@aikidosec/safe-chain 1.1.9 → 1.1.10

package/README.md

@@ -1,20 +1,22 @@
 # Aikido Safe Chain
 
-The Aikido Safe Chain **prevents developers from installing malware** on their workstations while developing in the Javascript ecosystem (through npm, npx, yarn, pnpm, pnpx, bun and bunx). It's **free** to use and does not require any token.
-
-The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [bun](https://bun.sh/), [bunx](https://bun.sh/docs/cli/bunx), and [pip](https://pip.pypa.io/) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, bun, bunx, or pip/pip3 from downloading or running the malware.
+- ✅ **Block malware on developer laptops and CI/CD**
+- ✅ **Supports npm and PyPI** more package managers coming
+- ✅ **Blocks packages newer than 24 hours** without breaking your build
+- ✅ **Tokenless, free, no build data shared**
 
 Aikido Safe Chain works on Node.js version 16 and above and supports the following package managers:
 
-- ✅ **npm**
-- ✅ **npx**
-- ✅ **yarn**
-- ✅ **pnpm**
-- ✅ **pnpx**
-- ✅ **bun**
-- ✅ **bunx**
-- ✅ **pip** (beta)
-- ✅ **pip3** (beta)
+- 📦 **npm**
+- 📦 **npx**
+- 📦 **yarn**
+- 📦 **pnpm**
+- 📦 **pnpx**
+- 📦 **bun**
+- 📦 **bunx**
+- 📦 **pip** (beta)
+- 📦 **pip3** (beta)
+- 📦 **uv** (beta)
 
 # Usage
 
@@ -32,7 +34,7 @@ Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
    safe-chain setup
    ```
 
-   To enable Python (pip/pip3) support (beta), use the `--include-python` flag:
+   To enable Python (pip/pip3/uv) support (beta), use the `--include-python` flag:
 
    ```shell
    safe-chain setup --include-python
@@ -58,7 +60,7 @@ Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
 
    - The output should show that Aikido Safe Chain is blocking the installation of these test packages as they are flagged as malware.
 
-When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, or `pip3` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. It also intercepts Python module invocations for pip when available (e.g., `python -m pip install ...`, `python3 -m pip download ...`). If any malware is detected, it will prompt you to exit the command.
+When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `uv`, `pip`, or `pip3` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. It also intercepts Python module invocations for pip when available (e.g., `python -m pip install ...`, `python3 -m pip download ...`). If any malware is detected, it will prompt you to exit the command.
 
 You can check the installed version by running:
 
@@ -70,17 +72,17 @@ safe-chain --version
 
 ### Malware Blocking
 
-The Aikido Safe Chain works by running a lightweight proxy server that intercepts package downloads from the npm registry and PyPI. When you run npm, npx, yarn, pnpm, pnpx, bun, bunx, `pip`, or `pip3` commands, all package downloads are routed through this local proxy, which verifies packages in real-time against **[Aikido Intel - Open Sources Threat Intelligence](https://intel.aikido.dev/?tab=malware)**. If malware is detected in any package (including deep dependencies), the proxy blocks the download before the malicious code reaches your machine.
+The Aikido Safe Chain works by running a lightweight proxy server that intercepts package downloads from the npm registry and PyPI. When you run npm, npx, yarn, pnpm, pnpx, bun, bunx, uv, `pip`, or `pip3` commands, all package downloads are routed through this local proxy, which verifies packages in real-time against **[Aikido Intel - Open Sources Threat Intelligence](https://intel.aikido.dev/?tab=malware)**. If malware is detected in any package (including deep dependencies), the proxy blocks the download before the malicious code reaches your machine.
 
 ### Minimum package age (npm only)
 
-For npm packages, Safe Chain temporarily suppresses packages published within the last 24 hours until they have been validated against malware. This provides an additional security layer during the critical period when newly published packages are most vulnerable to containing undetected threats. You can bypass this protection for specific installs using the `--safe-chain-skip-minimum-package-age` flag.
+For npm packages, Safe Chain temporarily suppresses packages published within the last 24 hours (by default) until they have been validated against malware. This provides an additional security layer during the critical period when newly published packages are most vulnerable to containing undetected threats. You can configure this threshold or bypass this protection entirely - see the [Minimum Package Age Configuration](#minimum-package-age) section below.
 
