@aikidosec/safe-chain 1.1.4 → 1.1.6

package/README.md

@@ -40,6 +40,12 @@ Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
 
 When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, or `bunx` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. If any malware is detected, it will prompt you to exit the command.
 
+You can check the installed version by running:
+
+```shell
+safe-chain --version
+```
+
 ## How it works
 
 The Aikido Safe Chain works by running a lightweight proxy server that intercepts package downloads from the npm registry. When you run npm, npx, yarn, pnpm, pnpx, bun, or bunx commands, all package downloads are routed through this local proxy, which verifies packages in real-time against **[Aikido Intel - Open Sources Threat Intelligence](https://intel.aikido.dev/?tab=malware)**. If malware is detected in any package (including deep dependencies), the proxy blocks the download before the malicious code reaches your machine.
@@ -70,17 +76,16 @@ To uninstall the Aikido Safe Chain, you can run the following command:
 
 # Configuration
 
-## Malware Action
+## Logging
 
-You can control how Aikido Safe Chain responds when malware is detected using the `--safe-chain-malware-action` flag:
+You can control the output from Aikido Safe Chain using the `--safe-chain-logging` flag:
 
-- `--safe-chain-malware-action=block` (**default**) - Automatically blocks installation and exits with an error when malware is detected
-- `--safe-chain-malware-action=prompt` - Prompts the user to decide whether to continue despite the malware detection
+- `--safe-chain-logging=silent` - Suppresses all Aikido Safe Chain output except when malware is blocked. The package manager output is written to stdout as normal, and Safe Chain only writes a short message if it has blocked malware and causes the process to exit.
 
 Example usage:
 
 ```shell
-npm install suspicious-package --safe-chain-malware-action=prompt
+npm install express --safe-chain-logging=silent
 ```
 
 # Usage in CI/CD

package/bin/aikido-npm.js

@@ -1,21 +1,10 @@
 #!/usr/bin/env node
 
-import { execSync } from "child_process";
 import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 
 const packageManagerName = "npm";
-initializePackageManager(packageManagerName, getNpmVersion());
+initializePackageManager(packageManagerName);
 var exitCode = await main(process.argv.slice(2));
 
 process.exit(exitCode);
-
-function getNpmVersion() {
-  try {
-    return execSync("npm --version").toString().trim();
-  } catch {
-    // Default to 0.0.0 if npm is not found
-    // That way we don't use any unsupported features
-    return "0.0.0";
-  }
-}

package/bin/aikido-npx.js

@@ -4,7 +4,7 @@ import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 
 const packageManagerName = "npx";
-initializePackageManager(packageManagerName, process.versions.node);
+initializePackageManager(packageManagerName);
 var exitCode = await main(process.argv.slice(2));
 
 process.exit(exitCode);

package/bin/aikido-pnpm.js

@@ -4,7 +4,7 @@ import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 
 const packageManagerName = "pnpm";
-initializePackageManager(packageManagerName, process.versions.node);
+initializePackageManager(packageManagerName);
 var exitCode = await main(process.argv.slice(2));
 
 process.exit(exitCode);

package/bin/aikido-pnpx.js

@@ -4,7 +4,7 @@ import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 
 const packageManagerName = "pnpx";
-initializePackageManager(packageManagerName, process.versions.node);
+initializePackageManager(packageManagerName);
 var exitCode = await main(process.argv.slice(2));
 
 process.exit(exitCode);

package/bin/aikido-yarn.js

@@ -4,7 +4,7 @@ import { main } from "../src/main.js";
 import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
 
 const packageManagerName = "yarn";
-initializePackageManager(packageManagerName, process.versions.node);
+initializePackageManager(packageManagerName);
 var exitCode = await main(process.argv.slice(2));
 
 process.exit(exitCode);

package/bin/safe-chain.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 
 import chalk from "chalk";
+import { createRequire } from "module";
 import { ui } from "../src/environment/userInteraction.js";
 import { setup } from "../src/shell-integration/setup.js";
 import { teardown } from "../src/shell-integration/teardown.js";
@@ -26,6 +27,8 @@ if (command === "setup") {
   teardown();
 } else if (command === "setup-ci") {
   setupCi();
+} else if (command === "--version" || command === "-v" || command === "-v") {
+  ui.writeInformation(`Current safe-chain version: ${getVersion()}`);
 } else {
   ui.writeError(`Unknown command: ${command}.`);
   ui.emptyLine();
@@ -43,13 +46,15 @@ function writeHelp() {
   ui.writeInformation(
     `Available commands: ${chalk.cyan("setup")}, ${chalk.cyan(
       "teardown"
-    )}, ${chalk.cyan("help")}`
+    )}, ${chalk.cyan("setup-ci")}, ${chalk.cyan("help")}, ${chalk.cyan(
+      "--version"
+    )}`
   );
   ui.emptyLine();
   ui.writeInformation(
     `- ${chalk.cyan(
       "safe-chain setup"
-    )}: This will setup your shell to wrap safe-chain around npm, npx, yarn, pnpm and pnpx.`
+    )}: This will setup your shell to wrap safe-chain around npm, npx, yarn, pnpm, pnpx, bun and bunx.`
   );
   ui.writeInformation(
     `- ${chalk.cyan(
@@ -61,5 +66,16 @@ function writeHelp() {
       "safe-chain setup-ci"
     )}: This will setup safe-chain for CI environments by creating shims and modifying the PATH.`
   );
+  ui.writeInformation(
+    `- ${chalk.cyan(
+      "safe-chain --version"
+    )} (or ${chalk.cyan("-v")}): Display the current version of safe-chain.`
+  );
   ui.emptyLine();
 }
+
+function getVersion() {
+  const require = createRequire(import.meta.url);
+  const packageJson = require("../package.json");
+  return packageJson.version;
+}

