Merge remote-tracking branch 'origin/main' into pip-custom-registries

packages/safe-chain/src/config/cliArguments.js

@@ -1,11 +1,12 @@
+import { ui } from "../environment/userInteraction.js";
+
 /**
- * @type {{loggingLevel: string | undefined, skipMinimumPackageAge: boolean | undefined, minimumPackageAgeHours: string | undefined, includePython: boolean}}
+ * @type {{loggingLevel: string | undefined, skipMinimumPackageAge: boolean | undefined, minimumPackageAgeHours: string | undefined}}
  */
 const state = {
   loggingLevel: undefined,
   skipMinimumPackageAge: undefined,
   minimumPackageAgeHours: undefined,
-  includePython: false,
 };
 
 const SAFE_CHAIN_ARG_PREFIX = "--safe-chain-";
@@ -34,8 +35,7 @@ export function initializeCliArguments(args) {
   setLoggingLevel(safeChainArgs);
   setSkipMinimumPackageAge(safeChainArgs);
   setMinimumPackageAgeHours(safeChainArgs);
-  setIncludePython(args);
-
+  checkDeprecatedPythonFlag(args);
   return remainingArgs;
 }
 
@@ -109,20 +109,6 @@ export function getMinimumPackageAgeHours() {
   return state.minimumPackageAgeHours;
 }
 
-/**
- * @param {string[]} args
- */
-function setIncludePython(args) {
-  // This flag doesn't have the --safe-chain- prefix because
-  // it is only used for the safe-chain command itself and
-  // not when wrapped around package manager commands.
-  state.includePython = hasFlagArg(args, "--include-python");
-}
-
-export function includePython() {
-  return state.includePython;
-}
-
 /**
  * @param {string[]} args
  * @param {string} flagName
@@ -136,3 +122,17 @@ function hasFlagArg(args, flagName) {
   }
   return false;
 }
+
+/**
+ * Emits a deprecation warning for legacy --include-python flag
+ *
+ * @param {string[]} args
+ * @returns {void}
+ */
+export function checkDeprecatedPythonFlag(args) {
+  if (hasFlagArg(args, "--include-python")) {
+    ui.writeWarning(
+      "--include-python is deprecated and ignored. Python tooling is included by default."
+    );
+  }
+}

packages/safe-chain/src/config/cliArguments.spec.js

@@ -6,6 +6,7 @@ import {
   getSkipMinimumPackageAge,
   getMinimumPackageAgeHours,
 } from "./cliArguments.js";
+import { ui } from "../environment/userInteraction.js";
 
 describe("initializeCliArguments", () => {
   it("should return all args when no safe-chain args are present", () => {
@@ -271,4 +272,40 @@ describe("initializeCliArguments", () => {
 
     assert.strictEqual(getMinimumPackageAgeHours(), "-24");
   });
+
+  it("should warn on deprecated --include-python for setup", () => {
+    const warnings = [];
+    const originalWriteWarning = ui.writeWarning;
+    ui.writeWarning = (msg, ..._rest) => {
+      warnings.push(String(msg));
+    };
+    try {
+      const argv = ["node", "safe-chain", "setup", "--include-python"];
+      initializeCliArguments(argv);
+      assert.ok(
+        warnings.some((m) => m.includes("--include-python is deprecated")),
+        "Expected a deprecation warning for --include-python in setup"
+      );
+    } finally {
+      ui.writeWarning = originalWriteWarning;
+    }
+  });
+
+  it("should warn on deprecated --include-python for setup-ci", () => {
+    const warnings = [];
+    const originalWriteWarning = ui.writeWarning;
+    ui.writeWarning = (msg, ..._rest) => {
+      warnings.push(String(msg));
+    };
+    try {
+      const argv = ["node", "safe-chain", "setup-ci", "--include-python"];
+      initializeCliArguments(argv);
+      assert.ok(
+        warnings.some((m) => m.includes("--include-python is deprecated")),
+        "Expected a deprecation warning for --include-python in setup-ci"
+      );
+    } finally {
+      ui.writeWarning = originalWriteWarning;
+    }
+  });
 });

