@aikidosec/safe-chain 1.1.9 → 1.2.0

package/README.md

@@ -1,48 +1,71 @@
+![Aikido Safe Chain](./docs/banner.svg)
+
 # Aikido Safe Chain
 
-The Aikido Safe Chain **prevents developers from installing malware** on their workstations while developing in the Javascript ecosystem (through npm, npx, yarn, pnpm, pnpx, bun and bunx). It's **free** to use and does not require any token.
+[![NPM Version](https://img.shields.io/npm/v/%40aikidosec%2Fsafe-chain?style=flat-square)](https://www.npmjs.com/package/@aikidosec/safe-chain)
+[![NPM Downloads](https://img.shields.io/npm/dw/%40aikidosec%2Fsafe-chain?style=flat-square)](https://www.npmjs.com/package/@aikidosec/safe-chain)
 
-The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [bun](https://bun.sh/), [bunx](https://bun.sh/docs/cli/bunx), and [pip](https://pip.pypa.io/) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, bun, bunx, or pip/pip3 from downloading or running the malware.
+- ✅ **Block malware on developer laptops and CI/CD**
+- ✅ **Supports npm and PyPI** more package managers coming
+- ✅ **Blocks packages newer than 24 hours** without breaking your build
+- ✅ **Tokenless, free, no build data shared**
 
 Aikido Safe Chain works on Node.js version 16 and above and supports the following package managers:
 
-- ✅ **npm**
-- ✅ **npx**
-- ✅ **yarn**
-- ✅ **pnpm**
-- ✅ **pnpx**
-- ✅ **bun**
-- ✅ **bunx**
-- ✅ **pip** (beta)
-- ✅ **pip3** (beta)
+- 📦 **npm**
+- 📦 **npx**
+- 📦 **yarn**
+- 📦 **pnpm**
+- 📦 **pnpx**
+- 📦 **bun**
+- 📦 **bunx**
+- 📦 **pip** (beta)
+- 📦 **pip3** (beta)
+- 📦 **uv** (beta)
 
 # Usage
 
 ## Installation
 
-Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
+Installing the Aikido Safe Chain is easy with our one-line installer.
 
-1. **Install the Aikido Safe Chain package globally** using npm:
-   ```shell
-   npm install -g @aikidosec/safe-chain
-   ```
-2. **Setup the shell integration** by running:
+> ⚠️ **Already installed via npm?** See the [migration guide](docs/npm-to-binary-migration.md) to switch to the binary version.
 
-   ```shell
-   safe-chain setup
-   ```
+### Unix/Linux/macOS
 
-   To enable Python (pip/pip3) support (beta), use the `--include-python` flag:
+**Default installation (JavaScript packages only):**
 
-   ```shell
-   safe-chain setup --include-python
-   ```
+```shell
+curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh
+```
 
-3. **❗Restart your terminal** to start using the Aikido Safe Chain.
+**Include Python support (pip/pip3/uv):**
+
+```shell
+curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --include-python
+```
+
+### Windows (PowerShell)
+
+**Default installation (JavaScript packages only):**
+
+```powershell
+iex (iwr "https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1" -UseBasicParsing)
+```
+
+**Include Python support (pip/pip3/uv):**
+
+```powershell
+iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -includepython"
+```
+
+### Verify the installation
+
+1. **❗Restart your terminal** to start using the Aikido Safe Chain.
 
    - This step is crucial as it ensures that the shell aliases for npm, npx, yarn, pnpm, pnpx, bun, bunx, and pip/pip3 are loaded correctly. If you do not restart your terminal, the aliases will not be available.
 
-4. **Verify the installation** by running one of the following commands:
+2. **Verify the installation** by running one of the following commands:
 
    For JavaScript/Node.js:
 
@@ -50,7 +73,7 @@ Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
    npm install safe-chain-test
    ```
 
-   For Python (beta):
+   For Python (if you enabled Python support):
 
    ```shell
    pip3 install safe-chain-pi-test
@@ -58,7 +81,7 @@ Installing the Aikido Safe Chain is easy. You just need 3 simple steps:
 
    - The output should show that Aikido Safe Chain is blocking the installation of these test packages as they are flagged as malware.
 
-When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, or `pip3` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. It also intercepts Python module invocations for pip when available (e.g., `python -m pip install ...`, `python3 -m pip download ...`). If any malware is detected, it will prompt you to exit the command.
+When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `uv`, `pip`, or `pip3` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. It also intercepts Python module invocations for pip when available (e.g., `python -m pip install ...`, `python3 -m pip download ...`). If any malware is detected, it will prompt you to exit the command.
 
