milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into feature/pipx-2

Browse source
This commit is contained in:
Reinier Criel 2025-12-17 14:28:14 +01:00
commit b9de94f0f1
25 changed files with 401 additions and 660 deletions
Download patch file Download diff file Expand all files Collapse all files

42
.github/workflows/build-and-release.yml vendored
View file

@ -44,9 +44,7 @@ jobs:
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
- name: Setup safe-chain
run: |
npm i -g @aikidosec/safe-chain
safe-chain setup-ci
run: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci
- name: Set the version in safe-chain package
run: npm --no-git-tag-version version ${{ needs.set-version.outputs.version }} --workspace=packages/safe-chain
@ -77,21 +75,35 @@ jobs:
- name: Rename binaries to include platform and architecture
run: |
mv binaries/safe-chain-macos-x64/safe-chain binaries/safe-chain-macos-x64/safe-chain-macos-x64
mv binaries/safe-chain-macos-arm64/safe-chain binaries/safe-chain-macos-arm64/safe-chain-macos-arm64
mv binaries/safe-chain-linux-x64/safe-chain binaries/safe-chain-linux-x64/safe-chain-linux-x64
mv binaries/safe-chain-linux-arm64/safe-chain binaries/safe-chain-linux-arm64/safe-chain-linux-arm64
mv binaries/safe-chain-win-x64/safe-chain.exe binaries/safe-chain-win-x64/safe-chain-win-x64.exe
mv binaries/safe-chain-win-arm64/safe-chain.exe binaries/safe-chain-win-arm64/safe-chain-win-arm64.exe
mkdir release-artifacts
mv binaries/safe-chain-macos-x64/safe-chain release-artifacts/safe-chain-macos-x64
mv binaries/safe-chain-macos-arm64/safe-chain release-artifacts/safe-chain-macos-arm64
mv binaries/safe-chain-linux-x64/safe-chain release-artifacts/safe-chain-linux-x64
mv binaries/safe-chain-linux-arm64/safe-chain release-artifacts/safe-chain-linux-arm64
mv binaries/safe-chain-win-x64/safe-chain.exe release-artifacts/safe-chain-win-x64.exe
mv binaries/safe-chain-win-arm64/safe-chain.exe release-artifacts/safe-chain-win-arm64.exe
- name: Move install scripts and hard-code version
env:
VERSION: ${{ needs.set-version.outputs.version }}
run: |
sed "s/\$(fetch_latest_version)/${VERSION}/" install-scripts/install-safe-chain.sh > release-artifacts/install-safe-chain.sh
sed "s/\$Version = Get-LatestVersion/\$Version = \"${VERSION}\"/" install-scripts/install-safe-chain.ps1 > release-artifacts/install-safe-chain.ps1
cp install-scripts/uninstall-safe-chain.sh release-artifacts/uninstall-safe-chain.sh
cp install-scripts/uninstall-safe-chain.ps1 release-artifacts/uninstall-safe-chain.ps1
- name: Upload binaries to existing GitHub Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release upload ${{ needs.set-version.outputs.version }} \
binaries/safe-chain-macos-x64/* \
binaries/safe-chain-macos-arm64/* \
binaries/safe-chain-linux-x64/* \
binaries/safe-chain-linux-arm64/* \
binaries/safe-chain-win-x64/* \
binaries/safe-chain-win-arm64/*
release-artifacts/safe-chain-macos-x64 \
release-artifacts/safe-chain-macos-arm64 \
release-artifacts/safe-chain-linux-x64 \
release-artifacts/safe-chain-linux-arm64 \
release-artifacts/safe-chain-win-x64.exe \
release-artifacts/safe-chain-win-arm64.exe \
release-artifacts/install-safe-chain.sh \
release-artifacts/install-safe-chain.ps1 \
release-artifacts/uninstall-safe-chain.sh \
release-artifacts/uninstall-safe-chain.ps1