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.1.4",
+  "version": "1.1.6",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
-    "lint": "eslint ."
+    "lint": "oxlint --deny-warnings"
   },
   "bin": {
     "aikido-npm": "bin/aikido-npm.js",
@@ -30,7 +30,6 @@
   "license": "AGPL-3.0-or-later",
   "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [bun](https://bun.sh/), and [bunx](https://bun.sh/docs/cli/bunx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, bun, or bunx from downloading or running the malware.",
   "dependencies": {
-    "abbrev": "3.0.1",
     "chalk": "5.4.1",
     "https-proxy-agent": "7.0.6",
     "make-fetch-happen": "14.0.3",

package/src/api/npmApi.js

@@ -25,6 +25,10 @@ export async function resolvePackageVersion(packageName, versionRange) {
     return distTags[versionRange];
   }
 
+  if (!packageInfo.versions) {
+    return null;
+  }
+
   // If the version range is not a dist-tag, we need to resolve the highest version matching the range.
   // This is useful for ranges like "^1.0.0" or "~2.3.4".
   const availableVersions = Object.keys(packageInfo.versions);

package/src/config/cliArguments.js

@@ -1,12 +1,12 @@
 const state = {
-  malwareAction: undefined,
+  loggingLevel: undefined,
 };
 
 const SAFE_CHAIN_ARG_PREFIX = "--safe-chain-";
 
 export function initializeCliArguments(args) {
   // Reset state on each call
-  state.malwareAction = undefined;
+  state.loggingLevel = undefined;
 
   const safeChainArgs = [];
   const remainingArgs = [];
@@ -19,21 +19,11 @@ export function initializeCliArguments(args) {
     }
   }
 
-  setMalwareAction(safeChainArgs);
+  setLoggingLevel(safeChainArgs);
 
   return remainingArgs;
 }
 
-function setMalwareAction(args) {
-  const safeChainMalwareActionArg = SAFE_CHAIN_ARG_PREFIX + "malware-action=";
-
-  const action = getLastArgEqualsValue(args, safeChainMalwareActionArg);
-  if (!action) {
-    return;
-  }
-  state.malwareAction = action.toLowerCase();
-}
-
 function getLastArgEqualsValue(args, prefix) {
   for (var i = args.length - 1; i >= 0; i--) {
     const arg = args[i];
@@ -45,6 +35,16 @@ function getLastArgEqualsValue(args, prefix) {
   return undefined;
 }
 
-export function getMalwareAction() {
-  return state.malwareAction;
+function setLoggingLevel(args) {
+  const safeChainLoggingArg = SAFE_CHAIN_ARG_PREFIX + "logging=";
+
+  const level = getLastArgEqualsValue(args, safeChainLoggingArg);
+  if (!level) {
+    return;
+  }
+  state.loggingLevel = level.toLowerCase();
+}
+
+export function getLoggingLevel() {
+  return state.loggingLevel;
 }

package/src/config/settings.js

@@ -1,14 +1,14 @@
 import * as cliArguments from "./cliArguments.js";
 
-export function getMalwareAction() {
-  const action = cliArguments.getMalwareAction();
+export function getLoggingLevel() {
+  const level = cliArguments.getLoggingLevel();
 
-  if (action === MALWARE_ACTION_PROMPT) {
-    return MALWARE_ACTION_PROMPT;
+  if (level === LOGGING_SILENT) {
+    return LOGGING_SILENT;
   }
 
-  return MALWARE_ACTION_BLOCK;
+  return LOGGING_NORMAL;
 }
 
-export const MALWARE_ACTION_BLOCK = "block";
-export const MALWARE_ACTION_PROMPT = "prompt";
+export const LOGGING_SILENT = "silent";
+export const LOGGING_NORMAL = "normal";

package/src/environment/userInteraction.js

@@ -1,17 +1,28 @@
+// oxlint-disable no-console
 import chalk from "chalk";
 import ora from "ora";
-import { createInterface } from "readline";
 import { isCi } from "./environment.js";
+import { getLoggingLevel, LOGGING_SILENT } from "../config/settings.js";
+
+function isSilentMode() {
+  return getLoggingLevel() === LOGGING_SILENT;
+}
 
 function emptyLine() {
+  if (isSilentMode()) return;
+
   writeInformation("");
 }
 
 function writeInformation(message, ...optionalParams) {
+  if (isSilentMode()) return;
+
   console.log(message, ...optionalParams);
 }
 
 function writeWarning(message, ...optionalParams) {
+  if (isSilentMode()) return;
+
   if (!isCi()) {
     message = chalk.yellow(message);
   }
@@ -25,7 +36,24 @@ function writeError(message, ...optionalParams) {
   console.error(message, ...optionalParams);
 }
 
