Some fixes

2026-05-26 20:20:49 +00:00 · 2025-10-24 13:47:22 -07:00 · 2025-10-24 13:47:22 -07:00 · 9914c0ccb3
commit 9914c0ccb3
parent 6b2db6dace
5 changed files with 11 additions and 19 deletions
--- a/packages/safe-chain/src/packagemanager/pip/createPackageManager.js
+++ b/packages/safe-chain/src/packagemanager/pip/createPackageManager.js
@ -7,10 +7,6 @@ import {
  pipWheelCommand,
 } from "./utils/pipCommands.js";

-/**
- * Creates a package manager
- * @param {string} [command="pip"] - The pip command to use (e.g., "pip", "pip3") defaults to "pip"
- */
 export function createPipPackageManager(command = "pip") {
  function isSupportedCommand(args) {
    const scanner = findDependencyScannerForCommand(
--- a/packages/safe-chain/src/packagemanager/pip/parsing/parsePackagesFromInstallArgs.js
+++ b/packages/safe-chain/src/packagemanager/pip/parsing/parsePackagesFromInstallArgs.js
@ -101,8 +101,7 @@ function isPipOptionWithParameter(arg) {
 }

 function parsePipSpec(spec) {
-  // Ignore obvious URLs and paths
-  // These cannot be scanned from the malware database
+  // Ignore obvious URLs and paths, rely on mitm scanner
  const lower = spec.toLowerCase();
  if (
    lower.startsWith("git+") ||
@ -116,7 +115,7 @@ function parsePipSpec(spec) {
    spec.startsWith("../") ||
    spec.startsWith("/")
  ) {
-    return { name: spec, version: "latest" };
+    return null;
  }

  // Strip extras: package[extra1,extra2]
--- a/packages/safe-chain/src/packagemanager/pip/parsing/parsePackagesFromInstallArgs.spec.js
+++ b/packages/safe-chain/src/packagemanager/pip/parsing/parsePackagesFromInstallArgs.spec.js
@ -40,9 +40,8 @@ describe("parsePackagesFromInstallArgs", () => {
    ]);
  });

-  it("should parse multiple constraints", () => {
+  it("should skip ranges", () => {
    const result = parsePackagesFromInstallArgs(["install", "requests>=2,<3"]);
-    // Range specifiers should be skipped since they don't provide exact versions
    assert.deepEqual(result, []);
  });

@ -69,7 +68,7 @@ describe("parsePackagesFromInstallArgs", () => {
    ]);
  });

-  it("should treat VCS/URL/path specs as names (no version)", () => {
+  it("should skip VCS/URL/path)", () => {
    const result = parsePackagesFromInstallArgs([
      "install",
      "git+https://github.com/pallets/flask.git",
@ -77,12 +76,7 @@ describe("parsePackagesFromInstallArgs", () => {
      "file:/tmp/pkg.whl",
      "./localpkg",
    ]);
-    assert.deepEqual(result, [
-      { name: "git+https://github.com/pallets/flask.git", version: "latest", type: "add" },
-      { name: "https://files.pythonhosted.org/packages/foo/bar.whl", version: "latest", type: "add" },
-      { name: "file:/tmp/pkg.whl", version: "latest", type: "add" },
-      { name: "./localpkg", version: "latest", type: "add" },
-    ]);
+    assert.deepEqual(result, []);
  });

  it("should return empty array for no packages", () => {