20
.github/workflows/create-artifact.yml vendored
View file

@ -5,7 +5,7 @@ on:
workflow_call:
inputs:
version:
description: 'Version to set in package.json'
description: "Version to set in package.json"
required: false
type: string
@ -59,18 +59,22 @@ jobs:
with:
node-version: "20.x"
- name: Setup safe-chain
run: |
npm i -g @aikidosec/safe-chain
safe-chain setup-ci
- name: Setup safe-chain (Mac/Linux)
if: runner.os != 'Windows'
run: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci
- name: Set the version in safe-chain package
if: inputs.version != ''
run: npm --no-git-tag-version version ${{ inputs.version }} --workspace=packages/safe-chain
- name: Setup safe-chain (Windows)
if: runner.os == 'Windows'
shell: pwsh
run: iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -ci"
- name: Install dependencies
run: npm ci --ignore-scripts
- name: Set the version in safe-chain package
if: inputs.version != ''
run: npm --no-git-tag-version version ${{ inputs.version }} --workspace=packages/safe-chain --ignore-scripts
- name: Create binary
run: |
node build.js ${{ matrix.target }}

4
.github/workflows/test-on-pr.yml vendored
View file

@ -110,9 +110,7 @@ jobs:
node-version: "lts/*"
- name: Setup safe-chain
run: |
npm i -g @aikidosec/safe-chain@1.0.24
safe-chain setup-ci
run: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci
- name: Install dependencies (root)
run: npm ci

72
README.md
View file

@ -19,10 +19,10 @@ Aikido Safe Chain supports the following package managers:
- 📦 **pnpx**
- 📦 **bun**
- 📦 **bunx**
- 📦 **pip** (beta)
- 📦 **pip3** (beta)
- 📦 **uv** (beta)
- 📦 **poetry** (beta)
- 📦 **pip**
- 📦 **pip3**
- 📦 **uv**
- 📦 **poetry**
# Usage
@ -34,32 +34,32 @@ Installing the Aikido Safe Chain is easy with our one-line installer.
### Unix/Linux/macOS
**Default installation (JavaScript packages only):**
```shell
curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh
```
**Include Python support (pip/pip3/uv):**
```shell
curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --include-python
curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh
```
### Windows (PowerShell)
**Default installation (JavaScript packages only):**
```powershell
iex (iwr "https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1" -UseBasicParsing)
iex (iwr "https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.ps1" -UseBasicParsing)
```
**Include Python support (pip/pip3/uv):**
### Pinning to a specific version
```powershell
iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -includepython"
To install a specific version instead of the latest, replace `latest` with the version number in the URL (available from version 1.3.2 onwards):
**Unix/Linux/macOS:**
```shell
curl -fsSL https://github.com/AikidoSec/safe-chain/releases/download/x.x.x/install-safe-chain.sh | sh
```
**Windows (PowerShell):**
```powershell
iex (iwr "https://github.com/AikidoSec/safe-chain/releases/download/x.x.x/install-safe-chain.ps1" -UseBasicParsing)
```
You can find all available versions on the [releases page](https://github.com/AikidoSec/safe-chain/releases).
### Verify the installation
1. **❗Restart your terminal** to start using the Aikido Safe Chain.
@ -74,7 +74,7 @@ iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/inst
npm install safe-chain-test
```
For Python (if you enabled Python support):
For Python:
```shell
pip3 install safe-chain-pi-test
@ -121,13 +121,13 @@ To uninstall the Aikido Safe Chain, use our one-line uninstaller:
### Unix/Linux/macOS
```shell
curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/uninstall-safe-chain.sh | sh
curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/uninstall-safe-chain.sh | sh
```
### Windows (PowerShell)
```powershell
iex (iwr "https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/uninstall-safe-chain.ps1" -UseBasicParsing)
iex (iwr "https://github.com/AikidoSec/safe-chain/releases/latest/download/uninstall-safe-chain.ps1" -UseBasicParsing)
```
**❗Restart your terminal** after uninstalling to ensure all aliases are removed.
@ -193,30 +193,14 @@ Use the `--ci` flag to automatically configure Aikido Safe Chain for CI/CD envir
### Unix/Linux/macOS (GitHub Actions, Azure Pipelines, etc.)
**JavaScript only:**
```shell
curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci
```
**With Python support:**
```shell
curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci --include-python
curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
```
### Windows (Azure Pipelines, etc.)
**JavaScript only:**
```powershell
iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -ci"
```
**With Python support:**
```powershell
iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1' -UseBasicParsing) } -ci -includepython"
iex "& { $(iwr 'https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.ps1' -UseBasicParsing) } -ci"
```
## Supported Platforms
@ -234,14 +218,12 @@ iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/inst
cache: "npm"
- name: Install safe-chain
run: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci --include-python
run: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
- name: Install dependencies
run: npm ci
```
> **Note:** Remove `--include-python` if you don't need Python (pip/pip3/uv/poetry) support.
## Azure DevOps Example
```yaml
@ -250,13 +232,11 @@ iex "& { $(iwr 'https://raw.githubusercontent.com/AikidoSec/safe-chain/main/inst
versionSpec: "22.x"
displayName: "Install Node.js"
- script: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci --include-python
- script: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
displayName: "Install safe-chain"
- script: npm ci
displayName: "Install dependencies"
```
> **Note:** Remove `--include-python` if you don't need Python (pip/pip3/uv/poetry) support.
After setup, all subsequent package manager commands in your CI pipeline will automatically be protected by Aikido Safe Chain's malware detection.