packages/safe-chain/src/config/configFile.js

@@ -7,10 +7,14 @@ import { getEcoSystem } from "./settings.js";
 /**
  * @typedef {Object} SafeChainConfig
  *
- * This should be a number, but can be anything because it is user-input.
+ * We cannot trust the input and should add the necessary validations
+ * @property {unknown | Number} scanTimeout
+ * @property {unknown | Number} minimumPackageAgeHours
+ * @property {unknown | SafeChainRegistryConfiguration} npm
+ *
+ * @typedef {Object} SafeChainRegistryConfiguration
  * We cannot trust the input and should add the necessary validations.
- * @property {unknown} scanTimeout
- * @property {unknown} minimumPackageAgeHours
+ * @property {unknown | string[]} customRegistries
  */
 
 /**
@@ -67,7 +71,7 @@ function validateMinimumPackageAgeHours(value) {
  */
 export function getMinimumPackageAgeHours() {
   const config = readConfigFile();
-  if (config.minimumPackageAgeHours) {
+  if (config.minimumPackageAgeHours !== undefined) {
     const validated = validateMinimumPackageAgeHours(
       config.minimumPackageAgeHours
     );
@@ -78,6 +82,28 @@ export function getMinimumPackageAgeHours() {
   return undefined;
 }
 
+/**
+ * Gets the custom npm registries from the config file (format parsing only, no validation)
+ * @returns {string[]}
+ */
+export function getNpmCustomRegistries() {
+  const config = readConfigFile();
+
+  if (!config || !config.npm) {
+    return [];
+  }
+
+  // TypeScript needs help understanding that config.npm exists and has customRegistries
+  const npmConfig = /** @type {SafeChainRegistryConfiguration} */ (config.npm);
+  const customRegistries = npmConfig.customRegistries;
+
+  if (!Array.isArray(customRegistries)) {
+    return [];
+  }
+
+  return customRegistries.filter((item) => typeof item === "string");
+}
+
 /**
  * @param {import("../api/aikido.js").MalwarePackage[]} data
  * @param {string | number} version
@@ -136,23 +162,26 @@ export function readDatabaseFromLocalCache() {
  * @returns {SafeChainConfig}
  */
 function readConfigFile() {
+  /** @type {SafeChainConfig} */
+  const emptyConfig = {
+    scanTimeout: undefined,
+    minimumPackageAgeHours: undefined,
+    npm: {
+      customRegistries: undefined,
+    },
+  };
+
   const configFilePath = getConfigFilePath();
 
   if (!fs.existsSync(configFilePath)) {
-    return {
-      scanTimeout: undefined,
-      minimumPackageAgeHours: undefined,
-    };
+    return emptyConfig;
   }
 
   try {
     const data = fs.readFileSync(configFilePath, "utf8");
     return JSON.parse(data);
   } catch {
-    return {
-      scanTimeout: undefined,
-      minimumPackageAgeHours: undefined,
-    };
+    return emptyConfig;
   }
 }
 

packages/safe-chain/src/config/configFile.spec.js

@@ -1,32 +1,24 @@
 import { describe, it, beforeEach, afterEach, mock } from "node:test";
 import assert from "node:assert";
 
-describe("getScanTimeout", () => {
+let configFileContent = undefined;
+mock.module("fs", {
+  namedExports: {
+    existsSync: () => configFileContent !== undefined,
+    readFileSync: () => configFileContent,
+    writeFileSync: (content) => (configFileContent = content),
+    mkdirSync: () => {},
+  },
+});
+
+describe("getScanTimeout", async () => {
   let originalEnv;
-  let fsMock;
-  let getScanTimeout;
+
+  const { getScanTimeout } = await import("./configFile.js");
 
   beforeEach(async () => {
     // Save original environment
     originalEnv = process.env.AIKIDO_SCAN_TIMEOUT_MS;
-
-    // Mock fs module
-    fsMock = {
-      existsSync: mock.fn(() => false),
-      readFileSync: mock.fn(() => "{}"),
-      writeFileSync: mock.fn(),
-      mkdirSync: mock.fn(),
-    };
-
-    mock.module("fs", {
-      namedExports: fsMock,
-    });
-
-    // Re-import the module to get the mocked version
-    const configFileModule = await import(
-      `./configFile.js?update=${Date.now()}`
-    );
-    getScanTimeout = configFileModule.getScanTimeout;
   });
 
   afterEach(() => {
@@ -37,14 +29,12 @@ describe("getScanTimeout", () => {
       delete process.env.AIKIDO_SCAN_TIMEOUT_MS;
     }
 
