@aikidosec/safe-chain 1.2.4 → 1.3.1

package/README.md

@@ -19,10 +19,10 @@ Aikido Safe Chain supports the following package managers:
 - 📦 **pnpx**
 - 📦 **bun**
 - 📦 **bunx**
-- 📦 **pip** (beta)
-- 📦 **pip3** (beta)
-- 📦 **uv** (beta)
-- 📦 **poetry** (beta)
+- 📦 **pip**
+- 📦 **pip3**
+- 📦 **uv**
+- 📦 **poetry**
 
 # Usage
 
@@ -34,32 +34,16 @@ Installing the Aikido Safe Chain is easy with our one-line installer.
 
 ### Unix/Linux/macOS
 
-**Default installation (JavaScript packages only):**
-
 ```shell
 curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh
 ```
 
-**Include Python support (pip/pip3/uv):**
-
-```shell
-curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --include-python
-```
-
 ### Windows (PowerShell)
 
-**Default installation (JavaScript packages only):**
-
 ```powershell
 iex (iwr "https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1" -UseBasicParsing)
 ```
 
-**Include Python support (pip/pip3/uv):**
-
-```powershell
-iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -includepython"
-```
-
 ### Verify the installation
 
 1. **❗Restart your terminal** to start using the Aikido Safe Chain.
@@ -74,7 +58,7 @@ iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/inst
    npm install safe-chain-test
    ```
 
-   For Python (if you enabled Python support):
+   For Python:
 
    ```shell
    pip3 install safe-chain-pi-test
@@ -193,32 +177,16 @@ Use the `--ci` flag to automatically configure Aikido Safe Chain for CI/CD envir
 
 ### Unix/Linux/macOS (GitHub Actions, Azure Pipelines, etc.)
 
-**JavaScript only:**
-
 ```shell
 curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci
 ```
 
-**With Python support:**
-
-```shell
-curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci --include-python
-```
-
 ### Windows (Azure Pipelines, etc.)
 
-**JavaScript only:**
-
 ```powershell
 iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -ci"
 ```
 
-**With Python support:**
-
-```powershell
-iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -ci -includepython"
-```
-
 ## Supported Platforms
 
 - ✅ **GitHub Actions**
@@ -234,14 +202,12 @@ iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/inst
     cache: "npm"
 
 - name: Install safe-chain
-  run: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci --include-python
+  run: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci
 
 - name: Install dependencies
   run: npm ci
 ```
 
-> **Note:** Remove `--include-python` if you don't need Python (pip/pip3/uv/poetry) support.
-
 ## Azure DevOps Example
 
 ```yaml
@@ -250,13 +216,11 @@ iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/inst
     versionSpec: "22.x"
   displayName: "Install Node.js"
 
-- script: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci --include-python
+- script: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci
   displayName: "Install safe-chain"
 