-⚠️ This feature **only applies to npm-based package managers** (npm, npx, yarn, pnpm, pnpx, bun, bunx) and does not apply to PyPI/pip.
+⚠️ This feature **only applies to npm-based package managers** (npm, npx, yarn, pnpm, pnpx, bun, bunx) and does not apply to Python package managers (uv, pip, pip3).
 
 ### Shell Integration
 
-The Aikido Safe Chain integrates with your shell to provide a seamless experience when using npm, npx, yarn, pnpm, pnpx, bun, bunx, and pip commands. It sets up aliases for these commands so that they are wrapped by the Aikido Safe Chain commands, which manage the proxy server before executing the original commands. We currently support:
+The Aikido Safe Chain integrates with your shell to provide a seamless experience when using npm, npx, yarn, pnpm, pnpx, bun, bunx, and Python package managers (uv, pip). It sets up aliases for these commands so that they are wrapped by the Aikido Safe Chain commands, which manage the proxy server before executing the original commands. We currently support:
 
 - ✅ **Bash**
 - ✅ **Zsh**
@@ -126,6 +128,35 @@ You can control the output from Aikido Safe Chain using the `--safe-chain-loggin
   npm install express --safe-chain-logging=verbose
   ```
 
+## Minimum Package Age
+
+You can configure how long packages must exist before Safe Chain allows their installation. By default, packages must be at least 24 hours old before they can be installed through npm-based package managers.
+
+### Configuration Options
+
+You can set the minimum package age through multiple sources (in order of priority):
+
+1. **CLI Argument** (highest priority):
+
+   ```shell
+   npm install express --safe-chain-minimum-package-age-hours=48
+   ```
+
+2. **Environment Variable**:
+
+   ```shell
+   export SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS=48
+   npm install express
+   ```
+
+3. **Config File** (`~/.aikido/config.json`):
+
+   ```json
+   {
+     "minimumPackageAgeHours": 48
+   }
+   ```
+
 # Usage in CI/CD
 
 You can protect your CI/CD pipelines from malicious packages by integrating Aikido Safe Chain into your build process. This ensures that any packages installed during your automated builds are checked for malware before installation.
@@ -140,7 +171,7 @@ To use Aikido Safe Chain in CI/CD environments, run the following command after
 safe-chain setup-ci
 ```
 