-    // Reset all mocks
-    mock.restoreAll();
+    configFileContent = undefined;
   });
 
   it("should return default timeout of 10000ms when no config or env var is set", () => {
     delete process.env.AIKIDO_SCAN_TIMEOUT_MS;
-    // Mock: config file doesn't exist
-    fsMock.existsSync.mock.mockImplementation(() => false);
+    configFileContent = undefined;
 
     const timeout = getScanTimeout();
 
@@ -53,11 +43,7 @@ describe("getScanTimeout", () => {
 
   it("should return timeout from config file when set", () => {
     delete process.env.AIKIDO_SCAN_TIMEOUT_MS;
-    // Mock: config file exists with scanTimeout: 5000
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ scanTimeout: 5000 })
-    );
+    configFileContent = JSON.stringify({ scanTimeout: 5000 });
 
     const timeout = getScanTimeout();
 
@@ -66,11 +52,7 @@ describe("getScanTimeout", () => {
 
   it("should prioritize environment variable over config file", () => {
     process.env.AIKIDO_SCAN_TIMEOUT_MS = "20000";
-    // Mock: config file exists with scanTimeout: 5000
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ scanTimeout: 5000 })
-    );
+    configFileContent = JSON.stringify({ scanTimeout: 5000 });
 
     const timeout = getScanTimeout();
 
@@ -79,11 +61,7 @@ describe("getScanTimeout", () => {
 
   it("should handle invalid environment variable and fall back to config", () => {
     process.env.AIKIDO_SCAN_TIMEOUT_MS = "invalid";
-    // Mock: config file exists with scanTimeout: 7000
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ scanTimeout: 7000 })
-    );
+    configFileContent = JSON.stringify({ scanTimeout: 7000 });
 
     const timeout = getScanTimeout();
 
@@ -91,8 +69,7 @@ describe("getScanTimeout", () => {
   });
 
   it("should ignore zero and negative values and fall back to default", () => {
-    // Mock: config file doesn't exist
-    fsMock.existsSync.mock.mockImplementation(() => false);
+    configFileContent = undefined;
 
     process.env.AIKIDO_SCAN_TIMEOUT_MS = "0";
 
@@ -107,11 +84,7 @@ describe("getScanTimeout", () => {
 
   it("should ignore textual non-numeric values in environment variable and fall back to config", () => {
     process.env.AIKIDO_SCAN_TIMEOUT_MS = "fast";
-    // Mock: config file exists with scanTimeout: 8000
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ scanTimeout: 8000 })
-    );
+    configFileContent = JSON.stringify({ scanTimeout: 8000 });
 
     const timeout = getScanTimeout();
 
@@ -120,11 +93,7 @@ describe("getScanTimeout", () => {
 
   it("should ignore textual non-numeric values in config file and fall back to default", () => {
     delete process.env.AIKIDO_SCAN_TIMEOUT_MS;
-    // Mock: config file exists with scanTimeout: "slow"
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ scanTimeout: "slow" })
-    );
+    configFileContent = JSON.stringify({ scanTimeout: "slow" });
 
     const timeout = getScanTimeout();
 
@@ -133,11 +102,7 @@ describe("getScanTimeout", () => {
 
   it("should ignore textual non-numeric values in both env and config, fall back to default", () => {
     process.env.AIKIDO_SCAN_TIMEOUT_MS = "quick";
-    // Mock: config file exists with scanTimeout: "medium"
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ scanTimeout: "medium" })
-    );
+    configFileContent = JSON.stringify({ scanTimeout: "medium" });
 
     const timeout = getScanTimeout();
 
