Wrap bun with safe-chain to block downloads of packages with malware

2026-05-26 12:10:49 +00:00 · 2025-10-08 15:12:06 +02:00 · 2025-10-08 15:12:06 +02:00 · 43dcba8802
commit 43dcba8802
parent 16c76de0f3
11 changed files with 184 additions and 5 deletions
--- a/packages/safe-chain/src/shell-integration/helpers.js
+++ b/packages/safe-chain/src/shell-integration/helpers.js
@ -9,8 +9,9 @@ export const knownAikidoTools = [
  { tool: "yarn", aikidoCommand: "aikido-yarn" },
  { tool: "pnpm", aikidoCommand: "aikido-pnpm" },
  { tool: "pnpx", aikidoCommand: "aikido-pnpx" },
-  // When adding a new tool here, also update the expected alias in the tests (setup.spec.js, teardown.spec.js)
-  // and add the documentation for the new tool in the README.md
+  { tool: "bun", aikidoCommand: "aikido-bun" },
+  { tool: "bunx", aikidoCommand: "aikido-bunx" },
+  // When adding a new tool here, also update the documentation for the new tool in the README.md
 ];

 /**
@ -18,15 +19,15 @@ export const knownAikidoTools = [
 * Example: "npm, npx, yarn, pnpm, and pnpx commands"
 */
 export function getPackageManagerList() {
-  const tools = knownAikidoTools.map(t => t.tool);
+  const tools = knownAikidoTools.map((t) => t.tool);
  if (tools.length <= 1) {
-    return `${tools[0] || ''} commands`;
+    return `${tools[0] || ""} commands`;
  }
  if (tools.length === 2) {
    return `${tools[0]} and ${tools[1]} commands`;
  }
  const lastTool = tools.pop();
-  return `${tools.join(', ')}, and ${lastTool} commands`;
+  return `${tools.join(", ")}, and ${lastTool} commands`;
 }

 export function doesExecutableExistOnSystem(executableName) {
--- a/packages/safe-chain/src/shell-integration/startup-scripts/init-fish.fish
+++ b/packages/safe-chain/src/shell-integration/startup-scripts/init-fish.fish
@ -46,6 +46,14 @@ function pnpx
    wrapSafeChainCommand "pnpx" "aikido-pnpx" $argv
 end

+function bun
+    wrapSafeChainCommand "bun" "aikido-bun" $argv
+end
+
+function bunx
+    wrapSafeChainCommand "bunx" "aikido-bunx" $argv
+end
+
 function npm
    # If args is just -v or --version and nothing else, just run the `npm -v` command
    # This is because nvm uses this to check the version of npm
--- a/packages/safe-chain/src/shell-integration/startup-scripts/init-posix.sh
+++ b/packages/safe-chain/src/shell-integration/startup-scripts/init-posix.sh
@ -42,6 +42,14 @@ function pnpx() {
  wrapSafeChainCommand "pnpx" "aikido-pnpx" "$@"
 }

+function bun() {
+  wrapSafeChainCommand "bun" "aikido-bun" "$@"
+}
+
+function bunx() {
+  wrapSafeChainCommand "bunx" "aikido-bunx" "$@"
+}
+
 function npm() {
  if [[ "$1" == "-v" || "$1" == "--version" ]] && [[ $# -eq 1 ]]; then
    # If args is just -v or --version and nothing else, just run the npm version command
--- a/packages/safe-chain/src/shell-integration/startup-scripts/init-pwsh.ps1
+++ b/packages/safe-chain/src/shell-integration/startup-scripts/init-pwsh.ps1
@ -68,6 +68,14 @@ function pnpx {
    Invoke-WrappedCommand "pnpx" "aikido-pnpx" $args
 }

+function bun {
+    Invoke-WrappedCommand "bun" "aikido-bun" $args
+}
+
+function bunx {
+    Invoke-WrappedCommand "bunx" "aikido-bunx" $args
+}
+
 function npm {
    # If args is just -v or --version and nothing else, just run the npm version command
    # This is because nvm uses this to check the version of npm