  issu: "issues",
+  issue: "issues",
+  issues: "issues",
+  it: "it",
+  la: "la",
+  lin: "link",
+  link: "link",
+  lis: "list",
+  list: "list",
+  ll: "ll",
+  ln: "ln",
+  logi: "login",
+  login: "login",
+  logo: "logout",
+  logou: "logout",
+  logout: "logout",
+  ls: "ls",
+  og: "ogr",
+  ogr: "ogr",
+  or: "org",
+  org: "org",
+  ou: "outdated",
+  out: "outdated",
+  outd: "outdated",
+  outda: "outdated",
+  outdat: "outdated",
+  outdate: "outdated",
+  outdated: "outdated",
+  ow: "owner",
+  own: "owner",
+  owne: "owner",
+  owner: "owner",
+  pa: "pack",
+  pac: "pack",
+  pack: "pack",
+  pi: "ping",
+  pin: "ping",
+  ping: "ping",
+  pk: "pkg",
+  pkg: "pkg",
+  pre: "prefix",
+  pref: "prefix",
+  prefi: "prefix",
+  prefix: "prefix",
+  pro: "profile",
+  prof: "profile",
+  profi: "profile",
+  profil: "profile",
+  profile: "profile",
+  pru: "prune",
+  prun: "prune",
+  prune: "prune",
+  pu: "publish",
+  pub: "publish",
+  publ: "publish",
+  publi: "publish",
+  publis: "publish",
+  publish: "publish",
+  q: "query",
+  qu: "query",
+  que: "query",
+  quer: "query",
+  query: "query",
+  r: "r",
+  rb: "rb",
+  reb: "rebuild",
+  rebu: "rebuild",
+  rebui: "rebuild",
+  rebuil: "rebuild",
+  rebuild: "rebuild",
+  rem: "remove",
+  remo: "remove",
+  remov: "remove",
+  remove: "remove",
+  rep: "repo",
+  repo: "repo",
+  res: "restart",
+  rest: "restart",
+  resta: "restart",
+  restar: "restart",
+  restart: "restart",
+  rm: "rm",
+  ro: "root",
+  roo: "root",
+  root: "root",
+  rum: "rum",
+  run: "run",
+  "run-": "run-script",
+  "run-s": "run-script",
+  "run-sc": "run-script",
+  "run-scr": "run-script",
+  "run-scri": "run-script",
+  "run-scrip": "run-script",
+  "run-script": "run-script",
+  s: "s",
+  sb: "sbom",
+  sbo: "sbom",
+  sbom: "sbom",
+  se: "se",
+  sea: "search",
+  sear: "search",
+  searc: "search",
+  search: "search",
+  set: "set",
+  sho: "show",
+  show: "show",
+  shr: "shrinkwrap",
+  shri: "shrinkwrap",
+  shrin: "shrinkwrap",
+  shrink: "shrinkwrap",
+  shrinkw: "shrinkwrap",
+  shrinkwr: "shrinkwrap",
+  shrinkwra: "shrinkwrap",
+  shrinkwrap: "shrinkwrap",
+  si: "sit",
+  sit: "sit",
+  star: "star",
+  stars: "stars",
+  start: "start",
+  sto: "stop",
+  stop: "stop",
+  t: "t",
+  tea: "team",
+  team: "team",
+  tes: "test",
+  test: "test",
+  to: "token",
+  tok: "token",
+  toke: "token",
+  token: "token",
+  ts: "tst",
+  tst: "tst",
+  ud: "udpate",
+  udp: "udpate",
+  udpa: "udpate",
+  udpat: "udpate",
+  udpate: "udpate",
+  un: "un",
+  und: "undeprecate",
+  unde: "undeprecate",
+  undep: "undeprecate",
+  undepr: "undeprecate",
+  undepre: "undeprecate",
+  undeprec: "undeprecate",
+  undepreca: "undeprecate",
+  undeprecat: "undeprecate",
+  undeprecate: "undeprecate",
+  uni: "uninstall",
+  unin: "uninstall",
+  unins: "uninstall",
+  uninst: "uninstall",
+  uninsta: "uninstall",
+  uninstal: "uninstall",
+  uninstall: "uninstall",
+  unl: "unlink",
+  unli: "unlink",
+  unlin: "unlink",
+  unlink: "unlink",
+  unp: "unpublish",
+  unpu: "unpublish",
+  unpub: "unpublish",
+  unpubl: "unpublish",
+  unpubli: "unpublish",
+  unpublis: "unpublish",
+  unpublish: "unpublish",
+  uns: "unstar",
+  unst: "unstar",
+  unsta: "unstar",
+  unstar: "unstar",
+  up: "up",
+  upd: "update",
+  upda: "update",
+  updat: "update",
+  update: "update",
+  upg: "upgrade",
+  upgr: "upgrade",
+  upgra: "upgrade",
+  upgrad: "upgrade",
+  upgrade: "upgrade",
+  ur: "urn",
+  urn: "urn",
+  v: "v",
+  veri: "verison",
+  veris: "verison",
+  veriso: "verison",
+  verison: "verison",
+  vers: "version",
+  versi: "version",
+  versio: "version",
+  version: "version",
+  vi: "view",
+  vie: "view",
+  view: "view",
+  who: "whoami",
+  whoa: "whoami",
+  whoam: "whoami",
+  whoami: "whoami",
+  why: "why",
+  x: "x",
+};

