milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Only allow wildcards for scoped packages (@scope/*)

Browse source
This commit is contained in:
Sander Declerck 2026-01-15 15:13:00 +01:00
parent 2d609066c8
commit 20cc62d6e1
No known key found for this signature in database
3 changed files with 4 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -214,16 +214,16 @@ You can set the minimum package age through multiple sources (in order of priori
### Excluding Packages
Exclude trusted packages from minimum age filtering via environment variable or config file (both are merged). Supports wildcard patterns with trailing `*`:
Exclude trusted packages from minimum age filtering via environment variable or config file (both are merged). Use `@scope/*` to trust all packages from an organization:
```shell
export SAFE_CHAIN_NPM_MINIMUM_PACKAGE_AGE_EXCLUSIONS="@aikidosec/*,react-*,lodash"
export SAFE_CHAIN_NPM_MINIMUM_PACKAGE_AGE_EXCLUSIONS="@aikidosec/*"
```
```json
{
"npm": {
"minimumPackageAgeExclusions": ["@aikidosec/*", "react-*", "lodash"]
"minimumPackageAgeExclusions": ["@aikidosec/*"]
}
}
```

2
packages/safe-chain/src/registryProxy/interceptors/npm/modifyNpmInfo.js
View file

@ -196,7 +196,7 @@ export function getHasSuppressedVersions() {
* @returns {boolean}
*/
function matchesExclusionPattern(packageName, pattern) {
if (pattern.endsWith("*")) {
if (pattern.endsWith("/*")) {
return packageName.startsWith(pattern.slice(0, -1));
}
return packageName === pattern;

26
packages/safe-chain/src/registryProxy/interceptors/npm/npmInterceptor.minPackageAge.spec.js
View file

@ -509,32 +509,6 @@ describe("npmInterceptor minimum package age", async () => {
assert.ok(Object.keys(modifiedJson.versions).includes("2.0.0"));
});
it("Should exclude packages matching wildcard pattern prefix-*", async () => {
minimumPackageAgeSettings = 5;
skipMinimumPackageAgeSetting = false;
minimumPackageAgeExclusionsSetting = ["react-*"];
const packageUrl = "https://registry.npmjs.org/react-dom";
const originalBody = JSON.stringify({
name: "react-dom",
["dist-tags"]: { latest: "18.0.0" },
versions: { ["17.0.0"]: {}, ["18.0.0"]: {} },
time: {
created: getDate(-365 * 24),
modified: getDate(-1),
["17.0.0"]: getDate(-100),
["18.0.0"]: getDate(-1), // Would normally be filtered
},
});
const modifiedBody = await runModifyNpmInfoRequest(packageUrl, originalBody);
const modifiedJson = JSON.parse(modifiedBody);
// All versions should remain since react-* matches react-dom
assert.equal(Object.keys(modifiedJson.versions).length, 2);
});
it("Should NOT exclude packages that don't match wildcard pattern", async () => {
minimumPackageAgeSettings = 5;
skipMinimumPackageAgeSetting = false;