+function writeExitWithoutInstallingMaliciousPackages() {
+  let message = "Safe-chain: Exiting without installing malicious packages.";
+  if (!isCi()) {
+    message = chalk.red(message);
+  }
+  console.error(message);
+}
+
 function startProcess(message) {
+  if (isSilentMode()) {
+    return {
+      succeed: () => {},
+      fail: () => {},
+      stop: () => {},
+      setText: () => {},
+    };
+  }
+
   if (isCi()) {
     return {
       succeed: (message) => {
@@ -58,39 +86,11 @@ function startProcess(message) {
   }
 }
 
-async function confirm(config) {
-  if (isCi()) {
-    return Promise.resolve(config.default);
-  }
-
-  const rl = createInterface({
-    input: process.stdin,
-    output: process.stdout,
-  });
-
-  return new Promise((resolve) => {
-    const defaultText = config.default ? " (Y/n)" : " (y/N)";
-    rl.question(`${config.message}${defaultText} `, (answer) => {
-      rl.close();
-
-      const normalizedAnswer = answer.trim().toLowerCase();
-
-      if (normalizedAnswer === "y" || normalizedAnswer === "yes") {
-        resolve(true);
-      } else if (normalizedAnswer === "n" || normalizedAnswer === "no") {
-        resolve(false);
-      } else {
-        resolve(config.default);
-      }
-    });
-  });
-}
-
 export const ui = {
   writeInformation,
   writeWarning,
   writeError,
+  writeExitWithoutInstallingMaliciousPackages,
   emptyLine,
   startProcess,
-  confirm,
 };

package/src/packagemanager/currentPackageManager.js

@@ -14,9 +14,9 @@ const state = {
   packageManagerName: null,
 };
 
-export function initializePackageManager(packageManagerName, version) {
+export function initializePackageManager(packageManagerName) {
   if (packageManagerName === "npm") {
-    state.packageManagerName = createNpmPackageManager(version);
+    state.packageManagerName = createNpmPackageManager();
   } else if (packageManagerName === "npx") {
     state.packageManagerName = createNpxPackageManager();
   } else if (packageManagerName === "yarn") {

package/src/packagemanager/npm/createPackageManager.js

@@ -1,34 +1,27 @@
 import { commandArgumentScanner } from "./dependencyScanner/commandArgumentScanner.js";
-import { dryRunScanner } from "./dependencyScanner/dryRunScanner.js";
 import { nullScanner } from "./dependencyScanner/nullScanner.js";
 import { runNpm } from "./runNpmCommand.js";
 import {
   getNpmCommandForArgs,
   npmInstallCommand,
-  npmCiCommand,
-  npmInstallTestCommand,
-  npmInstallCiTestCommand,
   npmUpdateCommand,
-  npmAuditCommand,
   npmExecCommand,
 } from "./utils/npmCommands.js";
 
-export function createNpmPackageManager(version) {
-  // From npm v10.4.0 onwards, the npm commands output detailed information
-  // when using the --dry-run flag.
-  // We use that information to scan for dependency changes.
-  // For older versions of npm we have to rely on parsing the command arguments.
-  const supportedScanners = isPriorToNpm10_4(version)
-    ? npm10_3AndBelowSupportedScanners
-    : npm10_4AndAboveSupportedScanners;
-
+export function createNpmPackageManager() {
   function isSupportedCommand(args) {
-    const scanner = findDependencyScannerForCommand(supportedScanners, args);
+    const scanner = findDependencyScannerForCommand(
+      commandScannerMapping,
+      args
+    );
     return scanner.shouldScan(args);
   }
 
   function getDependencyUpdatesForCommand(args) {
-    const scanner = findDependencyScannerForCommand(supportedScanners, args);
+    const scanner = findDependencyScannerForCommand(
+      commandScannerMapping,
+      args
+    );
     return scanner.scan(args);
   }
 
@@ -39,40 +32,12 @@ export function createNpmPackageManager(version) {
   };
 }
 
-const npm10_4AndAboveSupportedScanners = {
-  [npmInstallCommand]: dryRunScanner(),
-  [npmUpdateCommand]: dryRunScanner(),
-  [npmCiCommand]: dryRunScanner(),
-  [npmAuditCommand]: dryRunScanner({
-    skipScanWhen: (args) => !args.includes("fix"),
-  }),
-  [npmExecCommand]: commandArgumentScanner({ ignoreDryRun: true }), // exec command doesn't support dry-run
-
-  // Running dry-run on install-test and install-ci-test will install & run tests.
-  // We only want to know if there are changes in the dependencies.
-  // So we run change the dry-run command to only check the install.
-  [npmInstallTestCommand]: dryRunScanner({ dryRunCommand: npmInstallCommand }),
-  [npmInstallCiTestCommand]: dryRunScanner({ dryRunCommand: npmCiCommand }),
-};
-
-const npm10_3AndBelowSupportedScanners = {
+const commandScannerMapping = {
   [npmInstallCommand]: commandArgumentScanner(),
   [npmUpdateCommand]: commandArgumentScanner(),
   [npmExecCommand]: commandArgumentScanner({ ignoreDryRun: true }), // exec command doesn't support dry-run
 };
 