@@ -146,11 +111,7 @@ describe("getScanTimeout", () => {
 
   it("should ignore mixed alphanumeric strings in environment variable", () => {
     process.env.AIKIDO_SCAN_TIMEOUT_MS = "5000ms";
-    // Mock: config file exists with scanTimeout: 6000
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ scanTimeout: 6000 })
-    );
+    configFileContent = JSON.stringify({ scanTimeout: 6000 });
 
     const timeout = getScanTimeout();
 
@@ -159,11 +120,7 @@ describe("getScanTimeout", () => {
 
   it("should ignore mixed alphanumeric strings in config file", () => {
     delete process.env.AIKIDO_SCAN_TIMEOUT_MS;
-    // Mock: config file exists with scanTimeout: "3000ms"
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ scanTimeout: "3000ms" })
-    );
+    configFileContent = JSON.stringify({ scanTimeout: "3000ms" });
 
     const timeout = getScanTimeout();
 
@@ -171,37 +128,15 @@ describe("getScanTimeout", () => {
   });
 });
 
-describe("getMinimumPackageAgeHours", () => {
-  let fsMock;
-  let getMinimumPackageAgeHours;
-
-  beforeEach(async () => {
-    // Mock fs module
-    fsMock = {
-      existsSync: mock.fn(() => false),
-      readFileSync: mock.fn(() => "{}"),
-      writeFileSync: mock.fn(),
-      mkdirSync: mock.fn(),
-    };
-
-    mock.module("fs", {
-      namedExports: fsMock,
-    });
-
-    // Re-import the module to get the mocked version
-    const configFileModule = await import(
-      `./configFile.js?update=${Date.now()}`
-    );
-    getMinimumPackageAgeHours = configFileModule.getMinimumPackageAgeHours;
-  });
+describe("getMinimumPackageAgeHours", async () => {
+  const { getMinimumPackageAgeHours } = await import("./configFile.js");
 
   afterEach(() => {
-    // Reset all mocks
-    mock.restoreAll();
+    configFileContent = undefined;
   });
 
   it("should return null when config file doesn't exist", () => {
-    fsMock.existsSync.mock.mockImplementation(() => false);
+    configFileContent = undefined;
 
     const hours = getMinimumPackageAgeHours();
 
@@ -209,10 +144,7 @@ describe("getMinimumPackageAgeHours", () => {
   });
 
   it("should return null when config file exists but minimumPackageAgeHours is not set", () => {
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ scanTimeout: 5000 })
-    );
+    configFileContent = JSON.stringify({ scanTimeout: 5000 });
 
     const hours = getMinimumPackageAgeHours();
 
@@ -220,10 +152,7 @@ describe("getMinimumPackageAgeHours", () => {
   });
 
   it("should return value from config file when set to valid number", () => {
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ minimumPackageAgeHours: 48 })
-    );
+    configFileContent = JSON.stringify({ minimumPackageAgeHours: 48 });
 
     const hours = getMinimumPackageAgeHours();
 
@@ -231,10 +160,7 @@ describe("getMinimumPackageAgeHours", () => {
   });
 
   it("should handle string numbers in config file", () => {
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ minimumPackageAgeHours: "72" })
-    );
+    configFileContent = JSON.stringify({ minimumPackageAgeHours: "72" });
 
     const hours = getMinimumPackageAgeHours();
 
@@ -242,10 +168,7 @@ describe("getMinimumPackageAgeHours", () => {
   });
 
   it("should handle decimal values", () => {
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ minimumPackageAgeHours: 1.5 })
-    );
+    configFileContent = JSON.stringify({ minimumPackageAgeHours: 1.5 });
 
     const hours = getMinimumPackageAgeHours();
 
@@ -253,21 +176,15 @@ describe("getMinimumPackageAgeHours", () => {
   });
 
   it("should return null for non-numeric strings", () => {
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ minimumPackageAgeHours: "invalid" })
-    );
+    configFileContent = JSON.stringify({ minimumPackageAgeHours: "invalid" });
 
     const hours = getMinimumPackageAgeHours();
 
     assert.strictEqual(hours, undefined);
   });
 