-To enable Python (pip/pip3) support (beta) in CI/CD, use the `--include-python` flag:
+To enable Python (pip/pip3/uv) support (beta) in CI/CD, use the `--include-python` flag:
 
 ```shell
 safe-chain setup-ci --include-python

package/bin/aikido-uv.js

@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+
+import { main } from "../src/main.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+import { setEcoSystem, ECOSYSTEM_PY } from "../src/config/settings.js";
+
+// Set eco system
+setEcoSystem(ECOSYSTEM_PY);
+
+initializePackageManager("uv");
+
+// Pass through only user-supplied uv args
+var exitCode = await main(process.argv.slice(2));
+process.exit(exitCode);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.1.9",
+  "version": "1.1.10",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
@@ -15,6 +15,7 @@
     "aikido-pnpx": "bin/aikido-pnpx.js",
     "aikido-bun": "bin/aikido-bun.js",
     "aikido-bunx": "bin/aikido-bunx.js",
+    "aikido-uv": "bin/aikido-uv.js",
     "aikido-pip": "bin/aikido-pip.js",
     "aikido-pip3": "bin/aikido-pip3.js",
     "aikido-python": "bin/aikido-python.js",
@@ -33,25 +34,24 @@
   "keywords": [],
   "author": "Aikido Security",
   "license": "AGPL-3.0-or-later",
-  "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [bun](https://bun.sh/), and [bunx](https://bun.sh/docs/cli/bunx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, bun, or bunx from downloading or running the malware.",
+  "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [bun](https://bun.sh/), [bunx](https://bun.sh/docs/cli/bunx), [uv](https://docs.astral.sh/uv/) (Python), and [pip](https://pip.pypa.io/) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, bun, bunx, uv, or pip/pip3 from downloading or running the malware.",
   "dependencies": {
-    "certifi": "^14.5.15",
+    "certifi": "14.5.15",
     "chalk": "5.4.1",
     "https-proxy-agent": "7.0.6",
-    "ini": "^6.0.0",
+    "ini": "6.0.0",
     "make-fetch-happen": "14.0.3",
     "node-forge": "1.3.1",
     "npm-registry-fetch": "18.0.2",
-    "ora": "8.2.0",
     "semver": "7.7.2"
   },
   "devDependencies": {
     "@types/ini": "^4.1.1",
     "@types/make-fetch-happen": "^10.0.4",
     "@types/node": "^18.19.130",
+    "@types/node-forge": "^1.3.14",
     "@types/npm-registry-fetch": "^8.0.9",
     "@types/semver": "^7.7.1",
-    "@types/node-forge": "^1.3.14",
     "typescript": "^5.9.3"
   },
   "main": "src/main.js",

package/src/config/cliArguments.js

@@ -1,9 +1,10 @@
 /**
- * @type {{loggingLevel: string | undefined, skipMinimumPackageAge: boolean | undefined, includePython: boolean}}
+ * @type {{loggingLevel: string | undefined, skipMinimumPackageAge: boolean | undefined, minimumPackageAgeHours: string | undefined, includePython: boolean}}
  */
 const state = {
   loggingLevel: undefined,
   skipMinimumPackageAge: undefined,
+  minimumPackageAgeHours: undefined,
   includePython: false,
 };
 
@@ -17,6 +18,7 @@ export function initializeCliArguments(args) {
   // Reset state on each call
   state.loggingLevel = undefined;
   state.skipMinimumPackageAge = undefined;
+  state.minimumPackageAgeHours = undefined;
 
   const safeChainArgs = [];
   const remainingArgs = [];
@@ -31,6 +33,7 @@ export function initializeCliArguments(args) {
 
   setLoggingLevel(safeChainArgs);
   setSkipMinimumPackageAge(safeChainArgs);
+  setMinimumPackageAgeHours(safeChainArgs);
   setIncludePython(args);
 
   return remainingArgs;
@@ -86,6 +89,26 @@ export function getSkipMinimumPackageAge() {
   return state.skipMinimumPackageAge;
 }
 
+/**
+ * @param {string[]} args
+ * @returns {void}
+ */
+function setMinimumPackageAgeHours(args) {
+  const argName = SAFE_CHAIN_ARG_PREFIX + "minimum-package-age-hours=";
+
+  const value = getLastArgEqualsValue(args, argName);
+  if (value) {
+    state.minimumPackageAgeHours = value;
+  }
+}
+
+/**
+ * @returns {string | undefined}
+ */
+export function getMinimumPackageAgeHours() {
+  return state.minimumPackageAgeHours;
+}
+
 /**
  * @param {string[]} args
  */

package/src/config/configFile.js

@@ -9,7 +9,8 @@ import { getEcoSystem } from "./settings.js";
  *
  * This should be a number, but can be anything because it is user-input.
  * We cannot trust the input and should add the necessary validations.
- * @property {any} scanTimeout