-function isPriorToNpm10_4(version) {
-  try {
-    const [major, minor] = version.split(".").map(Number);
-    if (major < 10) return true;
-    if (major === 10 && minor < 4) return true;
-    return false;
-  } catch {
-    // Default to true: if version parsing fails, assume it's an older version
-    return true;
-  }
-}
-
 function findDependencyScannerForCommand(scanners, args) {
   const command = getNpmCommandForArgs(args);
   if (!command) {

package/src/packagemanager/npm/utils/abbrevs-generated.js

@@ -0,0 +1,358 @@
+// This was ran with the abbrev package to generate the abbrevs object below
+// console.log(abbrev(commands.concat(Object.keys(aliases))));
+export const abbrevs = {
+  ac: "access",
+  acc: "access",
+  acce: "access",
+  acces: "access",
+  access: "access",
+  add: "add",
+  "add-": "add-user",
+  "add-u": "add-user",
+  "add-us": "add-user",
+  "add-use": "add-user",
+  "add-user": "add-user",
+  addu: "adduser",
+  addus: "adduser",
+  adduse: "adduser",
+  adduser: "adduser",
+  aud: "audit",
+  audi: "audit",
+  audit: "audit",
+  aut: "author",
+  auth: "author",
+  autho: "author",
+  author: "author",
+  b: "bugs",
+  bu: "bugs",
+  bug: "bugs",
+  bugs: "bugs",
+  c: "c",
+  ca: "cache",
+  cac: "cache",
+  cach: "cache",
+  cache: "cache",
+  ci: "ci",
+  cit: "cit",
+  "clean-install": "clean-install",
+  "clean-install-": "clean-install-test",
+  "clean-install-t": "clean-install-test",
+  "clean-install-te": "clean-install-test",
+  "clean-install-tes": "clean-install-test",
+  "clean-install-test": "clean-install-test",
+  com: "completion",
+  comp: "completion",
+  compl: "completion",
+  comple: "completion",
+  complet: "completion",
+  completi: "completion",
+  completio: "completion",
+  completion: "completion",
+  con: "config",
+  conf: "config",
+  confi: "config",
+  config: "config",
+  cr: "create",
+  cre: "create",
+  crea: "create",
+  creat: "create",
+  create: "create",
+  dd: "ddp",
+  ddp: "ddp",
+  ded: "dedupe",
+  dedu: "dedupe",
+  dedup: "dedupe",
+  dedupe: "dedupe",
+  dep: "deprecate",
+  depr: "deprecate",
+  depre: "deprecate",
+  deprec: "deprecate",
+  depreca: "deprecate",
+  deprecat: "deprecate",
+  deprecate: "deprecate",
+  dif: "diff",
+  diff: "diff",
+  "dist-tag": "dist-tag",
+  "dist-tags": "dist-tags",
+  docs: "docs",
+  doct: "doctor",
+  docto: "doctor",
+  doctor: "doctor",
+  ed: "edit",
+  edi: "edit",
+  edit: "edit",
+  exe: "exec",
+  exec: "exec",
+  expla: "explain",
+  explai: "explain",
+  explain: "explain",
+  explo: "explore",
+  explor: "explore",
+  explore: "explore",
+  find: "find",
+  "find-": "find-dupes",
+  "find-d": "find-dupes",
+  "find-du": "find-dupes",
+  "find-dup": "find-dupes",
+  "find-dupe": "find-dupes",
+  "find-dupes": "find-dupes",
+  fu: "fund",
+  fun: "fund",
+  fund: "fund",
+  g: "get",
+  ge: "get",
+  get: "get",
+  help: "help",
+  "help-": "help-search",
+  "help-s": "help-search",
+  "help-se": "help-search",
+  "help-sea": "help-search",
+  "help-sear": "help-search",
+  "help-searc": "help-search",
+  "help-search": "help-search",
+  hl: "hlep",
+  hle: "hlep",
+  hlep: "hlep",
+  ho: "home",
+  hom: "home",
+  home: "home",
+  i: "i",
+  ic: "ic",
+  in: "in",
+  inf: "info",
+  info: "info",
+  ini: "init",
+  init: "init",
+  inn: "innit",
+  inni: "innit",
+  innit: "innit",
+  ins: "ins",
+  inst: "inst",
+  insta: "insta",
+  instal: "instal",
+  install: "install",
+  "install-ci": "install-ci-test",
+  "install-ci-": "install-ci-test",
+  "install-ci-t": "install-ci-test",
+  "install-ci-te": "install-ci-test",
+  "install-ci-tes": "install-ci-test",
+  "install-ci-test": "install-ci-test",
+  "install-cl": "install-clean",
+  "install-cle": "install-clean",
+  "install-clea": "install-clean",
+  "install-clean": "install-clean",
+  "install-t": "install-test",
+  "install-te": "install-test",
+  "install-tes": "install-test",
+  "install-test": "install-test",
+  isnt: "isnt",
+  isnta: "isnta",
+  isntal: "isntal",
+  isntall: "isntall",
+  "isntall-": "isntall-clean",
