npm - @aikidosec/safe-chain - Versions diffs - 1.5.0 → 1.5.2 - Mend

@aikidosec/safe-chain 1.5.0 → 1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +15 -1
package/npm-shrinkwrap.json +1 -1
package/package.json +1 -1
package/src/registryProxy/registryProxy.js +6 -3
package/src/scanning/malwareDatabase.js +41 -38
package/src/scanning/newPackagesListCache.js +16 -19

package/README.md CHANGED Viewed

@@ -10,6 +10,14 @@
 - ✅ **Blocks packages newer than 48 hours** without breaking your build
 - ✅ **Tokenless, free, no build data shared**
+## Need protection beyond npm & PyPI?
+[Aikido Endpoint](https://www.aikido.dev/protect/endpoint-protection?utm_source=github.com&utm_medium=referral&utm_campaign=safechain) builds on Safe Chain, extending package and extension security across more ecosystems: **npm**, **PyPI**, **Maven**, **NuGet**, **VS Code**, **Open VSX** - (Cursor, Windsurf, Kiro, Vs Codium, ...), **Chrome extensions**, **Skills.sh AI skills** and more.
+Get centralized policy management, request-and-approval workflows, and visibility across every developer workstation in your org. Powered by the same Aikido Intel feed. Deploy it manually or manage it through your MDM tool (Jamf, Fleet, or Iru).
+---
 Aikido Safe Chain supports the following package managers:
 - 📦 **npm**
@@ -282,6 +290,12 @@ You can set custom registries through environment variable or config file. Both
    }
    ```
+## PYPI Configuration File
+If you rely on a `pip.conf` file for pip configuration you must point pip at it explicitly via the `PIP_CONFIG_FILE` environment variable so Safe Chain can merge it.
+Safe Chain runs pip behind its MITM proxy and writes a temporary pip configuration file to inject its certificate and proxy settings. When `PIP_CONFIG_FILE` is set, Safe Chain merges its settings into a copy of your file (your original file is never modified) so your `index-url`, credentials, and other options are preserved. When `PIP_CONFIG_FILE` is not set, pip's user-level config (e.g. `~/.config/pip/pip.conf`) might be overridden by Safe Chain's temporary file and your settings will not be picked up.
 ## Malware List Base URL
 Configure Safe Chain to fetch malware databases and new packages lists from a custom mirror URL. This allows you to host your own copy of the Aikido malware database.
@@ -463,7 +477,7 @@ steps:
       name: Install
       script:
         - curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
-        - export PATH=~/.safe-chain/shims:$PATH
+        - export PATH=~/.safe-chain/shims:~/.safe-chain/bin:$PATH
         - npm ci
 ```

package/npm-shrinkwrap.json CHANGED Viewed

@@ -3112,7 +3112,7 @@
     },
     "packages/safe-chain": {
       "name": "@aikidosec/safe-chain",
-      "version": "1.5.0",
+      "version": "1.5.2",
       "license": "AGPL-3.0-or-later",
       "dependencies": {
         "certifi": "14.5.15",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.5.0",
+  "version": "1.5.2",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",

package/src/registryProxy/registryProxy.js CHANGED Viewed

@@ -42,7 +42,7 @@ function getSafeChainProxyEnvironmentVariables() {
     return {};
   }
-  const proxyUrl = `http://localhost:${state.port}`;
+  const proxyUrl = `http://127.0.0.1:${state.port}`;
   const caCertPath = getCombinedCaBundlePath();
   return {
@@ -95,8 +95,11 @@ function createProxyServer() {
  */
 function startServer(server) {
   return new Promise((resolve, reject) => {
-    // Passing port 0 makes the OS assign an available port
-    server.listen(0, () => {
+    // Bind to loopback only. Without an explicit host, Node listens on every
+    // interface, turning the proxy into an unauthenticated forward proxy that
+    // anyone reachable on the network can use to hit the victim's localhost,
+    // intranet, or cloud metadata endpoints. Port 0 lets the OS pick a port.
+    server.listen(0, "127.0.0.1", () => {
       const address = server.address();
       if (address && typeof address === "object") {
         state.port = address.port;

package/src/scanning/malwareDatabase.js CHANGED Viewed

@@ -15,8 +15,12 @@ import { getEcoSystem, ECOSYSTEM_PY } from "../config/settings.js";
  * @property {function(string, string): boolean} isMalware
  */
-/** @type {MalwareDatabase | null} */
-let cachedMalwareDatabase = null;
+// Caching the Promise (rather than the resolved database) prevents duplicate fetches. If we cached the resolved
+// value, multiple callers could pass the null-check before the first fetch completes (because each `await` yields
+// control back to the event loop, allowing other callers to run). Since the Promise assignment is synchronous, all
