@guardinstall/cli 0.1.4 → 0.1.6

package/dist/index.js

@@ -39,7 +39,7 @@ const program = new commander_1.Command();
 program
     .name('guardinstall')
     .description('A kernel-level behavioral sandbox for npm/pnpm/bun install scripts')
-    .version('0.1.3');
+    .version('0.1.6');
 program
     .command('install')
     .description('Run npm install with sandbox protection')

package/dist/installer.js

@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.runPackageManager = void 0;
 const child_process_1 = require("child_process");
 const chalk_1 = __importDefault(require("chalk"));
+const child_process_2 = require("child_process");
 async function runPackageManager(pm, args) {
     const pmMap = {
         npm: 'npm',
@@ -21,16 +22,33 @@ async function runPackageManager(pm, args) {
         // Add --ignore-scripts flag
         args.push('--ignore-scripts');
     }
-    console.log(chalk_1.default.gray(`\n📦 Running: ${command} ${args.join(' ')}\n`));
+    // Remove --ignore-scripts from display (it's expected)
+    const displayArgs = args.filter(a => a !== '--ignore-scripts');
+    console.log(chalk_1.default.gray(`\n📦 Running: ${command} ${displayArgs.join(' ')} (with --ignore-scripts)\n`));
     return new Promise((resolve) => {
+        // Use spawn without shell to avoid npm arborist bug triggered by shell escaping
         const proc = (0, child_process_1.spawn)(command, args, {
             stdio: 'inherit',
-            shell: true
+            shell: false
         });
         let output = '';
         proc.stdout?.on('data', (d) => { output += d.toString(); });
         proc.stderr?.on('data', (d) => { output += d.toString(); });
         proc.on('close', (code) => {
+            // If npm fails with arborist error, try alternative approach
+            if (code !== 0 && command === 'npm') {
+                console.log(chalk_1.default.yellow('\n⚠️  npm encountered an error, trying with --no-audit --no-fund...\n'));
+                try {
+                    // Try running npm without audit/fund which sometimes triggers arborist issues
+                    const fallbackArgs = ['install', '--ignore-scripts', '--no-audit', '--no-fund', ...args.filter(a => a !== 'install' && a !== 'add' && a !== '--ignore-scripts')];
+                    const result = (0, child_process_2.execSync)(`npm ${fallbackArgs.join(' ')}`, { stdio: 'inherit', encoding: 'utf-8' });
+                    resolve({ success: true, output: result || '' });
+                    return;
+                }
+                catch (e) {
+                    // Fallback failed too
+                }
+            }
             resolve({
                 success: code === 0,
                 output

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@guardinstall/cli",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "CLI wrapper for guardinstall - intercepts and sandboxes install scripts",
   "main": "dist/index.js",
   "bin": {
@@ -13,8 +13,8 @@
     "test": "jest"
   },
   "dependencies": {
-    "@guardinstall/policy-engine": "0.1.4",
-    "@guardinstall/sandbox": "0.1.4",
+    "@guardinstall/policy-engine": "0.1.6",
+    "@guardinstall/sandbox": "0.1.6",
     "@npmcli/arborist": "7.5.4",
     "chalk": "4.1.2",
     "commander": "12.1.0"

package/src/index.ts

@@ -13,7 +13,7 @@ const program = new Command()
 program
   .name('guardinstall')
   .description('A kernel-level behavioral sandbox for npm/pnpm/bun install scripts')
-  .version('0.1.3')
+  .version('0.1.6')
 
 program
   .command('install')

package/src/installer.ts

@@ -1,5 +1,6 @@
 import { spawn } from 'child_process'
 import chalk from 'chalk'
+import { execSync } from 'child_process'
 
 export async function runPackageManager(
   pm: string,
@@ -23,12 +24,15 @@ export async function runPackageManager(
     args.push('--ignore-scripts')
   }
 