 - script: npm ci
   displayName: "Install dependencies"
 ```
 
-> **Note:** Remove `--include-python` if you don't need Python (pip/pip3/uv/poetry) support.
-
 After setup, all subsequent package manager commands in your CI pipeline will automatically be protected by Aikido Safe Chain's malware detection.

package/bin/safe-chain.js

@@ -95,11 +95,6 @@ function writeHelp() {
       "safe-chain setup"
     )}: This will setup your shell to wrap safe-chain around npm, npx, yarn, pnpm, pnpx, bun, bunx, pip and pip3.`
   );
-  ui.writeInformation(
-    `    ${chalk.yellow(
-      "--include-python"
-    )}: Experimental: include Python package managers (pip, pip3) in the setup.`
-  );
   ui.writeInformation(
     `- ${chalk.cyan(
       "safe-chain teardown"
@@ -110,11 +105,6 @@ function writeHelp() {
       "safe-chain setup-ci"
     )}: This will setup safe-chain for CI environments by creating shims and modifying the PATH.`
   );
-  ui.writeInformation(
-    `    ${chalk.yellow(
-      "--include-python"
-    )}: Experimental: include Python package managers (pip, pip3) in the setup.`
-  );
   ui.writeInformation(
     `- ${chalk.cyan("safe-chain --version")} (or ${chalk.cyan(
       "-v"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.2.4",
+  "version": "1.3.1",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",

package/src/config/cliArguments.js

@@ -1,11 +1,12 @@
+import { ui } from "../environment/userInteraction.js";
+
 /**
- * @type {{loggingLevel: string | undefined, skipMinimumPackageAge: boolean | undefined, minimumPackageAgeHours: string | undefined, includePython: boolean}}
+ * @type {{loggingLevel: string | undefined, skipMinimumPackageAge: boolean | undefined, minimumPackageAgeHours: string | undefined}}
  */
 const state = {
   loggingLevel: undefined,
   skipMinimumPackageAge: undefined,
   minimumPackageAgeHours: undefined,
-  includePython: false,
 };
 
 const SAFE_CHAIN_ARG_PREFIX = "--safe-chain-";
@@ -34,8 +35,7 @@ export function initializeCliArguments(args) {
   setLoggingLevel(safeChainArgs);
   setSkipMinimumPackageAge(safeChainArgs);
   setMinimumPackageAgeHours(safeChainArgs);
-  setIncludePython(args);
-
+  checkDeprecatedPythonFlag(args);
   return remainingArgs;
 }
 
@@ -109,20 +109,6 @@ export function getMinimumPackageAgeHours() {
   return state.minimumPackageAgeHours;
 }
 
-/**
- * @param {string[]} args
- */
-function setIncludePython(args) {
-  // This flag doesn't have the --safe-chain- prefix because
-  // it is only used for the safe-chain command itself and
-  // not when wrapped around package manager commands.
-  state.includePython = hasFlagArg(args, "--include-python");
-}
-
-export function includePython() {
-  return state.includePython;
-}
-
 /**
  * @param {string[]} args
  * @param {string} flagName
@@ -136,3 +122,17 @@ function hasFlagArg(args, flagName) {
   }
   return false;
 }
+
+/**
+ * Emits a deprecation warning for legacy --include-python flag
+ *
+ * @param {string[]} args
+ * @returns {void}
+ */
+export function checkDeprecatedPythonFlag(args) {
+  if (hasFlagArg(args, "--include-python")) {
+    ui.writeWarning(
+      "--include-python is deprecated and ignored. Python tooling is included by default."
+    );
+  }
+}

package/src/shell-integration/setup-ci.js

@@ -5,8 +5,6 @@ import fs from "fs";
 import os from "os";
 import path from "path";
 import { fileURLToPath } from "url";
-import { includePython } from "../config/cliArguments.js";
-import { ECOSYSTEM_PY } from "../config/settings.js";
 
 /** @type {string} */
 // This checks the current file's dirname in a way that's compatible with:
@@ -162,9 +160,5 @@ function modifyPathForCi(shimsDir, binDir) {