+  "isntall-c": "isntall-clean",
+  "isntall-cl": "isntall-clean",
+  "isntall-cle": "isntall-clean",
+  "isntall-clea": "isntall-clean",
+  "isntall-clean": "isntall-clean",
+  iss: "issues",
+  issu: "issues",
+  issue: "issues",
+  issues: "issues",
+  it: "it",
+  la: "la",
+  lin: "link",
+  link: "link",
+  lis: "list",
+  list: "list",
+  ll: "ll",
+  ln: "ln",
+  logi: "login",
+  login: "login",
+  logo: "logout",
+  logou: "logout",
+  logout: "logout",
+  ls: "ls",
+  og: "ogr",
+  ogr: "ogr",
+  or: "org",
+  org: "org",
+  ou: "outdated",
+  out: "outdated",
+  outd: "outdated",
+  outda: "outdated",
+  outdat: "outdated",
+  outdate: "outdated",
+  outdated: "outdated",
+  ow: "owner",
+  own: "owner",
+  owne: "owner",
+  owner: "owner",
+  pa: "pack",
+  pac: "pack",
+  pack: "pack",
+  pi: "ping",
+  pin: "ping",
+  ping: "ping",
+  pk: "pkg",
+  pkg: "pkg",
+  pre: "prefix",
+  pref: "prefix",
+  prefi: "prefix",
+  prefix: "prefix",
+  pro: "profile",
+  prof: "profile",
+  profi: "profile",
+  profil: "profile",
+  profile: "profile",
+  pru: "prune",
+  prun: "prune",
+  prune: "prune",
+  pu: "publish",
+  pub: "publish",
+  publ: "publish",
+  publi: "publish",
+  publis: "publish",
+  publish: "publish",
+  q: "query",
+  qu: "query",
+  que: "query",
+  quer: "query",
+  query: "query",
+  r: "r",
+  rb: "rb",
+  reb: "rebuild",
+  rebu: "rebuild",
+  rebui: "rebuild",
+  rebuil: "rebuild",
+  rebuild: "rebuild",
+  rem: "remove",
+  remo: "remove",
+  remov: "remove",
+  remove: "remove",
+  rep: "repo",
+  repo: "repo",
+  res: "restart",
+  rest: "restart",
+  resta: "restart",
+  restar: "restart",
+  restart: "restart",
+  rm: "rm",
+  ro: "root",
+  roo: "root",
+  root: "root",
+  rum: "rum",
+  run: "run",
+  "run-": "run-script",
+  "run-s": "run-script",
+  "run-sc": "run-script",
+  "run-scr": "run-script",
+  "run-scri": "run-script",
+  "run-scrip": "run-script",
+  "run-script": "run-script",
+  s: "s",
+  sb: "sbom",
+  sbo: "sbom",
+  sbom: "sbom",
+  se: "se",
+  sea: "search",
+  sear: "search",
+  searc: "search",
+  search: "search",
+  set: "set",
+  sho: "show",
+  show: "show",
+  shr: "shrinkwrap",
+  shri: "shrinkwrap",
+  shrin: "shrinkwrap",
+  shrink: "shrinkwrap",
+  shrinkw: "shrinkwrap",
+  shrinkwr: "shrinkwrap",
+  shrinkwra: "shrinkwrap",
+  shrinkwrap: "shrinkwrap",
+  si: "sit",
+  sit: "sit",
+  star: "star",
+  stars: "stars",
+  start: "start",
+  sto: "stop",
+  stop: "stop",
+  t: "t",
+  tea: "team",
+  team: "team",
+  tes: "test",
+  test: "test",
+  to: "token",
+  tok: "token",
+  toke: "token",
+  token: "token",
+  ts: "tst",
+  tst: "tst",
+  ud: "udpate",
+  udp: "udpate",
+  udpa: "udpate",
+  udpat: "udpate",
+  udpate: "udpate",
+  un: "un",
+  und: "undeprecate",
+  unde: "undeprecate",
+  undep: "undeprecate",
+  undepr: "undeprecate",
+  undepre: "undeprecate",
+  undeprec: "undeprecate",
+  undepreca: "undeprecate",
+  undeprecat: "undeprecate",
+  undeprecate: "undeprecate",
+  uni: "uninstall",
+  unin: "uninstall",
+  unins: "uninstall",
+  uninst: "uninstall",
+  uninsta: "uninstall",
+  uninstal: "uninstall",
+  uninstall: "uninstall",
+  unl: "unlink",
+  unli: "unlink",
+  unlin: "unlink",
+  unlink: "unlink",
+  unp: "unpublish",
+  unpu: "unpublish",
+  unpub: "unpublish",
+  unpubl: "unpublish",
+  unpubli: "unpublish",
+  unpublis: "unpublish",
+  unpublish: "unpublish",
+  uns: "unstar",
+  unst: "unstar",
+  unsta: "unstar",
+  unstar: "unstar",
+  up: "up",
+  upd: "update",
+  upda: "update",
+  updat: "update",
+  update: "update",
+  upg: "upgrade",
+  upgr: "upgrade",
+  upgra: "upgrade",
+  upgrad: "upgrade",
+  upgrade: "upgrade",
+  ur: "urn",
+  urn: "urn",
+  v: "v",
+  veri: "verison",
+  veris: "verison",
+  veriso: "verison",
+  verison: "verison",
+  vers: "version",
+  versi: "version",
+  versio: "version",
+  version: "version",
+  vi: "view",
+  vie: "view",
+  view: "view",
+  who: "whoami",
+  whoa: "whoami",
+  whoam: "whoami",
+  whoami: "whoami",
+  why: "why",
+  x: "x",
+};