+ * @property {unknown} scanTimeout
+ * @property {unknown} minimumPackageAgeHours
  */
 
 /**
@@ -48,6 +49,35 @@ function validateTimeout(value) {
   return null;
 }
 
+/**
+ * @param {any} value
+ * @returns {number | undefined}
+ */
+function validateMinimumPackageAgeHours(value) {
+  const hours = Number(value);
+  if (!Number.isNaN(hours)) {
+    return hours;
+  }
+  return undefined;
+}
+
+/**
+ * Gets the minimum package age in hours from config file only
+ * @returns {number | undefined}
+ */
+export function getMinimumPackageAgeHours() {
+  const config = readConfigFile();
+  if (config.minimumPackageAgeHours) {
+    const validated = validateMinimumPackageAgeHours(
+      config.minimumPackageAgeHours
+    );
+    if (validated !== undefined) {
+      return validated;
+    }
+  }
+  return undefined;
+}
+
 /**
  * @param {import("../api/aikido.js").MalwarePackage[]} data
  * @param {string | number} version
@@ -111,6 +141,7 @@ function readConfigFile() {
   if (!fs.existsSync(configFilePath)) {
     return {
       scanTimeout: undefined,
+      minimumPackageAgeHours: undefined,
     };
   }
 
@@ -120,6 +151,7 @@ function readConfigFile() {
   } catch {
     return {
       scanTimeout: undefined,
+      minimumPackageAgeHours: undefined,
     };
   }
 }

package/src/config/environmentVariables.js

@@ -0,0 +1,7 @@
+/**
+ * Gets the minimum package age in hours from environment variable
+ * @returns {string | undefined}
+ */
+export function getMinimumPackageAgeHours() {
+  return process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS;
+}

package/src/config/settings.js

@@ -1,4 +1,6 @@
 import * as cliArguments from "./cliArguments.js";
+import * as configFile from "./configFile.js";
+import * as environmentVariables from "./environmentVariables.js";
 
 export const LOGGING_SILENT = "silent";
 export const LOGGING_NORMAL = "normal";
@@ -38,10 +40,54 @@ export function setEcoSystem(setting) {
 }
 
 const defaultMinimumPackageAge = 24;
+/** @returns {number} */
 export function getMinimumPackageAgeHours() {
+  // Priority 1: CLI argument
+  const cliValue = validateMinimumPackageAgeHours(
+    cliArguments.getMinimumPackageAgeHours()
+  );
+  if (cliValue !== undefined) {
+    return cliValue;
+  }
+
+  // Priority 2: Environment variable
+  const envValue = validateMinimumPackageAgeHours(
+    environmentVariables.getMinimumPackageAgeHours()
+  );
+  if (envValue !== undefined) {
+    return envValue;
+  }
+
+  // Priority 3: Config file
+  const configValue = configFile.getMinimumPackageAgeHours();
+  if (configValue !== undefined) {
+    return configValue;
+  }
+
   return defaultMinimumPackageAge;
 }
 
+/**
+ * @param {string | undefined} value
+ * @returns {number | undefined}
+ */
+function validateMinimumPackageAgeHours(value) {
+  if (!value) {
+    return undefined;
+  }
+
+  const numericValue = Number(value);
+  if (Number.isNaN(numericValue)) {
+    return undefined;
+  }
+
+  if (numericValue > 0) {
+    return numericValue;
+  }
+
+  return undefined;
+}
+
 const defaultSkipMinimumPackageAge = false;
 export function skipMinimumPackageAge() {
   const cliValue = cliArguments.getSkipMinimumPackageAge();

package/src/environment/userInteraction.js

@@ -1,6 +1,5 @@
 // oxlint-disable no-console
 import chalk from "chalk";
-import ora from "ora";
 import { isCi } from "./environment.js";
 import {
   getLoggingLevel,
@@ -98,61 +97,6 @@ function writeOrBuffer(messageFunction) {
   }
 }
 
-/**
- * @typedef {Object} Spinner
- * @property {(message: string) => void} succeed
- * @property {(message: string) => void} fail
- * @property {() => void} stop
- * @property {(message: string) => void} setText
- */
-
-/**
- * @param {string} message
- *
- * @returns {Spinner}
- */
-function startProcess(message) {
-  if (isSilentMode()) {
-    return {
-      succeed: () => {},
-      fail: () => {},
-      stop: () => {},
-      setText: () => {},
-    };
-  }
-
-  if (isCi()) {
-    return {
-      succeed: (message) => {
-        writeInformation(message);
-      },
-      fail: (message) => {
-        writeError(message);
-      },
-      stop: () => {},
-      setText: (message) => {
-        writeInformation(message);
-      },
-    };
-  } else {
-    const spinner = ora(message).start();
-    return {
-      succeed: (message) => {