 }
 
 function getToolsToSetup() {
-  if (includePython()) {
-    return knownAikidoTools;
-  } else {
-    return knownAikidoTools.filter((tool) => tool.ecoSystem !== ECOSYSTEM_PY);
-  }
+  return knownAikidoTools;
 }

package/src/shell-integration/setup.js

@@ -4,7 +4,6 @@ import { detectShells } from "./shellDetection.js";
 import { knownAikidoTools, getPackageManagerList, getScriptsDir } from "./helpers.js";
 import fs from "fs";
 import path from "path";
-import { includePython } from "../config/cliArguments.js";
 import { fileURLToPath } from "url";
 
 /** @type {string} */
@@ -118,7 +117,7 @@ function copyStartupFiles() {
     // Use absolute path for source
     const sourcePath = path.join(
       dirname,
-      includePython() ? "startup-scripts/include-python" : "startup-scripts",
+      "startup-scripts",
       file
     );
     fs.copyFileSync(sourcePath, targetPath);

package/src/shell-integration/startup-scripts/init-fish.fish

@@ -39,6 +39,33 @@ function npm
     wrapSafeChainCommand "npm" $argv
 end
 
+
+function pip
+    wrapSafeChainCommand "pip" $argv
+end
+
+function pip3
+    wrapSafeChainCommand "pip3" $argv
+end
+
+function uv
+    wrapSafeChainCommand "uv" $argv
+end
+
+function poetry
+    wrapSafeChainCommand "poetry" $argv
+end
+
+# `python -m pip`, `python -m pip3`.
+function python
+    wrapSafeChainCommand "python" $argv
+end
+
+# `python3 -m pip`, `python3 -m pip3'.
+function python3
+    wrapSafeChainCommand "python3" $argv
+end
+
 function printSafeChainWarning
     set original_cmd $argv[1]
     

package/src/shell-integration/startup-scripts/init-posix.sh

@@ -35,6 +35,33 @@ function npm() {
   wrapSafeChainCommand "npm" "$@"
 }
 
+
+function pip() {
+  wrapSafeChainCommand "pip" "$@"
+}
+
+function pip3() {
+  wrapSafeChainCommand "pip3" "$@"
+}
+
+function uv() {
+  wrapSafeChainCommand "uv" "$@"
+}
+
+function poetry() {
+  wrapSafeChainCommand "poetry" "$@"
+}
+
+# `python -m pip`, `python -m pip3`.
+function python() {
+  wrapSafeChainCommand "python" "$@"
+}
+
+# `python3 -m pip`, `python3 -m pip3'.
+function python3() {
+  wrapSafeChainCommand "python3" "$@"
+}
+
 function printSafeChainWarning() {
   # \033[43;30m is used to set the background color to yellow and text color to black
   # \033[0m is used to reset the text formatting

package/src/shell-integration/startup-scripts/init-pwsh.ps1

@@ -1,5 +1,7 @@
 # Use cross-platform path separator (: on Unix, ; on Windows)
-$pathSeparator = if ($IsWindows) { ';' } else { ':' }
+# $IsWindows is only available in PowerShell Core 6.0+. If it doesn't exist, assume Windows PowerShell
+$isWindowsPlatform = if (Test-Path variable:IsWindows) { $IsWindows } else { $true }
+$pathSeparator = if ($isWindowsPlatform) { ';' } else { ':' }
 $safeChainBin = Join-Path (Join-Path $HOME '.safe-chain') 'bin'
 $env:PATH = "$env:PATH$pathSeparator$safeChainBin"
 
@@ -38,6 +40,33 @@ function npm {
     Invoke-WrappedCommand "npm" $args
 }
 
+function pip {
+    Invoke-WrappedCommand "pip" $args
+}
+
+function pip3 {
+    Invoke-WrappedCommand "pip3" $args
+}
+
+function uv {
+    Invoke-WrappedCommand "uv" $args
+}
+
+function poetry {
+    Invoke-WrappedCommand "poetry" $args
+}
+
+# `python -m pip`, `python -m pip3`.
+function python {
+    Invoke-WrappedCommand 'python' $args
+}
+
+# `python3 -m pip`, `python3 -m pip3'.
+function python3 {
+    Invoke-WrappedCommand 'python3' $args
+}
+
+
 function Write-SafeChainWarning {
     param([string]$Command)
     

package/src/shell-integration/startup-scripts/include-python/init-fish.fish

@@ -1,98 +0,0 @@
-set -gx PATH $PATH $HOME/.safe-chain/bin
-
-function npx
-    wrapSafeChainCommand "npx" $argv