-  it("should return null for values with units suffix", () => {
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() =>
-      JSON.stringify({ minimumPackageAgeHours: "48h" })
-    );
+  it("should return undefined for values with units suffix", () => {
+    configFileContent = JSON.stringify({ minimumPackageAgeHours: "48h" });
 
     const hours = getMinimumPackageAgeHours();
 
@@ -275,11 +192,131 @@ describe("getMinimumPackageAgeHours", () => {
   });
 
   it("should handle malformed JSON and return null", () => {
-    fsMock.existsSync.mock.mockImplementation(() => true);
-    fsMock.readFileSync.mock.mockImplementation(() => "{ invalid json");
+    configFileContent = "{ invalid json";
 
     const hours = getMinimumPackageAgeHours();
 
     assert.strictEqual(hours, undefined);
   });
+
+  it("should return 0 when minimumPackageAgeHours is set to 0", () => {
+    configFileContent = JSON.stringify({ minimumPackageAgeHours: 0 });
+
+    const hours = getMinimumPackageAgeHours();
+
+    assert.strictEqual(hours, 0);
+  });
+
+  it("should return 0 when minimumPackageAgeHours is set to string '0'", () => {
+    configFileContent = JSON.stringify({ minimumPackageAgeHours: "0" });
+
+    const hours = getMinimumPackageAgeHours();
+
+    assert.strictEqual(hours, 0);
+  });
+
+  it("should handle negative numeric values", () => {
+    configFileContent = JSON.stringify({ minimumPackageAgeHours: -24 });
+
+    const hours = getMinimumPackageAgeHours();
+
+    assert.strictEqual(hours, -24);
+  });
+
+  it("should handle negative string values", () => {
+    configFileContent = JSON.stringify({ minimumPackageAgeHours: "-48" });
+
+    const hours = getMinimumPackageAgeHours();
+
+    assert.strictEqual(hours, -48);
+  });
+});
+
+describe("getNpmCustomRegistries", async () => {
+  const { getNpmCustomRegistries } = await import("./configFile.js");
+
+  afterEach(() => {
+    configFileContent = undefined;
+  });
+
+  it("should return empty array when config file doesn't exist", () => {
+    configFileContent = undefined;
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, []);
+  });
+
+  it("should return empty array when npm config is not set", () => {
+    configFileContent = JSON.stringify({ scanTimeout: 5000 });
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, []);
+  });
+
+  it("should return empty array when customRegistries is not an array", () => {
+    configFileContent = JSON.stringify({
+      npm: { customRegistries: "not-an-array" },
+    });
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, []);
+  });
+
+  it("should return array of custom registries when set", () => {
+    configFileContent = JSON.stringify({
+      npm: {
+        customRegistries: ["npm.company.com", "registry.internal.net"],
+      },
+    });
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "npm.company.com",
+      "registry.internal.net",
+    ]);
+  });
+
+  it("should filter out non-string values", () => {
+    configFileContent = JSON.stringify({
+      npm: {
+        customRegistries: [
+          "npm.company.com",
+          123,
+          null,
+          "registry.internal.net",
+          undefined,
+          {},
+        ],
+      },
+    });
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "npm.company.com",
+      "registry.internal.net",
+    ]);
+  });
+
+  it("should return empty array for empty customRegistries array", () => {
+    configFileContent = JSON.stringify({
+      npm: { customRegistries: [] },
+    });
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, []);
+  });
+
+  it("should handle malformed JSON and return empty array", () => {
+    configFileContent = "{ invalid json";
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, []);
+  });
 });

packages/safe-chain/src/config/environmentVariables.js

@@ -6,8 +6,20 @@ export function getMinimumPackageAgeHours() {
   return process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS;
 }
 
+/**
+ * Gets the custom npm registries from environment variable
+ * Expected format: comma-separated list of registry domains
+ * Example: "npm.company.com,registry.internal.net"
+ * @returns {string | undefined}
+ */
+export function getNpmCustomRegistries() {
+  return process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+}
+
 /**
  * Gets the custom pip registries from environment variable
+ * Expected format: comma-separated list of registry domains
+ * Example: "pip.company.com,registry.internal.net"
  * @returns {string | undefined}
  */
 export function getPipCustomRegistries() {

packages/safe-chain/src/config/settings.js

@@ -81,7 +81,7 @@ function validateMinimumPackageAgeHours(value) {
     return undefined;
   }
 