55
install-scripts/install-safe-chain.ps1
View file

@ -31,6 +31,46 @@ function Write-Error-Custom {
exit 1
}
# Get currently installed version of safe-chain
function Get-InstalledVersion {
# Check if safe-chain command exists
if (-not (Get-Command safe-chain -ErrorAction SilentlyContinue)) {
return $null
}
try {
# Execute safe-chain -v and capture output
$output = & safe-chain -v 2>&1
# Extract version from "Current safe-chain version: X.Y.Z" output
if ($output -match "Current safe-chain version:\s*(.+)") {
return $matches[1].Trim()
}
return $null
}
catch {
return $null
}
}
# Check if the requested version is already installed
function Test-VersionInstalled {
param([string]$RequestedVersion)
$installedVersion = Get-InstalledVersion
if ([string]::IsNullOrWhiteSpace($installedVersion)) {
return $false
}
# Strip leading 'v' from versions if present for comparison
$requestedClean = $RequestedVersion -replace '^v', ''
$installedClean = $installedVersion -replace '^v', ''
return $requestedClean -eq $installedClean
}
# Fetch latest release version tag from GitHub
function Get-LatestVersion {
try {
@ -115,14 +155,20 @@ function Install-SafeChain {
$Version = Get-LatestVersion
}
# Check if the requested version is already installed
if (Test-VersionInstalled -RequestedVersion $Version) {
Write-Info "safe-chain $Version is already installed"
return
}
# Build installation message
$installMsg = "Installing safe-chain $Version"
if ($includepython) {
$installMsg += " with python"
}
if ($ci) {
$installMsg += " in ci"
}
if ($includepython) {
Write-Warn "-includepython is deprecated and ignored. Python ecosystem is now included by default."
}
Write-Info $installMsg
@ -181,9 +227,6 @@ function Install-SafeChain {
# Build setup command based on parameters
$setupCmd = if ($ci) { "setup-ci" } else { "setup" }
$setupArgs = @()
if ($includepython) {
$setupArgs += "--include-python"
}
# Execute safe-chain setup
Write-Info "Running safe-chain $setupCmd $(if ($setupArgs) { $setupArgs -join ' ' })..."

