@westbayberry/dg 1.1.5 → 1.2.1
- package/dist/index.mjs +983 -618
- package/dist/postinstall.mjs +38 -13
- package/dist/python-hook/dg_pip_hook.py +15 -1
- package/package.json +2 -2
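--- a/package/dist/postinstall.mjs
+++ b/package/dist/postinstall.mjs
@@ -111,16 +111,29 @@ var ECOSYSTEMS = [
 "mamba"
 ];
 var UNIX_SHIM_BODY = `#!/bin/sh
+nonce=$(cat "$HOME/.dg/state/shim-nonce" 2>/dev/null)
 if [ -n "\${DG_SHIM_ACTIVE:-}" ]; then
 cleaned_path=$(printf '%s' "$PATH" | awk -v RS=':' -v ORS=':' '$0 != ENVIRON["HOME"]"/.dg/shims"' | sed 's/:$//')
-
-
-
+# Only honor DG_SHIM_ACTIVE as the recursion guard when it equals the
+# on-disk nonce \u2014 that is the value our own wrapper sets before running the
+# real installer. A non-matching value was set outside dg (stale or a
+# bypass attempt) and must NOT skip scanning.
+if [ -n "$nonce" ] && [ "$DG_SHIM_ACTIVE" = "$nonce" ]; then
+real_bin=$(PATH="$cleaned_path" command -v __ECOSYSTEM__)
+if [ -n "$real_bin" ]; then
+exec "$real_bin" "$@"
+fi
+echo "dg: real __ECOSYSTEM__ not found on PATH" >&2
+exit 127
+fi
+if [ -z "$nonce" ]; then
+echo "dg: shim nonce missing (reinstall dg) \u2014 cannot verify; passing through __ECOSYSTEM__ UNSCANNED." >&2
+real_bin=$(PATH="$cleaned_path" command -v __ECOSYSTEM__)
+if [ -n "$real_bin" ]; then exec "$real_bin" "$@"; fi
+exit 127
 fi
-echo "dg:
-exit 127
+echo "dg: ignoring externally-set DG_SHIM_ACTIVE (nonce mismatch); scanning __ECOSYSTEM__." >&2
 fi
-nonce=$(cat "$HOME/.dg/state/shim-nonce" 2>/dev/null)
 dg_entry=$(cat "$HOME/.dg/state/dg-entry" 2>/dev/null)
 if [ -n "$dg_entry" ] && [ -x "$dg_entry" ]; then
 DG_SHIM_ACTIVE="$nonce" DG_SHIM_PARENT_PATH="$PATH" exec "$dg_entry" __wrap __ECOSYSTEM__ "$@"
@@ -140,6 +153,8 @@ exit 127
 `;
 var WINDOWS_SHIM_BODY = `@echo off
 setlocal enabledelayedexpansion
+set "DG_SHIM_NONCE="
+if exist "%USERPROFILE%\\.dg\\state\\shim-nonce" set /p DG_SHIM_NONCE=<"%USERPROFILE%\\.dg\\state\\shim-nonce"
 if not "%DG_SHIM_ACTIVE%"=="" (
 set "_dg_realpath="
 for /f "tokens=*" %%i in ('where __ECOSYSTEM__ 2^>nul') do (
@@ -147,15 +162,25 @@ if not "%DG_SHIM_ACTIVE%"=="" (
 if not defined _dg_realpath set "_dg_realpath=%%i"
 )
 )
-
-
-
+rem Only honor DG_SHIM_ACTIVE as the recursion guard when it equals the nonce.
+if "%DG_SHIM_ACTIVE%"=="!DG_SHIM_NONCE!" (
+if defined _dg_realpath (
+"!_dg_realpath!" %*
+exit /b !errorlevel!
+)
+echo dg: real __ECOSYSTEM__ not found on PATH 1>&2
+exit /b 127
+)
+if "!DG_SHIM_NONCE!"=="" (
+echo dg: shim nonce missing ^(reinstall dg^) -- passing through __ECOSYSTEM__ UNSCANNED. 1>&2
+if defined _dg_realpath (
+"!_dg_realpath!" %*
+exit /b !errorlevel!
+)
+exit /b 127
 )
-echo dg:
-exit /b 127
+echo dg: ignoring externally-set DG_SHIM_ACTIVE ^(nonce mismatch^); scanning __ECOSYSTEM__. 1>&2
 )
-set "DG_SHIM_NONCE="
-if exist "%USERPROFILE%\\.dg\\state\\shim-nonce" set /p DG_SHIM_NONCE=<"%USERPROFILE%\\.dg\\state\\shim-nonce"
 set "DG_ENTRY="
 if exist "%USERPROFILE%\\.dg\\state\\dg-entry" set /p DG_ENTRY=<"%USERPROFILE%\\.dg\\state\\dg-entry"
 set "DG_SHIM_ACTIVE=!DG_SHIM_NONCE!"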
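Review bot: The `if [ -z "$nonce" ]` branch in the Unix shim (new lines 129–133) and the matching `if "!DG_SHIM_NONCE!"==""` branch in the Windows shim (new lines 174–180) fail open: with any non-empty DG_SHIM_ACTIVE and a missing or unreadable `shim-nonce` file, the real installer runs unscanned and the only signal is one stderr line. The nonce sits under the user's home directory, so presumably any process running as that user can read or remove it; the comparison therefore separates dg's own re-entry from stale or accidental values rather than from a same-user process, and the comment's "bypass attempt" wording should say so. I would fail closed here, e.g. `echo "dg: shim nonce missing (reinstall dg); refusing to run __ECOSYSTEM__ unscanned." >&2` followed by `exit 1`, or, if pass-through is a deliberate availability choice, record that decision in a comment next to the branch. Both shim templates continue outside the hunks shown.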
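--- a/package/dist/python-hook/dg_pip_hook.py
+++ b/package/dist/python-hook/dg_pip_hook.py
@@ -32,10 +32,24 @@ def _build_dg_wrapped_run(orig_run):
 
 os.environ["DG_PIP_HOOK_ACTIVE"] = "1"
 try:
-
+# Resolve the absolute dg-entry rather than a bare "dg" on PATH:
+# a PATH entry ahead of the real dg would otherwise intercept every
+# hooked install. Fall back to "dg" only if the entry isn't usable.
+dg_cmd = "dg"
+try:
+entry_path = os.path.join(os.path.expanduser("~"), ".dg", "state", "dg-entry")
+if sys.platform != "win32" and os.path.isfile(entry_path):
+with open(entry_path, "r") as fh:
+candidate = fh.read().strip()
+if candidate and os.access(candidate, os.X_OK):
+dg_cmd = candidate
+except Exception:
+dg_cmd = "dg"
+cmd = [dg_cmd, "__wrap", "pip-hook", "--"] + list(sys.argv[1:])
 try:
 proc = subprocess.run(cmd)
 except FileNotFoundError:
+sys.stderr.write("dg: scanner not found; pip install proceeding UNSCANNED.\n")
 return orig_run(self, options, args)
 if proc.returncode != 0:
 return proc.returncode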
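Review bot: The value read from `~/.dg/state/dg-entry` is executed after only `os.access(candidate, os.X_OK)`, which is also true for directories and for relative paths resolved against the current working directory, so the "absolute dg-entry" promised by the comment is not enforced. Tighten the guard to `if candidate and os.path.isabs(candidate) and os.path.isfile(candidate) and os.access(candidate, os.X_OK):`. The silent fallbacks (`except Exception`, the win32 case, an unusable entry) go back to a bare `"dg"` on PATH, which is the lookup the comment warns about, so a stderr warning on that path would make the downgrade visible. `_build_dg_wrapped_run` starts and ends outside the hunk, so how the outer `try` handles other errors from `subprocess.run` (for example `PermissionError`) cannot be judged from here.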
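--- a/package/package.json
+++ b/package/package.json
@@ -1,8 +1,8 @@
 {
 "name": "@westbayberry/dg",
-"version": "1.1
+"version": "1.2.1",
 "type": "module",
-"description": "Supply chain security scanner for npm and Python dependencies
+"description": "Supply chain security scanner for npm and Python dependencies",
 "bin": {
 "dependency-guardian": "dist/index.mjs",
 "dg": "dist/index.mjs"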