 You can check the installed version by running:
 
@@ -70,17 +93,17 @@ safe-chain --version
 
 ### Malware Blocking
 
-The Aikido Safe Chain works by running a lightweight proxy server that intercepts package downloads from the npm registry and PyPI. When you run npm, npx, yarn, pnpm, pnpx, bun, bunx, `pip`, or `pip3` commands, all package downloads are routed through this local proxy, which verifies packages in real-time against **[Aikido Intel - Open Sources Threat Intelligence](https://intel.aikido.dev/?tab=malware)**. If malware is detected in any package (including deep dependencies), the proxy blocks the download before the malicious code reaches your machine.
+The Aikido Safe Chain works by running a lightweight proxy server that intercepts package downloads from the npm registry and PyPI. When you run npm, npx, yarn, pnpm, pnpx, bun, bunx, uv, `pip`, or `pip3` commands, all package downloads are routed through this local proxy, which verifies packages in real-time against **[Aikido Intel - Open Sources Threat Intelligence](https://intel.aikido.dev/?tab=malware)**. If malware is detected in any package (including deep dependencies), the proxy blocks the download before the malicious code reaches your machine.
 
 ### Minimum package age (npm only)
 
-For npm packages, Safe Chain temporarily suppresses packages published within the last 24 hours until they have been validated against malware. This provides an additional security layer during the critical period when newly published packages are most vulnerable to containing undetected threats. You can bypass this protection for specific installs using the `--safe-chain-skip-minimum-package-age` flag.
+For npm packages, Safe Chain temporarily suppresses packages published within the last 24 hours (by default) until they have been validated against malware. This provides an additional security layer during the critical period when newly published packages are most vulnerable to containing undetected threats. You can configure this threshold or bypass this protection entirely - see the [Minimum Package Age Configuration](#minimum-package-age) section below.
 
-⚠️ This feature **only applies to npm-based package managers** (npm, npx, yarn, pnpm, pnpx, bun, bunx) and does not apply to PyPI/pip.
+⚠️ This feature **only applies to npm-based package managers** (npm, npx, yarn, pnpm, pnpx, bun, bunx) and does not apply to Python package managers (uv, pip, pip3).
 
 ### Shell Integration
 
-The Aikido Safe Chain integrates with your shell to provide a seamless experience when using npm, npx, yarn, pnpm, pnpx, bun, bunx, and pip commands. It sets up aliases for these commands so that they are wrapped by the Aikido Safe Chain commands, which manage the proxy server before executing the original commands. We currently support:
+The Aikido Safe Chain integrates with your shell to provide a seamless experience when using npm, npx, yarn, pnpm, pnpx, bun, bunx, and Python package managers (uv, pip). It sets up aliases for these commands so that they are wrapped by the Aikido Safe Chain commands, which manage the proxy server before executing the original commands. We currently support:
 
 - ✅ **Bash**
 - ✅ **Zsh**
@@ -126,27 +149,72 @@ You can control the output from Aikido Safe Chain using the `--safe-chain-loggin
   npm install express --safe-chain-logging=verbose
   ```
 
+## Minimum Package Age
+
+You can configure how long packages must exist before Safe Chain allows their installation. By default, packages must be at least 24 hours old before they can be installed through npm-based package managers.
+
+### Configuration Options
+
+You can set the minimum package age through multiple sources (in order of priority):
+
+1. **CLI Argument** (highest priority):
+
+   ```shell
+   npm install express --safe-chain-minimum-package-age-hours=48
+   ```
+
+2. **Environment Variable**:
+
+   ```shell
+   export SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS=48
+   npm install express
+   ```
+
+3. **Config File** (`~/.aikido/config.json`):
+
+   ```json
+   {
+     "minimumPackageAgeHours": 48
+   }
+   ```
+
 # Usage in CI/CD
 
 You can protect your CI/CD pipelines from malicious packages by integrating Aikido Safe Chain into your build process. This ensures that any packages installed during your automated builds are checked for malware before installation.
 
 For optimal protection in CI/CD environments, we recommend using **npm >= 10.4.0** as it provides full dependency tree scanning. Other package managers currently offer limited scanning of install command arguments only.
 
-## Setup
+## Installation for CI/CD
+
+Use the `--ci` flag to automatically configure Aikido Safe Chain for CI/CD environments. This sets up executable shims in the PATH instead of shell aliases.
+
+### Unix/Linux/macOS (GitHub Actions, Azure Pipelines, etc.)
 
-To use Aikido Safe Chain in CI/CD environments, run the following command after installing the package:
+**JavaScript only:**
 