+// concurrent callers see it immediately and share a single fetch.
+/** @type {Promise<MalwareDatabase> | null} */
+let cachedMalwareDatabasePromise = null;
 /**
  * Normalize package name for comparison.
@@ -34,45 +38,44 @@ function normalizePackageName(name) {
   return name;
 }
-export async function openMalwareDatabase() {
-  if (cachedMalwareDatabase) {
-    return cachedMalwareDatabase;
-  }
-  const malwareDatabase = await getMalwareDatabase();
-  /**
-   * @param {string} name
-   * @param {string} version
-   * @returns {string}
-   */
-  function getPackageStatus(name, version) {
-    const normalizedName = normalizePackageName(name);
-    const packageData = malwareDatabase.find(
-      (pkg) => {
-        const normalizedPkgName = normalizePackageName(pkg.package_name);
-        return normalizedPkgName === normalizedName &&
-          (pkg.version === version || pkg.version === "*");
+export function openMalwareDatabase() {
+  if (!cachedMalwareDatabasePromise) {
+    cachedMalwareDatabasePromise = getMalwareDatabase().then((malwareDatabase) => {
+      /**
+       * @param {string} name
+       * @param {string} version
+       * @returns {string}
+       */
+      function getPackageStatus(name, version) {
+        const normalizedName = normalizePackageName(name);
+        const packageData = malwareDatabase.find(
+          (pkg) => {
+            const normalizedPkgName = normalizePackageName(pkg.package_name);
+            return normalizedPkgName === normalizedName &&
+              (pkg.version === version || pkg.version === "*");
+          }
+        );
+        if (!packageData) {
+          return MALWARE_STATUS_OK;
+        }
+        return packageData.reason;
       }
-    );
-    if (!packageData) {
-      return MALWARE_STATUS_OK;
-    }
-    return packageData.reason;
+      return {
+        getPackageStatus,
+        isMalware: (/** @type {string} */ name, /** @type {string} */ version) => {
+          const status = getPackageStatus(name, version);
+          return isMalwareStatus(status);
+        },
+      };
+    }).catch((error) => {
+      cachedMalwareDatabasePromise = null;
+      throw error;
+    });
   }
-  // This implicitly caches the malware database
-  //  that's closed over by the getPackageStatus function
-  cachedMalwareDatabase = {
-    getPackageStatus,
-    isMalware: (name, version) => {
-      const status = getPackageStatus(name, version);
-      return isMalwareStatus(status);
-    },
-  };
-  return cachedMalwareDatabase;
+  return cachedMalwareDatabasePromise;
 }
 /**

package/src/scanning/newPackagesListCache.js CHANGED Viewed

@@ -16,30 +16,27 @@ import { warnOnceAboutUnavailableDatabase } from "./newPackagesDatabaseWarnings.
  */
 // Shared per-process cache to avoid rebuilding the same feed-backed database on each request.
-/** @type {NewPackagesDatabase | null} */
-let cachedNewPackagesDatabase = null;
+// Caching the Promise (rather than the resolved database) prevents duplicate fetches. If we cached the resolved
+// value, multiple callers could pass the null-check before the first fetch completes (because each `await` yields
+// control back to the event loop, allowing other callers to run). Since the Promise assignment is synchronous, all
+// concurrent callers see it immediately and share a single fetch.
+/** @type {Promise<NewPackagesDatabase> | null} */
+let cachedNewPackagesDatabasePromise = null;
 /**
  * @returns {Promise<NewPackagesDatabase>}
  */
-export async function openNewPackagesDatabase() {
-  if (cachedNewPackagesDatabase) {
-    return cachedNewPackagesDatabase;
+export function openNewPackagesDatabase() {
+  if (!cachedNewPackagesDatabasePromise) {
+    cachedNewPackagesDatabasePromise = getNewPackagesList()
+      .then((newPackagesList) => buildNewPackagesDatabase(newPackagesList))
+      .catch((/** @type {any} */ error) => {
+        warnOnceAboutUnavailableDatabase(error);
+        cachedNewPackagesDatabasePromise = null;
+        return { isNewlyReleasedPackage: () => false };
+      });
   }
-  /** @type {import("../api/aikido.js").NewPackageEntry[]} */
-  let newPackagesList;
-  try {
-    newPackagesList = await getNewPackagesList();
-  } catch (/** @type {any} */ error) {
-    warnOnceAboutUnavailableDatabase(error);
-    cachedNewPackagesDatabase = { isNewlyReleasedPackage: () => false };
-    return cachedNewPackagesDatabase;
-  }
-  cachedNewPackagesDatabase = buildNewPackagesDatabase(newPackagesList);
-  return cachedNewPackagesDatabase;
+  return cachedNewPackagesDatabasePromise;
 }
 /**