package/src/packagemanager/npm/utils/cmd-list.js

@@ -1,6 +1,6 @@
 // Based on https://github.com/npm/cli/blob/latest/lib/utils/cmd-list.js
 
-import abbrev from "abbrev";
+import { abbrevs } from "./abbrevs-generated.js";
 
 const commands = [
   "access",
@@ -158,8 +158,6 @@ export function deref(c) {
     return aliases[c];
   }
 
-  const abbrevs = abbrev(commands.concat(Object.keys(aliases)));
-
   // first deref the abbrev, if there is one
   // then resolve any aliases
   // so `npm install-cl` will resolve to `install-clean` then to `ci`

package/src/registryProxy/mitmRequestHandler.js

@@ -5,6 +5,12 @@ import { HttpsProxyAgent } from "https-proxy-agent";
 export function mitmConnect(req, clientSocket, isAllowed) {
   const { hostname } = new URL(`http://${req.url}`);
 
+  clientSocket.on("error", () => {
+    // NO-OP
+    // This can happen if the client TCP socket sends RST instead of FIN.
+    // Not subscribing to 'close' event will cause node to throw and crash.
+  });
+
   const server = createHttpsServer(hostname, isAllowed);
 
   // Establish the connection

package/src/registryProxy/plainHttpProxy.js

@@ -0,0 +1,69 @@
+import * as http from "http";
+import * as https from "https";
+
+export function handleHttpProxyRequest(req, res) {
+  const url = new URL(req.url);
+
+  // The protocol for the plainHttpProxy should usually only be http:
+  // but when the client for some reason sends an https: request directly
+  // instead of using the CONNECT method, we should handle it gracefully.
+  let protocol;
+  if (url.protocol === "http:") {
+    protocol = http;
+  } else if (url.protocol === "https:") {
+    protocol = https;
+  } else {
+    res.writeHead(502);
+    res.end(`Bad Gateway: Unsupported protocol ${url.protocol}`);
+    return;
+  }
+
+  const proxyRequest = protocol
+    .request(
+      req.url,
+      { method: req.method, headers: req.headers },
+      (proxyRes) => {
+        res.writeHead(proxyRes.statusCode, proxyRes.headers);
+        proxyRes.pipe(res);
+
+        proxyRes.on("error", () => {
+          // Proxy response stream error
+          // Clean up client response stream
+          if (res.writable) {
+            res.end();
+          }
+        });
+
+        proxyRes.on("close", () => {
+          // Clean up if the proxy response stream closes
+          if (res.writable) {
+            res.end();
+          }
+        });
+      }
+    )
+    .on("error", (err) => {
+      res.writeHead(502);
+      res.end(`Bad Gateway: ${err.message}`);
+    });
+
+  req.on("error", () => {
+    // Client request stream error
+    // Abort the proxy request
+    proxyRequest.destroy();
+  });
+
+  res.on("error", () => {
+    // Client response stream error (client disconnected)
+    // Clean up proxy streams
+    proxyRequest.destroy();
+  });
+
+  res.on("close", () => {
+    // Client disconnected
+    // Abort the proxy request to avoid unnecessary work
+    proxyRequest.destroy();
+  });
+
+  req.pipe(proxyRequest);
+}