 ```shell
-safe-chain setup-ci
+curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci
 ```
 
-To enable Python (pip/pip3) support (beta) in CI/CD, use the `--include-python` flag:
+**With Python support:**
 
 ```shell
-safe-chain setup-ci --include-python
+curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci --include-python
 ```
 
-This automatically configures your CI environment to use Aikido Safe Chain for all package manager commands.
+### Windows (Azure Pipelines, etc.)
+
+**JavaScript only:**
+
+```powershell
+iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -ci"
+```
+
+**With Python support:**
+
+```powershell
+iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -ci -includepython"
+```
 
 ## Supported Platforms
 
@@ -162,16 +230,15 @@ This automatically configures your CI environment to use Aikido Safe Chain for a
     node-version: "22"
     cache: "npm"
 
-- name: Setup safe-chain
-  run: |
-    npm i -g @aikidosec/safe-chain
-    safe-chain setup-ci
+- name: Install safe-chain
+  run: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci --include-python
 
 - name: Install dependencies
-  run: |
-    npm ci
+  run: npm ci
 ```
 
+> **Note:** Remove `--include-python` if you don't need Python (pip/pip3/uv) support.
+
 ## Azure DevOps Example
 
 ```yaml
@@ -180,14 +247,13 @@ This automatically configures your CI environment to use Aikido Safe Chain for a
     versionSpec: "22.x"
   displayName: "Install Node.js"
 
-- script: |
-    npm i -g @aikidosec/safe-chain
-    safe-chain setup-ci
-  displayName: "Install safe chain"
+- script: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci --include-python
+  displayName: "Install safe-chain"
 
-- script: |
-    npm ci
-  displayName: "npm install and build"
+- script: npm ci
+  displayName: "Install dependencies"
 ```
 
+> **Note:** Remove `--include-python` if you don't need Python (pip/pip3/uv) support.
+
 After setup, all subsequent package manager commands in your CI pipeline will automatically be protected by Aikido Safe Chain's malware detection.

package/bin/aikido-bun.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "bun";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-bunx.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "bunx";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-npm.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "npm";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-npx.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "npx";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-pip.js

@@ -13,6 +13,8 @@ setCurrentPipInvocation(PIP_INVOCATIONS.PIP);
 
 initializePackageManager(PIP_PACKAGE_MANAGER);
 
-// Pass through only user-supplied pip args
-var exitCode = await main(process.argv.slice(2));
-process.exit(exitCode);
+(async () => {
+  // Pass through only user-supplied pip args
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-pip3.js

@@ -14,6 +14,8 @@ setCurrentPipInvocation(PIP_INVOCATIONS.PIP3);
 // Create package manager
 initializePackageManager(PIP_PACKAGE_MANAGER);
 
-// Pass through only user-supplied pip args
-var exitCode = await main(process.argv.slice(2));
-process.exit(exitCode);
+(async () => {
+  // Pass through only user-supplied pip args
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-pnpm.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "pnpm";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-pnpx.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "pnpx";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-python.js

@@ -11,18 +11,20 @@ setEcoSystem(ECOSYSTEM_PY);
 // Strip nodejs and wrapper script from args
 let argv = process.argv.slice(2);
 
-if (argv[0] === '-m' && (argv[1] === 'pip' || argv[1] === 'pip3')) {
-	setEcoSystem(ECOSYSTEM_PY);
-	setCurrentPipInvocation(argv[1] === 'pip3' ? PIP_INVOCATIONS.PY_PIP3 : PIP_INVOCATIONS.PY_PIP);
-	initializePackageManager(PIP_PACKAGE_MANAGER);
+(async () => {
+  if (argv[0] === '-m' && (argv[1] === 'pip' || argv[1] === 'pip3')) {
+    setEcoSystem(ECOSYSTEM_PY);
+    setCurrentPipInvocation(argv[1] === 'pip3' ? PIP_INVOCATIONS.PY_PIP3 : PIP_INVOCATIONS.PY_PIP);
+    initializePackageManager(PIP_PACKAGE_MANAGER);
 