-        spinner.succeed(message);
-      },
-      fail: (message) => {
-        spinner.fail(message);
-      },
-      stop: () => {
-        spinner.stop();
-      },
-      setText: (message) => {
-        spinner.text = message;
-      },
-    };
-  }
-}
-
 function startBufferingLogs() {
   state.bufferOutput = true;
   state.bufferedMessages = [];
@@ -173,7 +117,6 @@ export const ui = {
   writeError,
   writeExitWithoutInstallingMaliciousPackages,
   emptyLine,
-  startProcess,
   startBufferingLogs,
   writeBufferedLogsAndStopBuffering,
 };

package/src/packagemanager/currentPackageManager.js

@@ -10,6 +10,7 @@ import {
 } from "./pnpm/createPackageManager.js";
 import { createYarnPackageManager } from "./yarn/createPackageManager.js";
 import { createPipPackageManager } from "./pip/createPackageManager.js";
+import { createUvPackageManager } from "./uv/createUvPackageManager.js";
 
 /**
  * @type {{packageManagerName: PackageManager | null}}
@@ -54,6 +55,8 @@ export function initializePackageManager(packageManagerName) {
     state.packageManagerName = createBunxPackageManager();
   } else if (packageManagerName === "pip") {
     state.packageManagerName = createPipPackageManager();
+  } else if (packageManagerName === "uv") {
+    state.packageManagerName = createUvPackageManager();
   } else {
     throw new Error("Unsupported package manager: " + packageManagerName);
   }

package/src/packagemanager/uv/createUvPackageManager.js

@@ -0,0 +1,18 @@
+import { runUv } from "./runUvCommand.js";
+
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createUvPackageManager() {
+  return {
+    /**
+     * @param {string[]} args
+     */
+    runCommand: (args) => {
+      return runUv("uv", args);
+    },
+    // For uv, rely solely on MITM
+    isSupportedCommand: () => false,
+    getDependencyUpdatesForCommand: () => [],
+  };
+}

package/src/packagemanager/uv/runUvCommand.js

@@ -0,0 +1,71 @@
+import { ui } from "../../environment/userInteraction.js";
+import { safeSpawn } from "../../utils/safeSpawn.js";
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+
+/**
+ * Sets CA bundle environment variables used by Python libraries and uv.
+ * 
+ * @param {NodeJS.ProcessEnv} env - Env object
+ * @param {string} combinedCaPath - Path to the combined CA bundle
+ */
+function setUvCaBundleEnvironmentVariables(env, combinedCaPath) {
+  // SSL_CERT_FILE: Used by Python SSL libraries and underlying HTTP clients
+  if (env.SSL_CERT_FILE) {
+    ui.writeWarning("Safe-chain: User defined SSL_CERT_FILE found in environment. It will be overwritten.");
+  }
+  env.SSL_CERT_FILE = combinedCaPath;
+
+  // REQUESTS_CA_BUNDLE: Used by the requests library (which uv may use internally)
+  if (env.REQUESTS_CA_BUNDLE) {
+    ui.writeWarning("Safe-chain: User defined REQUESTS_CA_BUNDLE found in environment. It will be overwritten.");
+  }
+  env.REQUESTS_CA_BUNDLE = combinedCaPath;
+
+  // PIP_CERT: Some underlying pip operations may respect this
+  if (env.PIP_CERT) {
+    ui.writeWarning("Safe-chain: User defined PIP_CERT found in environment. It will be overwritten.");
+  }
+  env.PIP_CERT = combinedCaPath;
+}
+
+/**
+ * Runs a uv command with safe-chain's certificate bundle and proxy configuration.
+ * 
+ * uv respects standard environment variables for proxy and TLS configuration:
+ * - HTTP_PROXY / HTTPS_PROXY: Proxy settings
+ * - SSL_CERT_FILE / REQUESTS_CA_BUNDLE: CA bundle for TLS verification
+ * 
+ * Unlike pip (which requires a temporary config file for cert configuration), uv directly
+ * honors environment variables, so no config/ini file is needed.
+ * 
+ * @param {string} command - The uv command to execute (typically 'uv')
+ * @param {string[]} args - Command line arguments to pass to uv
+ * @returns {Promise<{status: number}>} Exit status of the uv command
+ */
+export async function runUv(command, args) {
+  try {
+    const env = mergeSafeChainProxyEnvironmentVariables(process.env);
+
+    const combinedCaPath = getCombinedCaBundlePath();
+    setUvCaBundleEnvironmentVariables(env, combinedCaPath);
+
+    // Note: uv uses HTTPS_PROXY and HTTP_PROXY environment variables for proxy configuration
+    // These are already set by mergeSafeChainProxyEnvironmentVariables
+
+    const result = await safeSpawn(command, args, {
+      stdio: "inherit",