package/src/registryProxy/registryProxy.js

@@ -1,6 +1,7 @@
 import * as http from "http";
 import { tunnelRequest } from "./tunnelRequestHandler.js";
 import { mitmConnect } from "./mitmRequestHandler.js";
+import { handleHttpProxyRequest } from "./plainHttpProxy.js";
 import { getCaCertPath } from "./certUtils.js";
 import { auditChanges } from "../scanning/audit/index.js";
 import { knownRegistries, parsePackageFromUrl } from "./parsePackageFromUrl.js";
@@ -15,7 +16,6 @@ const state = {
 
 export function createSafeChainProxy() {
   const server = createProxyServer();
-  server.on("connect", handleConnect);
 
   return {
     startServer: () => startServer(server),
@@ -54,13 +54,15 @@ export function mergeSafeChainProxyEnvironmentVariables(env) {
 }
 
 function createProxyServer() {
-  const server = http.createServer((_, res) => {
-    res.writeHead(400, "Bad Request");
-    res.write(
-      "Safe-chain proxy: Direct http not supported. Only CONNECT requests are allowed."
-    );
-    res.end();
-  });
+  const server = http.createServer(
+    // This handles direct HTTP requests (non-CONNECT requests)
+    // This is normally http-only traffic, but we also handle
+    // https for clients that don't properly use CONNECT
+    handleHttpProxyRequest
+  );
+
+  // This handles HTTPS requests via the CONNECT method
+  server.on("connect", handleConnect);
 
   return server;
 }

package/src/registryProxy/tunnelRequestHandler.js

@@ -24,6 +24,12 @@ export function tunnelRequest(req, clientSocket, head) {
 function tunnelRequestToDestination(req, clientSocket, head) {
   const { port, hostname } = new URL(`http://${req.url}`);
 
+  clientSocket.on("error", () => {
+    // NO-OP
+    // This can happen if the client TCP socket sends RST instead of FIN.
+    // Not subscribing to 'close' event will cause node to throw and crash.
+  });
+
   const serverSocket = net.connect(port || 443, hostname, () => {
     clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
     serverSocket.write(head);

package/src/utils/safeSpawn.js

@@ -1,4 +1,4 @@
-import { spawnSync, spawn } from "child_process";
+import { spawn } from "child_process";
 
 function escapeArg(arg) {
   // If argument contains spaces or quotes, wrap in double quotes and escape double quotes
@@ -13,11 +13,6 @@ function buildCommand(command, args) {
   return `${command} ${escapedArgs.join(" ")}`;
 }
 
-export function safeSpawnSync(command, args, options = {}) {
-  const fullCommand = buildCommand(command, args);
-  return spawnSync(fullCommand, { ...options, shell: true });
-}
-
 export async function safeSpawn(command, args, options = {}) {
   const fullCommand = buildCommand(command, args);
   return new Promise((resolve, reject) => {