-  // Strip off the '-m pip' or '-m pip3' from the args
-  argv = argv.slice(2);
+    // Strip off the '-m pip' or '-m pip3' from the args
+    argv = argv.slice(2);
 
-  var exitCode = await main(argv);
-	process.exit(exitCode);
-} else {
-	// Forward to real python binary for non-pip flows
-	const { spawn } = await import('child_process');
-	spawn('python', argv, { stdio: 'inherit' });
-}
+    var exitCode = await main(argv);
+    process.exit(exitCode);
+  } else {
+    // Forward to real python binary for non-pip flows
+    const { spawn } = await import('child_process');
+    spawn('python', argv, { stdio: 'inherit' });
+  }
+})();

package/bin/aikido-python3.js

@@ -11,18 +11,20 @@ setEcoSystem(ECOSYSTEM_PY);
 // Strip nodejs and wrapper script from args
 let argv = process.argv.slice(2);
 
-if (argv[0] === '-m' && (argv[1] === 'pip' || argv[1] === 'pip3')) {
-	setEcoSystem(ECOSYSTEM_PY);
-	setCurrentPipInvocation(argv[1] === 'pip3' ? PIP_INVOCATIONS.PY3_PIP3 : PIP_INVOCATIONS.PY3_PIP);
-	initializePackageManager(PIP_PACKAGE_MANAGER);
+(async () => {
+  if (argv[0] === '-m' && (argv[1] === 'pip' || argv[1] === 'pip3')) {
+    setEcoSystem(ECOSYSTEM_PY);
+    setCurrentPipInvocation(argv[1] === 'pip3' ? PIP_INVOCATIONS.PY3_PIP3 : PIP_INVOCATIONS.PY3_PIP);
+    initializePackageManager(PIP_PACKAGE_MANAGER);
 
-  // Strip off the '-m pip' or '-m pip3' from the args
-	argv = argv.slice(2);
+    // Strip off the '-m pip' or '-m pip3' from the args
+    argv = argv.slice(2);
 
-  var exitCode = await main(argv);
-	process.exit(exitCode);
-} else {
-	// Forward to real python3 binary for non-pip flows
-	const { spawn } = await import('child_process');
-	spawn('python3', argv, { stdio: 'inherit' });
-}
+    var exitCode = await main(argv);
+    process.exit(exitCode);
+  } else {
+    // Forward to real python3 binary for non-pip flows
+    const { spawn } = await import('child_process');
+    spawn('python3', argv, { stdio: 'inherit' });
+  }
+})();

package/bin/aikido-uv.js

@@ -0,0 +1,16 @@
+#!/usr/bin/env node
+
+import { main } from "../src/main.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+import { setEcoSystem, ECOSYSTEM_PY } from "../src/config/settings.js";
+
+// Set eco system
+setEcoSystem(ECOSYSTEM_PY);
+
+initializePackageManager("uv");
+
+(async () => {
+  // Pass through only user-supplied uv args
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-yarn.js

@@ -7,6 +7,8 @@ import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
 setEcoSystem(ECOSYSTEM_JS);
 const packageManagerName = "yarn";
 initializePackageManager(packageManagerName);
-var exitCode = await main(process.argv.slice(2));
 
-process.exit(exitCode);
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/safe-chain.js

@@ -1,12 +1,37 @@
 #!/usr/bin/env node
 
 import chalk from "chalk";
-import { createRequire } from "module";
 import { ui } from "../src/environment/userInteraction.js";
 import { setup } from "../src/shell-integration/setup.js";
 import { teardown } from "../src/shell-integration/teardown.js";
 import { setupCi } from "../src/shell-integration/setup-ci.js";
 import { initializeCliArguments } from "../src/config/cliArguments.js";
+import { setEcoSystem } from "../src/config/settings.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+import { main } from "../src/main.js";
+import path from "path";
+import { fileURLToPath } from "url";
+import fs from "fs";
+import { knownAikidoTools } from "../src/shell-integration/helpers.js";
+import {
+  PIP_INVOCATIONS,
+  PIP_PACKAGE_MANAGER,
+  setCurrentPipInvocation,
+} from "../src/packagemanager/pip/pipSettings.js";
+
+/** @type {string} */
+// This checks the current file's dirname in a way that's compatible with:
+//  - Modulejs (import.meta.url)
+//  - ES modules (__dirname)
+// This is needed because safe-chain's npm package is built using ES modules,
+// but building the binaries requires commonjs.
+let dirname;
+if (import.meta.url) {
+  const filename = fileURLToPath(import.meta.url);
+  dirname = path.dirname(filename);
+} else {
+  dirname = __dirname;
+}
 
 if (process.argv.length < 3) {
   ui.writeError("No command provided. Please provide a command to execute.");
@@ -19,19 +44,35 @@ initializeCliArguments(process.argv);
 
 const command = process.argv[2];
 