-  if (numericValue > 0) {
+  if (numericValue >= 0) {
     return numericValue;
   }
 
@@ -99,29 +99,66 @@ export function skipMinimumPackageAge() {
   return defaultSkipMinimumPackageAge;
 }
 
-/** @type {string[]} */
-const defaultPipCustomRegistries = [];
-/** @returns {string[]} */
-export function getPipCustomRegistries() {
-  // Priority 1: Environment variable
-  const envValue = validatePipCustomRegistries(
-    environmentVariables.getPipCustomRegistries()
-  );
-  if (envValue !== undefined) {
-    return envValue;
-  }
-
-  return defaultPipCustomRegistries;
+/**
+ * Normalizes a registry URL by removing protocol if present
+ * @param {string} registry
+ * @returns {string}
+ */
+function normalizeRegistry(registry) {
+  // Remove protocol (http://, https://) if present
+  return registry.replace(/^https?:\/\//, "");
 }
 
 /**
- * @param {string | undefined} value
- * @returns {string[] | undefined}
+ * Parses comma-separated registries from environment variable
+ * @param {string | undefined} envValue
+ * @returns {string[]}
  */
-function validatePipCustomRegistries(value) {
-  if (!value) {
-    return undefined;
+function parseRegistriesFromEnv(envValue) {
+  if (!envValue || typeof envValue !== "string") {
+    return [];
   }
 
-  return value.split(",");
+  // Split by comma and trim whitespace
+  return envValue
+    .split(",")
+    .map((registry) => registry.trim())
+    .filter((registry) => registry.length > 0);
+}
+
+/**
+ * Gets the custom npm registries from both environment variable and config file (merged)
+ * @returns {string[]}
+ */
+export function getNpmCustomRegistries() {
+  const envRegistries = parseRegistriesFromEnv(
+    environmentVariables.getNpmCustomRegistries()
+  );
+  const configRegistries = configFile.getNpmCustomRegistries();
+
+  // Merge both sources and remove duplicates
+  const allRegistries = [...envRegistries, ...configRegistries];
+  const uniqueRegistries = [...new Set(allRegistries)];
+
+  // Normalize each registry (remove protocol if any)
+  return uniqueRegistries.map(normalizeRegistry);
+}
+
+/**
+ * Gets the custom npm registries from both environment variable and config file (merged)
+ * @returns {string[]}
+ */
+export function getPipCustomRegistries() {
+  const envRegistries = parseRegistriesFromEnv(
+    environmentVariables.getPipCustomRegistries()
+  );
+  // const configRegistries = configFile.getPipCustomRegistries();
+
+  // Merge both sources and remove duplicates
+  // const allRegistries = [...envRegistries, ...configRegistries];
+  const allRegistries = [...envRegistries];
+  const uniqueRegistries = [...new Set(allRegistries)];
+
+  // Normalize each registry (remove protocol if any)
+  return uniqueRegistries.map(normalizeRegistry);
 }