package/src/packagemanager/npm/utils/cmd-list.js

@@ -1,6 +1,6 @@
 // Based on https://github.com/npm/cli/blob/latest/lib/utils/cmd-list.js
 
-import abbrev from "abbrev";
+import { abbrevs } from "./abbrevs-generated.js";
 
 const commands = [
   "access",
@@ -158,8 +158,6 @@ export function deref(c) {
     return aliases[c];
   }
 
-  const abbrevs = abbrev(commands.concat(Object.keys(aliases)));
-
   // first deref the abbrev, if there is one
   // then resolve any aliases
   // so `npm install-cl` will resolve to `install-clean` then to `ci`

package/src/registryProxy/plainHttpProxy.js

@@ -0,0 +1,69 @@
+import * as http from "http";
+import * as https from "https";
+
+export function handleHttpProxyRequest(req, res) {
+  const url = new URL(req.url);
+
+  // The protocol for the plainHttpProxy should usually only be http:
+  // but when the client for some reason sends an https: request directly
+  // instead of using the CONNECT method, we should handle it gracefully.
+  let protocol;
+  if (url.protocol === "http:") {
+    protocol = http;
+  } else if (url.protocol === "https:") {
+    protocol = https;
+  } else {
+    res.writeHead(502);
+    res.end(`Bad Gateway: Unsupported protocol ${url.protocol}`);
+    return;
+  }
+
+  const proxyRequest = protocol
+    .request(
+      req.url,
+      { method: req.method, headers: req.headers },
+      (proxyRes) => {
+        res.writeHead(proxyRes.statusCode, proxyRes.headers);
+        proxyRes.pipe(res);
+
+        proxyRes.on("error", () => {
+          // Proxy response stream error
+          // Clean up client response stream
+          if (res.writable) {
+            res.end();
+          }
+        });
+
+        proxyRes.on("close", () => {
+          // Clean up if the proxy response stream closes
+          if (res.writable) {
+            res.end();
+          }
+        });
+      }
+    )
+    .on("error", (err) => {
+      res.writeHead(502);
+      res.end(`Bad Gateway: ${err.message}`);
+    });
+
+  req.on("error", () => {
+    // Client request stream error
+    // Abort the proxy request
+    proxyRequest.destroy();
+  });
+
+  res.on("error", () => {
+    // Client response stream error (client disconnected)
+    // Clean up proxy streams
+    proxyRequest.destroy();
+  });
+
+  res.on("close", () => {
+    // Client disconnected
+    // Abort the proxy request to avoid unnecessary work
+    proxyRequest.destroy();
+  });
+
+  req.pipe(proxyRequest);
+}

package/src/registryProxy/registryProxy.js

@@ -1,6 +1,7 @@
 import * as http from "http";
 import { tunnelRequest } from "./tunnelRequestHandler.js";
 import { mitmConnect } from "./mitmRequestHandler.js";
+import { handleHttpProxyRequest } from "./plainHttpProxy.js";
 import { getCaCertPath } from "./certUtils.js";
 import { auditChanges } from "../scanning/audit/index.js";
 import { knownRegistries, parsePackageFromUrl } from "./parsePackageFromUrl.js";
@@ -15,7 +16,6 @@ const state = {
 
 export function createSafeChainProxy() {
   const server = createProxyServer();
-  server.on("connect", handleConnect);
 
   return {
     startServer: () => startServer(server),
@@ -54,13 +54,15 @@ export function mergeSafeChainProxyEnvironmentVariables(env) {
 }
 
 function createProxyServer() {
-  const server = http.createServer((_, res) => {
-    res.writeHead(400, "Bad Request");
-    res.write(
-      "Safe-chain proxy: Direct http not supported. Only CONNECT requests are allowed."
-    );
-    res.end();
-  });
+  const server = http.createServer(
+    // This handles direct HTTP requests (non-CONNECT requests)
+    // This is normally http-only traffic, but we also handle
+    // https for clients that don't properly use CONNECT
+    handleHttpProxyRequest
+  );
+
+  // This handles HTTPS requests via the CONNECT method
+  server.on("connect", handleConnect);
 