-if (command === "help" || command === "--help" || command === "-h") {
+const tool = knownAikidoTools.find((tool) => tool.tool === command);
+
+if (tool && tool.internalPackageManagerName === PIP_PACKAGE_MANAGER) {
+  (async function () {
+    await executePip(tool);
+  })();
+} else if (tool) {
+  const args = process.argv.slice(3);
+
+  setEcoSystem(tool.ecoSystem);
+  initializePackageManager(tool.internalPackageManagerName);
+
+  (async () => {
+    var exitCode = await main(args);
+    process.exit(exitCode);
+  })();
+} else if (command === "help" || command === "--help" || command === "-h") {
   writeHelp();
   process.exit(0);
-}
-
-if (command === "setup") {
+} else if (command === "setup") {
   setup();
 } else if (command === "teardown") {
   teardown();
 } else if (command === "setup-ci") {
   setupCi();
 } else if (command === "--version" || command === "-v" || command === "-v") {
-  ui.writeInformation(`Current safe-chain version: ${getVersion()}`);
+  (async () => {
+    ui.writeInformation(`Current safe-chain version: ${await getVersion()}`);
+  })();
 } else {
   ui.writeError(`Unknown command: ${command}.`);
   ui.emptyLine();
@@ -87,8 +128,63 @@ function writeHelp() {
   ui.emptyLine();
 }
 
-function getVersion() {
-  const require = createRequire(import.meta.url);
-  const packageJson = require("../package.json");
-  return packageJson.version;
+async function getVersion() {
+  const packageJsonPath = path.join(dirname, "..", "package.json");
+
+  const data = await fs.promises.readFile(packageJsonPath);
+  const json = JSON.parse(data.toString("utf8"));
+
+  if (json && json.version) {
+    return json.version;
+  }
+
+  return "0.0.0";
+}
+
+/**
+ * @param {import("../src/shell-integration/helpers.js").AikidoTool} tool
+ */
+async function executePip(tool) {
+  // Scanners for pip / pip3 / python / python3 use a slightly different approach:
+  //  - They all use the same PIP_PACKAGE_MANAGER internally, but need some setup to be able to do so
+  //     - It needs to set which tool to run (pip / pip3 / python / python3)
+  //     - For python and python3, the -m pip/pip3 args are removed and later added again by the package manager
+  //  - Python / python3 skips safe-chain if not being run with -m pip or -m pip3
+
+  let args = process.argv.slice(3);
+  setEcoSystem(tool.ecoSystem);
+  initializePackageManager(PIP_PACKAGE_MANAGER);
+
+  let shouldSkip = false;
+  if (tool.tool === "pip") {
+    setCurrentPipInvocation(PIP_INVOCATIONS.PIP);
+  } else if (tool.tool === "pip3") {
+    setCurrentPipInvocation(PIP_INVOCATIONS.PIP3);
+  } else if (tool.tool === "python") {
+    if (args[0] === "-m" && (args[1] === "pip" || args[1] === "pip3")) {
+      setCurrentPipInvocation(
+        args[1] === "pip3" ? PIP_INVOCATIONS.PY_PIP3 : PIP_INVOCATIONS.PY_PIP
+      );
+      args = args.slice(2);
+    } else {
+      shouldSkip = true;
+    }
+  } else if (tool.tool === "python3") {
+    if (args[0] === "-m" && (args[1] === "pip" || args[1] === "pip3")) {
+      setCurrentPipInvocation(
+        args[1] === "pip3" ? PIP_INVOCATIONS.PY3_PIP3 : PIP_INVOCATIONS.PY3_PIP
+      );
+      args = args.slice(2);
+    } else {
+      shouldSkip = true;
+    }
+  }
+
+  if (shouldSkip) {
+    const { spawn } = await import("child_process");
+    spawn(tool.tool, args, { stdio: "inherit" });
+  } else {
+    var exitCode = await main(args);
+    process.exit(exitCode);
+  }
 }