Exit installation instead of prompting the user

packages/safe-chain/src/scanning/index.js

@@ -4,6 +4,7 @@ import { setTimeout } from "timers/promises";
 import chalk from "chalk";
 import { getPackageManager } from "../packagemanager/currentPackageManager.js";
 import { ui } from "../environment/userInteraction.js";
+import { getMalwareAction, MALWARE_ACTION_PROMPT } from "../config/settings.js";
 
 export function shouldScanCommand(args) {
   if (!args || args.length === 0) {
@@ -59,10 +60,7 @@ export async function scanCommand(args) {
     spinner.succeed("No malicious packages detected.");
   } else {
     printMaliciousChanges(audit.disallowedChanges, spinner);
-    await acceptRiskOrExit(
-      "Do you want to continue with the installation despite the risks?",
-      false
-    );
+    await onMalwareFound();
   }
 }
 
@@ -74,19 +72,23 @@ function printMaliciousChanges(changes, spinner) {
   }
 }
 
-async function acceptRiskOrExit(message, defaultValue) {
+async function onMalwareFound() {
   ui.emptyLine();
-  const continueInstall = await ui.confirm({
-    message: message,
-    default: defaultValue,
-  });
 
-  if (continueInstall) {
-    ui.writeInformation("Continuing with the installation...");
-    return;
+  if (getMalwareAction() === MALWARE_ACTION_PROMPT) {
+    const continueInstall = await ui.confirm({
+      message:
+        "Malicious packages were found. Do you want to continue with the installation?",
+      default: false,
+    });
+
+    if (continueInstall) {
+      ui.writeWarning("Continuing with the installation despite the risks...");
+      return;
+    }
   }
 
-  ui.writeInformation("Exiting without installing packages.");
+  ui.writeError("Exiting without installing malicious packages.");
   ui.emptyLine();
   process.exit(1);
 }

packages/safe-chain/src/scanning/index.scanCommand.spec.js

@@ -1,6 +1,10 @@
 import assert from "node:assert/strict";
 import { describe, it, mock } from "node:test";
 import { setTimeout } from "node:timers/promises";
+import {
+  MALWARE_ACTION_PROMPT,
+  MALWARE_ACTION_BLOCK,
+} from "../config/settings.js";
 
 describe("scanCommand", async () => {
   const getScanTimeoutMock = mock.fn(() => 1000);
@@ -11,6 +15,7 @@ describe("scanCommand", async () => {
     fail: () => {},
   }));
   const mockConfirm = mock.fn(() => true);
+  let malwareAction = MALWARE_ACTION_PROMPT;
 
   // import { getPackageManager } from "../packagemanager/currentPackageManager.js";
   mock.module("../packagemanager/currentPackageManager.js", {
@@ -46,6 +51,14 @@ describe("scanCommand", async () => {
     },
   });
 
+  mock.module("../config/settings.js", {
+    namedExports: {
+      getMalwareAction: () => malwareAction,
+      MALWARE_ACTION_PROMPT,
+      MALWARE_ACTION_BLOCK,
+    },
+  });
+
   // import { auditChanges, MAX_LENGTH_EXCEEDED } from "./audit/index.js";
   mock.module("./audit/index.js", {
     namedExports: {
@@ -177,4 +190,99 @@ describe("scanCommand", async () => {
     assert.equal(failureMessage.toLowerCase().includes("timeout"), false);
     assert.equal(failureMessage.toLowerCase().includes("malicious"), true);
   });
+
+  it("should exit immediately when malicious changes are detected in block mode", async () => {
+    // Set malware action to block mode for this test
+    malwareAction = MALWARE_ACTION_BLOCK;
+    
+    // Reset mock call count
+    mockConfirm.mock.resetCalls();
+    
+    let failureMessageWasSet = false;
+    let exitCode = null;
+    
+    mockStartProcess.mock.mockImplementationOnce(() => ({
+      setText: () => {},
+      succeed: () => {},
+      fail: () => {
+        failureMessageWasSet = true;
+      },
+    }));
+    
+    mockGetDependencyUpdatesForCommand.mock.mockImplementation(() => [
+      { name: "malicious", version: "1.0.0" },
+    ]);
+
+    // Mock process.exit
+    const originalExit = process.exit;
+    process.exit = mock.fn((code) => {
+      exitCode = code;
+      throw new Error("Process exit called"); // Prevent actual exit
+    });
+
+    try {
+      await assert.rejects(
+        scanCommand(["install", "malicious"]),
+        /Process exit called/
+      );
+    } finally {
+      // Restore original process.exit
+      process.exit = originalExit;
+      // Reset malware action back to prompt mode for other tests
+      malwareAction = MALWARE_ACTION_PROMPT;
+    }
+
+    assert.equal(failureMessageWasSet, true);
+    assert.equal(exitCode, 1);
+    // Confirm should not have been called in block mode
+    assert.equal(mockConfirm.mock.callCount(), 0);
+  });
+
+  it("should exit immediately when malicious changes are detected in block mode without prompting", async () => {
+    // Set malware action to block mode for this test
+    malwareAction = MALWARE_ACTION_BLOCK;
+    
+    // Reset mock call count
+    mockConfirm.mock.resetCalls();
+    
+    let processExited = false;
+    let userWasPrompted = false;
+    
+    mockStartProcess.mock.mockImplementationOnce(() => ({
+      setText: () => {},
+      succeed: () => {},
+      fail: () => {},
+    }));
+    
+    mockGetDependencyUpdatesForCommand.mock.mockImplementation(() => [
+      { name: "malicious", version: "1.0.0" },
+    ]);
+
+    mockConfirm.mock.mockImplementationOnce(() => {
+      userWasPrompted = true;
+      return false;
+    });
+
+    // Mock process.exit
+    const originalExit = process.exit;
+    process.exit = mock.fn(() => {
+      processExited = true;
+      throw new Error("Process exit called"); // Prevent actual exit
+    });
+
+    try {
+      await assert.rejects(
+        scanCommand(["install", "malicious"]),
+        /Process exit called/
+      );
+    } finally {
+      // Restore original process.exit
+      process.exit = originalExit;
+      // Reset malware action back to prompt mode for other tests
+      malwareAction = MALWARE_ACTION_PROMPT;
+    }
+
+    assert.equal(processExited, true);
+    assert.equal(userWasPrompted, false);
+  });
 });