+      env,
+    });
+
+    return { status: result.status };
+  } catch (/** @type any */ error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError(`Error executing command: ${error.message}`);
+      ui.writeError(`Is '${command}' installed and available on your system?`);
+      return { status: 1 };
+    }
+  }
+}

package/src/scanning/index.js

@@ -29,36 +29,19 @@ export async function scanCommand(args) {
   }
 
   let timedOut = false;
-
-  const spinner = ui.startProcess(
-    "Safe-chain: Scanning for malicious packages..."
-  );
   /** @type {import("./audit/index.js").AuditResult | undefined} */
   let audit;
 
   await Promise.race([
     (async () => {
-      try {
-        const packageManager = getPackageManager();
-        const changes = await packageManager.getDependencyUpdatesForCommand(
-          args
-        );
-
-        if (timedOut) {
-          return;
-        }
-
-        if (changes.length > 0) {
-          spinner.setText(
-            `Safe-chain: Scanning ${changes.length} package(s)...`
-          );
-        }
+      const packageManager = getPackageManager();
+      const changes = await packageManager.getDependencyUpdatesForCommand(args);
 
-        audit = await auditChanges(changes);
-      } catch (/** @type any */ error) {
-        spinner.fail(`Safe-chain: Error while scanning.`);
-        throw error;
+      if (timedOut) {
+        return;
       }
+
+      audit = await auditChanges(changes);
     })(),
     setTimeout(getScanTimeout()).then(() => {
       timedOut = true;
@@ -66,15 +49,13 @@ export async function scanCommand(args) {
   ]);
 
   if (timedOut) {
-    spinner.fail("Safe-chain: Timeout exceeded while scanning.");
     throw new Error("Timeout exceeded while scanning npm install command.");
   }
 
   if (!audit || audit.isAllowed) {
-    spinner.stop();
     return 0;
   } else {
-    printMaliciousChanges(audit.disallowedChanges, spinner);
+    printMaliciousChanges(audit.disallowedChanges);
     onMalwareFound();
     return 1;
   }
@@ -82,12 +63,12 @@ export async function scanCommand(args) {
 
 /**
  * @param {import("./audit/index.js").PackageChange[]} changes
- * @param spinner {import("../environment/userInteraction.js").Spinner}
- *
  * @return {void}
  */
-function printMaliciousChanges(changes, spinner) {
-  spinner.fail("Safe-chain: " + chalk.bold("Malicious changes detected:"));
+function printMaliciousChanges(changes) {
+  ui.writeInformation(
+    chalk.red("✖") + " Safe-chain: " + chalk.bold("Malicious changes detected:")
+  );
 
   for (const change of changes) {
     ui.writeInformation(` - ${change.name}@${change.version}`);

package/src/shell-integration/helpers.js

@@ -22,6 +22,7 @@ export const knownAikidoTools = [
   { tool: "pnpx", aikidoCommand: "aikido-pnpx", ecoSystem: ECOSYSTEM_JS },
   { tool: "bun", aikidoCommand: "aikido-bun", ecoSystem: ECOSYSTEM_JS },
   { tool: "bunx", aikidoCommand: "aikido-bunx", ecoSystem: ECOSYSTEM_JS },
+  { tool: "uv", aikidoCommand: "aikido-uv", ecoSystem: ECOSYSTEM_PY },
   { tool: "pip", aikidoCommand: "aikido-pip", ecoSystem: ECOSYSTEM_PY },
   { tool: "pip3", aikidoCommand: "aikido-pip3", ecoSystem: ECOSYSTEM_PY },
   { tool: "python", aikidoCommand: "aikido-python", ecoSystem: ECOSYSTEM_PY },

package/src/shell-integration/startup-scripts/include-python/init-fish.fish

@@ -77,6 +77,10 @@ function pip3
     wrapSafeChainCommand "pip3" "aikido-pip3" $argv
 end
 
+function uv
+    wrapSafeChainCommand "uv" "aikido-uv" $argv
+end
+
 # `python -m pip`, `python -m pip3`.
 function python
     wrapSafeChainCommand "python" "aikido-python" $argv

package/src/shell-integration/startup-scripts/include-python/init-posix.sh

@@ -69,6 +69,10 @@ function pip3() {
   wrapSafeChainCommand "pip3" "aikido-pip3" "$@"
 }
 
+function uv() {
+  wrapSafeChainCommand "uv" "aikido-uv" "$@"
+}
+
 # `python -m pip`, `python -m pip3`.
 function python() {
   wrapSafeChainCommand "python" "aikido-python" "$@"

package/src/shell-integration/startup-scripts/include-python/init-pwsh.ps1

@@ -95,6 +95,10 @@ function pip3 {
     Invoke-WrappedCommand "pip3" "aikido-pip3" $args
 }
 
+function uv {
+    Invoke-WrappedCommand "uv" "aikido-uv" $args
+}
+
 # `python -m pip`, `python -m pip3`.
 function python {
     Invoke-WrappedCommand 'python' 'aikido-python' $args