48
install-scripts/install-safe-chain.sh
View file

@ -54,6 +54,38 @@ command_exists() {
command -v "$1" >/dev/null 2>&1
}
# Get currently installed version of safe-chain
get_installed_version() {
if ! command_exists safe-chain; then
echo ""
return
fi
# Extract version from "Current safe-chain version: X.Y.Z" output
installed_version=$(safe-chain -v 2>/dev/null | grep "Current safe-chain version:" | sed -E 's/.*: (.*)/\1/')
echo "$installed_version"
}
# Check if the requested version is already installed
is_version_installed() {
requested_version="$1"
installed_version=$(get_installed_version)
if [ -z "$installed_version" ]; then
return 1 # Not installed
fi
# Strip leading 'v' from versions if present for comparison
requested_clean=$(echo "$requested_version" | sed 's/^v//')
installed_clean=$(echo "$installed_version" | sed 's/^v//')
if [ "$requested_clean" = "$installed_clean" ]; then
return 0 # Same version installed
else
return 1 # Different version installed
fi
}
# Fetch latest release version tag from GitHub
fetch_latest_version() {
# Try using GitHub API to get the latest release tag
@ -135,7 +167,7 @@ parse_arguments() {
USE_CI_SETUP=true
;;
--include-python)
INCLUDE_PYTHON=true
warn "--include-python is deprecated and ignored. Python ecosystem is now included by default."
;;
*)
error "Unknown argument: $arg"
@ -148,7 +180,6 @@ parse_arguments() {
main() {
# Initialize argument flags
USE_CI_SETUP=false
INCLUDE_PYTHON=false
# Parse command-line arguments
parse_arguments "$@"
@ -159,11 +190,14 @@ main() {
VERSION=$(fetch_latest_version)
fi
# Check if the requested version is already installed
if is_version_installed "$VERSION"; then
info "safe-chain ${VERSION} is already installed"
exit 0
fi
# Build installation message
INSTALL_MSG="Installing safe-chain ${VERSION}"
if [ "$INCLUDE_PYTHON" = "true" ]; then
INSTALL_MSG="${INSTALL_MSG} with python"
fi
if [ "$USE_CI_SETUP" = "true" ]; then
INSTALL_MSG="${INSTALL_MSG} in ci"
fi
@ -209,10 +243,6 @@ main() {
SETUP_CMD="setup-ci"
fi
if [ "$INCLUDE_PYTHON" = "true" ]; then
SETUP_ARGS="--include-python"
fi
# Execute safe-chain setup
info "Running safe-chain $SETUP_CMD $SETUP_ARGS..."
if ! "$FINAL_FILE" $SETUP_CMD $SETUP_ARGS; then

10
packages/safe-chain/bin/safe-chain.js
View file

@ -95,11 +95,6 @@ function writeHelp() {
"safe-chain setup"
)}: This will setup your shell to wrap safe-chain around npm, npx, yarn, pnpm, pnpx, bun, bunx, pip and pip3.`
);
ui.writeInformation(
` ${chalk.yellow(
"--include-python"
)}: Experimental: include Python package managers (pip, pip3) in the setup.`
);
ui.writeInformation(
`- ${chalk.cyan(
"safe-chain teardown"
@ -110,11 +105,6 @@ function writeHelp() {
"safe-chain setup-ci"
)}: This will setup safe-chain for CI environments by creating shims and modifying the PATH.`
);
ui.writeInformation(
` ${chalk.yellow(
"--include-python"
)}: Experimental: include Python package managers (pip, pip3) in the setup.`
);
ui.writeInformation(
`- ${chalk.cyan("safe-chain --version")} (or ${chalk.cyan(
"-v"

36
packages/safe-chain/src/config/cliArguments.js
View file

@ -1,11 +1,12 @@
import { ui } from "../environment/userInteraction.js";
/**
* @type {{loggingLevel: string | undefined, skipMinimumPackageAge: boolean | undefined, minimumPackageAgeHours: string | undefined, includePython: boolean}}
* @type {{loggingLevel: string | undefined, skipMinimumPackageAge: boolean | undefined, minimumPackageAgeHours: string | undefined}}
*/
const state = {
loggingLevel: undefined,
skipMinimumPackageAge: undefined,
minimumPackageAgeHours: undefined,
includePython: false,
};
const SAFE_CHAIN_ARG_PREFIX = "--safe-chain-";
@ -34,8 +35,7 @@ export function initializeCliArguments(args) {
setLoggingLevel(safeChainArgs);
setSkipMinimumPackageAge(safeChainArgs);
setMinimumPackageAgeHours(safeChainArgs);
setIncludePython(args);
checkDeprecatedPythonFlag(args);
return remainingArgs;
}
@ -109,20 +109,6 @@ export function getMinimumPackageAgeHours() {
return state.minimumPackageAgeHours;
}
/**
* @param {string[]} args
*/
function setIncludePython(args) {
// This flag doesn't have the --safe-chain- prefix because
// it is only used for the safe-chain command itself and
// not when wrapped around package manager commands.
state.includePython = hasFlagArg(args, "--include-python");
}
export function includePython() {
return state.includePython;
}
/**
* @param {string[]} args
* @param {string} flagName
@ -136,3 +122,17 @@ function hasFlagArg(args, flagName) {
}
return false;
}
/**
* Emits a deprecation warning for legacy --include-python flag
*
* @param {string[]} args
* @returns {void}
*/
export function checkDeprecatedPythonFlag(args) {
if (hasFlagArg(args, "--include-python")) {
ui.writeWarning(
"--include-python is deprecated and ignored. Python tooling is included by default."
);
}
}