-end
-
-function yarn
-    wrapSafeChainCommand "yarn" $argv
-end
-
-function pnpm
-    wrapSafeChainCommand "pnpm" $argv
-end
-
-function pnpx
-    wrapSafeChainCommand "pnpx" $argv
-end
-
-function bun
-    wrapSafeChainCommand "bun" $argv
-end
-
-function bunx
-    wrapSafeChainCommand "bunx" $argv
-end
-
-function npm
-    # If args is just -v or --version and nothing else, just run the `npm -v` command
-    # This is because nvm uses this to check the version of npm
-    set argc (count $argv)
-    if test $argc -eq 1
-        switch $argv[1]
-            case "-v" "--version"
-                command npm $argv
-                return
-        end
-    end
-
-    wrapSafeChainCommand "npm" $argv
-end
-
-
-function pip
-    wrapSafeChainCommand "pip" $argv
-end
-
-function pip3
-    wrapSafeChainCommand "pip3" $argv
-end
-
-function uv
-    wrapSafeChainCommand "uv" $argv
-end
-
-function poetry
-    wrapSafeChainCommand "poetry" $argv
-end
-
-# `python -m pip`, `python -m pip3`.
-function python
-    wrapSafeChainCommand "python" $argv
-end
-
-# `python3 -m pip`, `python3 -m pip3'.
-function python3
-    wrapSafeChainCommand "python3" $argv
-end
-
-function printSafeChainWarning
-    set original_cmd $argv[1]
-    
-    # Fish equivalent of ANSI color codes: yellow background, black text for "Warning:"
-    set_color -b yellow black
-    printf "Warning:"
-    set_color normal
-    printf " safe-chain is not available to protect you from installing malware. %s will run without it.\n" $original_cmd
-    
-    # Cyan text for the install command
-    printf "Install safe-chain by using "
-    set_color cyan
-    printf "npm install -g @aikidosec/safe-chain"
-    set_color normal
-    printf ".\n"
-end
-
-function wrapSafeChainCommand
-    set original_cmd $argv[1]
-    set cmd_args $argv[2..-1]
-
-    if type -q safe-chain
-        # If the safe-chain command is available, just run it with the provided arguments
-        safe-chain $original_cmd $cmd_args
-    else
-        # If the safe-chain command is not available, print a warning and run the original command
-        printSafeChainWarning $original_cmd
-        command $original_cmd $cmd_args
-    end
-end

package/src/shell-integration/startup-scripts/include-python/init-posix.sh

@@ -1,85 +0,0 @@
-export PATH="$PATH:$HOME/.safe-chain/bin"
-
-function npx() {
-  wrapSafeChainCommand "npx" "$@"
-}
-
-function yarn() {
-  wrapSafeChainCommand "yarn" "$@"
-}
-
-function pnpm() {
-  wrapSafeChainCommand "pnpm" "$@"
-}
-
-function pnpx() {
-  wrapSafeChainCommand "pnpx" "$@"
-}
-
-function bun() {
-  wrapSafeChainCommand "bun" "$@"
-}
-
-function bunx() {
-  wrapSafeChainCommand "bunx" "$@"
-}
-
-function npm() {
-  if [[ "$1" == "-v" || "$1" == "--version" ]] && [[ $# -eq 1 ]]; then
-    # If args is just -v or --version and nothing else, just run the npm version command
-    # This is because nvm uses this to check the version of npm
-    command npm "$@"
-    return
-  fi
-
-  wrapSafeChainCommand "npm" "$@"
-}
-
-
-function pip() {
-  wrapSafeChainCommand "pip" "$@"
-}
-
-function pip3() {
-  wrapSafeChainCommand "pip3" "$@"
-}
-
-function uv() {
-  wrapSafeChainCommand "uv" "$@"
-}
-
-function poetry() {
-  wrapSafeChainCommand "poetry" "$@"
-}
-
-# `python -m pip`, `python -m pip3`.
-function python() {
-  wrapSafeChainCommand "python" "$@"
-}
-
-# `python3 -m pip`, `python3 -m pip3'.
-function python3() {
-  wrapSafeChainCommand "python3" "$@"
-}
-
-function printSafeChainWarning() {
-  # \033[43;30m is used to set the background color to yellow and text color to black
-  # \033[0m is used to reset the text formatting