   return server;
 }
@@ -151,7 +153,7 @@ function verifyNoMaliciousPackages() {
   }
 
   ui.emptyLine();
-  ui.writeError("Exiting without installing malicious packages.");
+  ui.writeExitWithoutInstallingMaliciousPackages();
   ui.emptyLine();
 
   return false;

package/src/scanning/index.js

@@ -4,7 +4,6 @@ import { setTimeout } from "timers/promises";
 import chalk from "chalk";
 import { getPackageManager } from "../packagemanager/currentPackageManager.js";
 import { ui } from "../environment/userInteraction.js";
-import { getMalwareAction, MALWARE_ACTION_PROMPT } from "../config/settings.js";
 
 export function shouldScanCommand(args) {
   if (!args || args.length === 0) {
@@ -65,7 +64,8 @@ export async function scanCommand(args) {
     return 0;
   } else {
     printMaliciousChanges(audit.disallowedChanges, spinner);
-    return await onMalwareFound();
+    onMalwareFound();
+    return 1;
   }
 }
 
@@ -77,23 +77,8 @@ function printMaliciousChanges(changes, spinner) {
   }
 }
 
-async function onMalwareFound() {
+function onMalwareFound() {
   ui.emptyLine();
-
-  if (getMalwareAction() === MALWARE_ACTION_PROMPT) {
-    const continueInstall = await ui.confirm({
-      message:
-        "Malicious packages were found. Do you want to continue with the installation?",
-      default: false,
-    });
-
-    if (continueInstall) {
-      ui.writeWarning("Continuing with the installation despite the risks...");
-      return 0;
-    }
-  }
-
-  ui.writeError("Exiting without installing malicious packages.");
+  ui.writeExitWithoutInstallingMaliciousPackages();
   ui.emptyLine();
-  return 1;
 }

package/src/utils/safeSpawn.js

@@ -1,27 +1,77 @@
-import { spawnSync, spawn } from "child_process";
+import { spawn, execSync } from "child_process";
+import os from "os";
 
-function escapeArg(arg) {
-  // If argument contains spaces or quotes, wrap in double quotes and escape double quotes
-  if (arg.includes(" ") || arg.includes('"') || arg.includes("'")) {
-    return '"' + arg.replaceAll('"', '\\"') + '"';
+function sanitizeShellArgument(arg) {
+  // If argument contains shell metacharacters, wrap in double quotes
+  // and escape characters that are special even inside double quotes
+  if (hasShellMetaChars(arg)) {
+    // Inside double quotes, we need to escape: " $ ` \
+    return '"' + escapeDoubleQuoteContent(arg) + '"';
   }
   return arg;
 }
 
+function hasShellMetaChars(arg) {
+  // Shell metacharacters that need escaping
+  // These characters have special meaning in shells and need to be quoted
+  // Whenever one of these characters is present, we should quote the argument
+  // Characters: space, ", &, ', |, ;, <, >, (, ), $, `, \, !, *, ?, [, ], {, }, ~, #
+  const shellMetaChars = /[ "&'|;<>()$`\\!*?[\]{}~#]/;
+  return shellMetaChars.test(arg);
+}
+
+function escapeDoubleQuoteContent(arg) {
+  // Escape special characters for shell safety
+  // This escapes ", $, `, and \ by prefixing them with a backslash
+  return arg.replace(/(["`$\\])/g, "\\$1");
+}
+
 function buildCommand(command, args) {
-  const escapedArgs = args.map(escapeArg);
+  if (args.length === 0) {
+    return command;
+  }
+
+  const escapedArgs = args.map(sanitizeShellArgument);
+
   return `${command} ${escapedArgs.join(" ")}`;
 }
 
-export function safeSpawnSync(command, args, options = {}) {
-  const fullCommand = buildCommand(command, args);
-  return spawnSync(fullCommand, { ...options, shell: true });
+function resolveCommandPath(command) {
+  // command will be "npm", "yarn", etc.
+  // Use 'command -v' to find the full path
+  const fullPath = execSync(`command -v ${command}`, {
+    encoding: "utf8",
+    shell: true,
+  }).trim();
+
+  if (!fullPath) {
+    throw new Error(`Command not found: ${command}`);
+  }
+
+  return fullPath;
 }
 
 export async function safeSpawn(command, args, options = {}) {
-  const fullCommand = buildCommand(command, args);
+  // The command is always one of our supported package managers.
+  // It should always be alphanumeric or _ or -
+  // Reject any command names with suspicious characters
+  if (!/^[a-zA-Z0-9_-]+$/.test(command)) {
+    throw new Error(`Invalid command name: ${command}`);
+  }
+
   return new Promise((resolve, reject) => {
-    const child = spawn(fullCommand, { ...options, shell: true });
+    // Windows requires shell: true because .bat and .cmd files are not executable
+    // without a terminal. On Unix/macOS, we resolve the full path first, then use
+    // array args (safer, no escaping needed).
+    // See: https://nodejs.org/api/child_process.html#child_processspawncommand-args-options
+    let child;
+    if (os.platform() === "win32") {
+      const fullCommand = buildCommand(command, args);
+      child = spawn(fullCommand, { ...options, shell: true });
+    } else {
+      const fullPath = resolveCommandPath(command);
+      child = spawn(fullPath, args, options);
+    }
 
