Merge remote-tracking branch 'origin/main' into feature/pypi

2026-05-26 12:10:49 +00:00 · 2025-11-03 06:49:53 -08:00 · 2025-11-03 06:49:53 -08:00 · 548d416996
commit 548d416996
parent be5c4fb382 e0fbb7e18a
64 changed files with 1689 additions and 381 deletions
--- a/packages/safe-chain/src/api/aikido.js
+++ b/packages/safe-chain/src/api/aikido.js
@ -6,9 +6,19 @@ const malwareDatabaseUrls = {
  [ECOSYSTEM_PY]: "https://malware-list.aikido.dev/malware_pypi.json",
 };

+/**
+ * @typedef {Object} MalwarePackage
+ * @property {string} package_name
+ * @property {string} version
+ * @property {string} reason
+ */
+
+/**
+ * @returns {Promise<{malwareDatabase: MalwarePackage[], version: string | undefined}>}
+ */
 export async function fetchMalwareDatabase() {
  const ecosystem = getEcoSystem();
-  const malwareDatabaseUrl = malwareDatabaseUrls[ecosystem];
+  const malwareDatabaseUrl = malwareDatabaseUrls[/** @type {keyof typeof malwareDatabaseUrls} */ (ecosystem)];
  const response = await fetch(malwareDatabaseUrl);
  if (!response.ok) {
    throw new Error(`Error fetching ${ecosystem} malware database: ${response.statusText}`);
@ -20,14 +30,17 @@ export async function fetchMalwareDatabase() {
      malwareDatabase: malwareDatabase,
      version: response.headers.get("etag") || undefined,
    };
-  } catch (error) {
-    throw new Error(`Error parsing ${ecosystem} malware database: ${error.message}`);
+  } catch (/** @type {any} */ error) {
+    throw new Error(`Error parsing malware database: ${error.message}`);
  }
 }

+/**
+ * @returns {Promise<string | undefined>}
+ */
 export async function fetchMalwareDatabaseVersion() {
  const ecosystem = getEcoSystem();
-  const malwareDatabaseUrl = malwareDatabaseUrls[ecosystem];
+  const malwareDatabaseUrl = malwareDatabaseUrls[/** @type {keyof typeof malwareDatabaseUrls} */ (ecosystem)];
  const response = await fetch(malwareDatabaseUrl, {
    method: "HEAD",
  });
--- a/packages/safe-chain/src/api/npmApi.js
+++ b/packages/safe-chain/src/api/npmApi.js
@ -1,6 +1,11 @@
 import * as semver from "semver";
 import * as npmFetch from "npm-registry-fetch";

+/**
+ * @param {string} packageName
+ * @param {string | null} [versionRange]
+ * @returns {Promise<string | null>}
+ */
 export async function resolvePackageVersion(packageName, versionRange) {
  if (!versionRange) {
    versionRange = "latest";
@ -11,7 +16,10 @@ export async function resolvePackageVersion(packageName, versionRange) {
    return versionRange;
  }

-  const packageInfo = await getPackageInfo(packageName);
+  const packageInfo = (
+    /** @type {{"dist-tags"?: Record<string, string>, versions?: Record<string, unknown>} | null} */
+    await getPackageInfo(packageName)
+  );
  if (!packageInfo) {
    // It is possible that no version is found (could be a private package, or a package that doesn't exist)
    // In this case, we return null to indicate that we couldn't resolve the version
@ -19,7 +27,7 @@ export async function resolvePackageVersion(packageName, versionRange) {
  }

  const distTags = packageInfo["dist-tags"];
-  if (distTags && distTags[versionRange]) {
+  if (distTags && isDistTags(distTags) && distTags[versionRange]) {
    // If the version range is a dist-tag, return the version associated with that tag
    // e.g., "latest", "next", etc.
    return distTags[versionRange];
@ -41,6 +49,19 @@ export async function resolvePackageVersion(packageName, versionRange) {
  return null;
 }

+/**
+ *
+ * @param {unknown} distTags
+ * @returns {distTags is Record<string, string>}
+ */
+function isDistTags(distTags) {
+  return typeof distTags === "object";
+}
+
+/**
+ * @param {string} packageName
+ * @returns {Promise<Record<string, unknown> | null>}
+ */
 async function getPackageInfo(packageName) {
  try {
    return await npmFetch.json(packageName);