Only install for install/download and wheel commands

2026-05-26 12:10:49 +00:00 · 2025-11-10 15:36:56 -08:00 · 2025-11-10 15:36:56 -08:00 · 6cc3ffc044
commit 6cc3ffc044
parent a502e4e49d
1 changed files with 25 additions and 3 deletions
--- a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js
+++ b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js
@ -3,6 +3,26 @@ import { safeSpawn } from "../../utils/safeSpawn.js";
 import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
 import { installSafeChainCA } from "../../registryProxy/certUtils.js";

+/**
+ * Returns true if the pip command needs the Safe-chain CA installed.
+ * @param {string[]} args
+ * @returns {boolean}
+ */
+function needsCaInstalled(args) {
+  const known = new Set(["install", "wheel", "download"]);
+  let startIdx = 0;
+  if (args[0] === "-m" && (args[1] === "pip" || args[1] === "pip3")) {
+    startIdx = 2;
+  }
+  for (let i = startIdx; i < args.length; i++) {
+    const token = args[i];
+    if (!token) continue;
+    if (token.startsWith("-")) continue; // skip flags
+    if (known.has(token)) return true;
+  }
+  return false;
+}
+
 /**
 * @param {string} command
 * @param {string[]} args
@ -11,9 +31,11 @@ import { installSafeChainCA } from "../../registryProxy/certUtils.js";
 */
 export async function runPip(command, args) {
  try {
-    // Install Safe Chain CA in OS trust store before running pip
-    // Py 3.14 requires that certs are properly installed in the OS trust store
+    // Only install CA for commands that download or build packages.
+    // This minimizes privilege prompts for read-only operations like 'list' or 'show'.
+    if (needsCaInstalled(args)) {
      await installSafeChainCA();
+    }
    const env = mergeSafeChainProxyEnvironmentVariables(process.env);
    const result = await safeSpawn(command, args, {
      stdio: "inherit",