     // When stdio is piped, we need to collect the output
     let stdout = "";

package/src/packagemanager/npm/dependencyScanner/dryRunScanner.js

@@ -1,67 +0,0 @@
-import { parseDryRunOutput } from "../parsing/parseNpmInstallDryRunOutput.js";
-import { dryRunNpmCommandAndOutput } from "../runNpmCommand.js";
-import { hasDryRunArg } from "../utils/npmCommands.js";
-
-export function dryRunScanner(scannerOptions) {
-  return {
-    scan: (args) => scanDependencies(scannerOptions, args),
-    shouldScan: (args) => shouldScanDependencies(scannerOptions, args),
-  };
-}
-
-function scanDependencies(scannerOptions, args) {
-  let dryRunArgs = args;
-
-  if (scannerOptions?.dryRunCommand) {
-    // Replace the first argument with the dryRunCommand (eg: "install" instead of "install-test")
-    dryRunArgs = [scannerOptions.dryRunCommand, ...args.slice(1)];
-  }
-
-  return checkChangesWithDryRun(dryRunArgs);
-}
-
-function shouldScanDependencies(scannerOptions, args) {
-  if (hasDryRunArg(args)) {
-    return false;
-  }
-
-  if (scannerOptions?.skipScanWhen && scannerOptions.skipScanWhen(args)) {
-    return false;
-  }
-
-  return true;
-}
-
-async function checkChangesWithDryRun(args) {
-  const dryRunOutput = await dryRunNpmCommandAndOutput(args);
-
-  // Dry-run can return a non-zero status code in some cases
-  //  e.g., when running "npm audit fix --dry-run", it returns exit code 1
-  //  when there are vulnerabilities that can be fixed.
-  if (dryRunOutput.status !== 0 && !canCommandReturnNonZeroOnSuccess(args)) {
-    throw new Error(
-      `Dry-run command failed with exit code ${dryRunOutput.status} and output:\n${dryRunOutput.output}`
-    );
-  }
-
-  if (dryRunOutput.status !== 0 && !dryRunOutput.output) {
-    throw new Error(
-      `Dry-run command failed with exit code ${dryRunOutput.status} and produced no output.`
-    );
-  }
-
-  const parsedOutput = parseDryRunOutput(dryRunOutput.output);
-
-  // reverse the array to have the top-level packages first
-  return parsedOutput.reverse();
-}
-
-function canCommandReturnNonZeroOnSuccess(args) {
-  if (args.length < 2) {
-    return false;
-  }
-
-  // `npm audit fix --dry-run` can return exit code 1 when it succesfully ran and
-  // there were vulnerabilities that could be fixed
-  return args[0] === "audit" && args[1] === "fix";
-}

package/src/packagemanager/npm/parsing/parseNpmInstallDryRunOutput.js

@@ -1,57 +0,0 @@
-export function parseDryRunOutput(output) {
-  const lines = output.split(/\r?\n/);
-  const packageChanges = [];
-
-  for (const line of lines) {
-    if (line.startsWith("add ")) {
-      packageChanges.push(parseAdd(line));
-    } else if (line.startsWith("remove ")) {
-      packageChanges.push(parseRemove(line));
-    } else if (line.startsWith("change ")) {
-      packageChanges.push(parseChange(line));
-    }
-  }
-
-  return packageChanges;
-}
-
-function parseAdd(line) {
-  const splitLine = getLineParts(line);
-  const packageName = splitLine[1];
-  const packageVersion = splitLine[splitLine.length - 1];
-  return addedPackage(packageName, packageVersion);
-}
-
-function addedPackage(name, version) {
-  return { type: "add", name, version };
-}
-
-function parseRemove(line) {
-  const splitLine = getLineParts(line);
-  const packageName = splitLine[1];
-  const packageVersion = splitLine[splitLine.length - 1];
-  return removedPackage(packageName, packageVersion);
-}
-
-function removedPackage(name, version) {
-  return { type: "remove", name, version };
-}
-
-function parseChange(line) {
-  const splitLine = getLineParts(line);
-  const packageName = splitLine[1];
-  const packageVersion = splitLine[splitLine.length - 1];
-  const oldVersion = splitLine[2];
-  return changedPackage(packageName, packageVersion, oldVersion);
-}
-
-function getLineParts(line) {
-  return line
-    .split(" ")
-    .map((part) => part.trim())
-    .filter((part) => part !== "");
-}
-
-function changedPackage(name, version, oldVersion) {
-  return { type: "change", name, version, oldVersion };
-}