-  console.log(chalk.gray(`\n📦 Running: ${command} ${args.join(' ')}\n`))
+  // Remove --ignore-scripts from display (it's expected)
+  const displayArgs = args.filter(a => a !== '--ignore-scripts')
+  console.log(chalk.gray(`\n📦 Running: ${command} ${displayArgs.join(' ')} (with --ignore-scripts)\n`))
 
   return new Promise((resolve) => {
+    // Use spawn without shell to avoid npm arborist bug triggered by shell escaping
     const proc = spawn(command, args, {
       stdio: 'inherit',
-      shell: true
+      shell: false
     })
 
     let output = ''
@@ -36,6 +40,20 @@ export async function runPackageManager(
     proc.stderr?.on('data', (d: Buffer) => { output += d.toString() })
 
     proc.on('close', (code) => {
+      // If npm fails with arborist error, try alternative approach
+      if (code !== 0 && command === 'npm') {
+        console.log(chalk.yellow('\n⚠️  npm encountered an error, trying with --no-audit --no-fund...\n'))
+        try {
+          // Try running npm without audit/fund which sometimes triggers arborist issues
+          const fallbackArgs = ['install', '--ignore-scripts', '--no-audit', '--no-fund', ...args.filter(a => a !== 'install' && a !== 'add' && a !== '--ignore-scripts')]
+          const result = execSync(`npm ${fallbackArgs.join(' ')}`, { stdio: 'inherit', encoding: 'utf-8' })
+          resolve({ success: true, output: result || '' })
+          return
+        } catch (e) {
+          // Fallback failed too
+        }
+      }
+      
       resolve({
         success: code === 0,
         output

package/dist/ink-reporter.js

@@ -1,49 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.InkReporter = void 0;
-const react_1 = __importDefault(require("react"));
-const ink_1 = require("ink");
-function InkReporter({ results, verdicts }) {
-    const blocked = verdicts.filter(v => v.severity === 'CRITICAL' || v.severity === 'HIGH');
-    const warned = verdicts.filter(v => v.severity === 'WARN');
-    const clean = results.filter(r => r.events.length === 0);
-    return (<ink_1.Box flexDirection="column">
-      <ink_1.Box borderStyle="bold" borderColor="blue">
-        <ink_1.Text bold blue>  guardinstall — Security Report  </ink_1.Text>
-      </ink_1.Box>
-
-      <ink_1.Newline />
-
-      {blocked.length > 0 && (<ink_1.Box flexDirection="column">
-          <ink_1.Text bold color="red">🚨 BLOCKED ({blocked.length} packages):</ink_1.Text>
-          {blocked.map(v => (<ink_1.Box flexDirection="column" key={v.package}>
-              <ink_1.Text color="red">  ⚠  {v.package}</ink_1.Text>
-              {v.findings.map((f, i) => (<ink_1.Text key={i} color="red">     [{f.severity}] {f.message}</ink_1.Text>))}
-            </ink_1.Box>))}
-          <ink_1.Newline />
-        </ink_1.Box>)}
-
-      {warned.length > 0 && (<ink_1.Box flexDirection="column">
-          <ink_1.Text bold color="yellow">⚠️  WARNINGS ({warned.length} packages):</ink_1.Text>
-          {warned.map(v => (<ink_1.Box flexDirection="column" key={v.package}>
-              <ink_1.Text color="yellow">  {v.package}</ink_1.Text>
-              {v.findings.map((f, i) => (<ink_1.Text key={i} color="yellow">     [{f.severity}] {f.message}</ink_1.Text>))}
-            </ink_1.Box>))}
-          <ink_1.Newline />
-        </ink_1.Box>)}
-
-      {clean.length > 0 && (<ink_1.Box flexDirection="column">
-          <ink_1.Text bold color="green">✓ CLEAN ({clean.length} packages):</ink_1.Text>
-          {clean.map(r => (<ink_1.Text key={r.package} color="green">  ✓ {r.package}</ink_1.Text>))}
-          <ink_1.Newline />
-        </ink_1.Box>)}
-
-      <ink_1.Box borderStyle="bold" borderColor="blue">
-        <ink_1.Text bold blue>  End of Report  </ink_1.Text>
-      </ink_1.Box>
-    </ink_1.Box>);
-}
-exports.InkReporter = InkReporter;