packages/safe-chain/src/config/settings.spec.js

@@ -0,0 +1,249 @@
+import { describe, it, beforeEach, afterEach, mock } from "node:test";
+import assert from "node:assert";
+
+let configFileContent = undefined;
+mock.module("fs", {
+  namedExports: {
+    existsSync: () => configFileContent !== undefined,
+    readFileSync: () => configFileContent,
+    writeFileSync: (content) => (configFileContent = content),
+    mkdirSync: () => {},
+  },
+});
+
+describe("getNpmCustomRegistries", async () => {
+  let originalEnv;
+  const { getNpmCustomRegistries } = await import("./settings.js");
+
+  beforeEach(() => {
+    originalEnv = process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+  });
+
+  afterEach(() => {
+    if (originalEnv !== undefined) {
+      process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = originalEnv;
+    } else {
+      delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+    }
+    configFileContent = undefined;
+  });
+
+  it("should return empty array when no registries configured", () => {
+    configFileContent = undefined;
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, []);
+  });
+
+  it("should return registries without protocol", () => {
+    configFileContent = JSON.stringify({
+      npm: {
+        customRegistries: ["npm.company.com", "registry.internal.net"],
+      },
+    });
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "npm.company.com",
+      "registry.internal.net",
+    ]);
+  });
+
+  it("should strip https:// protocol from registries", () => {
+    configFileContent = JSON.stringify({
+      npm: {
+        customRegistries: [
+          "https://npm.company.com",
+          "https://registry.internal.net",
+        ],
+      },
+    });
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "npm.company.com",
+      "registry.internal.net",
+    ]);
+  });
+
+  it("should strip http:// protocol from registries", () => {
+    configFileContent = JSON.stringify({
+      npm: {
+        customRegistries: [
+          "http://npm.company.com",
+          "http://registry.internal.net",
+        ],
+      },
+    });
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "npm.company.com",
+      "registry.internal.net",
+    ]);
+  });
+
+  it("should handle mixed protocols and no protocol", () => {
+    configFileContent = JSON.stringify({
+      npm: {
+        customRegistries: [
+          "https://npm.company.com",
+          "registry.internal.net",
+          "http://private.registry.io",
+        ],
+      },
+    });
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "npm.company.com",
+      "registry.internal.net",
+      "private.registry.io",
+    ]);
+  });
+
+  it("should preserve registry path after stripping protocol", () => {
+    configFileContent = JSON.stringify({
+      npm: {
+        customRegistries: [
+          "https://npm.company.com/custom/path",
+          "registry.internal.net/npm",
+        ],
+      },
+    });
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "npm.company.com/custom/path",
+      "registry.internal.net/npm",
+    ]);
+  });
+
+  it("should parse comma-separated registries from environment variable", () => {
+    delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+    process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES =
+      "env1.registry.com,env2.registry.net";
+    configFileContent = undefined;
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "env1.registry.com",
+      "env2.registry.net",
+    ]);
+  });
+
+  it("should trim whitespace from environment variable registries", () => {
+    delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+    process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES =
+      "  env1.registry.com  ,  env2.registry.net  ";
+    configFileContent = undefined;
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "env1.registry.com",
+      "env2.registry.net",
+    ]);
+  });
+
+  it("should merge environment variable and config file registries", () => {
+    delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+    process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = "env1.registry.com";
+    configFileContent = JSON.stringify({
+      npm: {
+        customRegistries: ["config1.registry.net"],
+      },
+    });
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "env1.registry.com",
+      "config1.registry.net",
+    ]);
+  });
+
+  it("should remove duplicate registries when merging env and config", () => {
+    delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+    process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES =
+      "npm.company.com,env.registry.com";
+    configFileContent = JSON.stringify({
+      npm: {
+        customRegistries: ["npm.company.com", "config.registry.net"],
+      },
+    });
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "npm.company.com",
+      "env.registry.com",
+      "config.registry.net",
+    ]);
+  });
+
+  it("should normalize protocols from environment variable registries", () => {
+    delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+    process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES =
+      "https://env1.registry.com,http://env2.registry.net";
+    configFileContent = undefined;
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "env1.registry.com",
+      "env2.registry.net",
+    ]);
+  });
+
+  it("should handle empty strings in comma-separated list", () => {
+    delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+    process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES =
+      "env1.registry.com,,env2.registry.net,";
+    configFileContent = undefined;
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, [
+      "env1.registry.com",
+      "env2.registry.net",
+    ]);
+  });
+
+  it("should handle single registry in environment variable", () => {
+    delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+    process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = "single.registry.com";
+    configFileContent = undefined;
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, ["single.registry.com"]);
+  });
+
+  it("should return empty array for empty environment variable", () => {
+    delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+    process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = "";
+    configFileContent = undefined;
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, []);
+  });
+
+  it("should return empty array for whitespace-only environment variable", () => {
+    delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+    process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = "   ,  ,  ";
+    configFileContent = undefined;
+
+    const registries = getNpmCustomRegistries();
+
+    assert.deepStrictEqual(registries, []);
+  });
+});