-  printf "\033[43;30mWarning:\033[0m safe-chain is not available to protect you from installing malware. %s will run without it.\n" "$1"
-  # \033[36m is used to set the text color to cyan
-  printf "Install safe-chain by using \033[36mnpm install -g @aikidosec/safe-chain\033[0m.\n"
-}
-
-function wrapSafeChainCommand() {
-  local original_cmd="$1"
-
-  if command -v safe-chain > /dev/null 2>&1; then
-    # If the aikido command is available, just run it with the provided arguments
-    safe-chain "$@"
-  else
-    # If the aikido command is not available, print a warning and run the original command
-    printSafeChainWarning "$original_cmd"
-
-    command "$original_cmd" "$@"
-  fi
-}

package/src/shell-integration/startup-scripts/include-python/init-pwsh.ps1

@@ -1,119 +0,0 @@
-# Use cross-platform path separator (: on Unix, ; on Windows)
-$pathSeparator = if ($IsWindows) { ';' } else { ':' }
-$safeChainBin = Join-Path (Join-Path $HOME '.safe-chain') 'bin'
-$env:PATH = "$env:PATH$pathSeparator$safeChainBin"
-
-function npx {
-    Invoke-WrappedCommand "npx" $args
-}
-
-function yarn {
-    Invoke-WrappedCommand "yarn" $args
-}
-
-function pnpm {
-    Invoke-WrappedCommand "pnpm" $args
-}
-
-function pnpx {
-    Invoke-WrappedCommand "pnpx" $args
-}
-
-function bun {
-    Invoke-WrappedCommand "bun" $args
-}
-
-function bunx {
-    Invoke-WrappedCommand "bunx" $args
-}
-
-function npm {
-    # If args is just -v or --version and nothing else, just run the npm version command
-    # This is because nvm uses this to check the version of npm
-    if (($args.Length -eq 1) -and (($args[0] -eq "-v") -or ($args[0] -eq "--version"))) {
-        Invoke-RealCommand "npm" $args
-        return
-    }
-
-    Invoke-WrappedCommand "npm" $args
-}
-
-function pip {
-    Invoke-WrappedCommand "pip" $args
-}
-
-function pip3 {
-    Invoke-WrappedCommand "pip3" $args
-}
-
-function uv {
-    Invoke-WrappedCommand "uv" $args
-}
-
-function poetry {
-    Invoke-WrappedCommand "poetry" $args
-}
-
-# `python -m pip`, `python -m pip3`.
-function python {
-    Invoke-WrappedCommand 'python' $args
-}
-
-# `python3 -m pip`, `python3 -m pip3'.
-function python3 {
-    Invoke-WrappedCommand 'python3' $args
-}
-
-
-function Write-SafeChainWarning {
-    param([string]$Command)
-    
-    # PowerShell equivalent of ANSI color codes: yellow background, black text for "Warning:"
-    Write-Host "Warning:" -BackgroundColor Yellow -ForegroundColor Black -NoNewline
-    Write-Host " safe-chain is not available to protect you from installing malware. $Command will run without it."
-    
-    # Cyan text for the install command
-    Write-Host "Install safe-chain by using " -NoNewline
-    Write-Host "npm install -g @aikidosec/safe-chain" -ForegroundColor Cyan -NoNewline
-    Write-Host "."
-}
-
-function Test-CommandAvailable {
-    param([string]$Command)
-    
-    try {
-        Get-Command $Command -ErrorAction Stop | Out-Null
-        return $true
-    }
-    catch {
-        return $false
-    }
-}
-
-function Invoke-RealCommand {
-    param(
-        [string]$Command,
-        [string[]]$Arguments
-    )
-    
-    # Find the real executable to avoid calling our wrapped functions
-    $realCommand = Get-Command -Name $Command -CommandType Application | Select-Object -First 1
-    if ($realCommand) {
-        & $realCommand.Source @Arguments
-    }
-}
-
-function Invoke-WrappedCommand {
-    param(
-        [string]$OriginalCmd,
-        [string[]]$Arguments
-    )
-
-    if (Test-CommandAvailable "safe-chain") {
-        & safe-chain $OriginalCmd @Arguments
-    }
-    else {
-        Write-SafeChainWarning $OriginalCmd
-        Invoke-RealCommand $OriginalCmd $Arguments
-    }
-}