package/src/packagemanager/npm/dependencyScanner/dryRunScanner.js

@@ -1,67 +0,0 @@
-import { parseDryRunOutput } from "../parsing/parseNpmInstallDryRunOutput.js";
-import { dryRunNpmCommandAndOutput } from "../runNpmCommand.js";
-import { hasDryRunArg } from "../utils/npmCommands.js";
-
-export function dryRunScanner(scannerOptions) {
-  return {
-    scan: (args) => scanDependencies(scannerOptions, args),
-    shouldScan: (args) => shouldScanDependencies(scannerOptions, args),
-  };
-}
-
-function scanDependencies(scannerOptions, args) {
-  let dryRunArgs = args;
-
-  if (scannerOptions?.dryRunCommand) {
-    // Replace the first argument with the dryRunCommand (eg: "install" instead of "install-test")
-    dryRunArgs = [scannerOptions.dryRunCommand, ...args.slice(1)];
-  }
-
-  return checkChangesWithDryRun(dryRunArgs);
-}
-
-function shouldScanDependencies(scannerOptions, args) {
-  if (hasDryRunArg(args)) {
-    return false;
-  }
-
-  if (scannerOptions?.skipScanWhen && scannerOptions.skipScanWhen(args)) {
-    return false;
-  }
-
-  return true;
-}
-
-async function checkChangesWithDryRun(args) {
-  const dryRunOutput = await dryRunNpmCommandAndOutput(args);
-
-  // Dry-run can return a non-zero status code in some cases
-  //  e.g., when running "npm audit fix --dry-run", it returns exit code 1
-  //  when there are vulnerabilities that can be fixed.
-  if (dryRunOutput.status !== 0 && !canCommandReturnNonZeroOnSuccess(args)) {
-    throw new Error(
-      `Dry-run command failed with exit code ${dryRunOutput.status} and output:\n${dryRunOutput.output}`
-    );
-  }
-
-  if (dryRunOutput.status !== 0 && !dryRunOutput.output) {
-    throw new Error(
-      `Dry-run command failed with exit code ${dryRunOutput.status} and produced no output.`
-    );
-  }
-
-  const parsedOutput = parseDryRunOutput(dryRunOutput.output);
-
-  // reverse the array to have the top-level packages first
-  return parsedOutput.reverse();
-}
-
-function canCommandReturnNonZeroOnSuccess(args) {
-  if (args.length < 2) {
-    return false;
-  }
-
-  // `npm audit fix --dry-run` can return exit code 1 when it succesfully ran and
-  // there were vulnerabilities that could be fixed
-  return args[0] === "audit" && args[1] === "fix";
-}

package/src/packagemanager/npm/parsing/parseNpmInstallDryRunOutput.js

@@ -1,57 +0,0 @@
-export function parseDryRunOutput(output) {
-  const lines = output.split(/\r?\n/);
-  const packageChanges = [];
-
-  for (const line of lines) {
-    if (line.startsWith("add ")) {
-      packageChanges.push(parseAdd(line));
-    } else if (line.startsWith("remove ")) {
-      packageChanges.push(parseRemove(line));
-    } else if (line.startsWith("change ")) {
-      packageChanges.push(parseChange(line));
-    }
-  }
-
-  return packageChanges;
-}
-
-function parseAdd(line) {
-  const splitLine = getLineParts(line);
-  const packageName = splitLine[1];
-  const packageVersion = splitLine[splitLine.length - 1];
-  return addedPackage(packageName, packageVersion);
-}
-
-function addedPackage(name, version) {
-  return { type: "add", name, version };
-}
-
-function parseRemove(line) {
-  const splitLine = getLineParts(line);
-  const packageName = splitLine[1];
-  const packageVersion = splitLine[splitLine.length - 1];
-  return removedPackage(packageName, packageVersion);
-}
-
-function removedPackage(name, version) {
-  return { type: "remove", name, version };
-}
-
-function parseChange(line) {
-  const splitLine = getLineParts(line);
-  const packageName = splitLine[1];
-  const packageVersion = splitLine[splitLine.length - 1];
-  const oldVersion = splitLine[2];
-  return changedPackage(packageName, packageVersion, oldVersion);
-}
-
-function getLineParts(line) {
-  return line
-    .split(" ")
-    .map((part) => part.trim())
-    .filter((part) => part !== "");
-}
-
-function changedPackage(name, version, oldVersion) {
-  return { type: "change", name, version, oldVersion };
-}