37
packages/safe-chain/src/config/cliArguments.spec.js
View file

@ -6,6 +6,7 @@ import {
getSkipMinimumPackageAge,
getMinimumPackageAgeHours,
} from "./cliArguments.js";
import { ui } from "../environment/userInteraction.js";
describe("initializeCliArguments", () => {
it("should return all args when no safe-chain args are present", () => {
@ -271,4 +272,40 @@ describe("initializeCliArguments", () => {
assert.strictEqual(getMinimumPackageAgeHours(), "-24");
});
it("should warn on deprecated --include-python for setup", () => {
const warnings = [];
const originalWriteWarning = ui.writeWarning;
ui.writeWarning = (msg, ..._rest) => {
warnings.push(String(msg));
};
try {
const argv = ["node", "safe-chain", "setup", "--include-python"];
initializeCliArguments(argv);
assert.ok(
warnings.some((m) => m.includes("--include-python is deprecated")),
"Expected a deprecation warning for --include-python in setup"
);
} finally {
ui.writeWarning = originalWriteWarning;
}
});
it("should warn on deprecated --include-python for setup-ci", () => {
const warnings = [];
const originalWriteWarning = ui.writeWarning;
ui.writeWarning = (msg, ..._rest) => {
warnings.push(String(msg));
};
try {
const argv = ["node", "safe-chain", "setup-ci", "--include-python"];
initializeCliArguments(argv);
assert.ok(
warnings.some((m) => m.includes("--include-python is deprecated")),
"Expected a deprecation warning for --include-python in setup-ci"
);
} finally {
ui.writeWarning = originalWriteWarning;
}
});
});

249
packages/safe-chain/src/config/configFile.spec.js
View file

@ -1,32 +1,24 @@
import { describe, it, beforeEach, afterEach, mock } from "node:test";
import assert from "node:assert";
describe("getScanTimeout", () => {
let configFileContent = undefined;
mock.module("fs", {
namedExports: {
existsSync: () => configFileContent !== undefined,
readFileSync: () => configFileContent,
writeFileSync: (content) => (configFileContent = content),
mkdirSync: () => {},
},
});
describe("getScanTimeout", async () => {
let originalEnv;
let fsMock;
let getScanTimeout;
const { getScanTimeout } = await import("./configFile.js");
beforeEach(async () => {
// Save original environment
originalEnv = process.env.AIKIDO_SCAN_TIMEOUT_MS;
// Mock fs module
fsMock = {
existsSync: mock.fn(() => false),
readFileSync: mock.fn(() => "{}"),
writeFileSync: mock.fn(),
mkdirSync: mock.fn(),
};
mock.module("fs", {
namedExports: fsMock,
});
// Re-import the module to get the mocked version
const configFileModule = await import(
`./configFile.js?update=${Date.now()}`
);
getScanTimeout = configFileModule.getScanTimeout;
});
afterEach(() => {
@ -37,14 +29,12 @@ describe("getScanTimeout", () => {
delete process.env.AIKIDO_SCAN_TIMEOUT_MS;
}
// Reset all mocks
mock.restoreAll();
configFileContent = undefined;
});
it("should return default timeout of 10000ms when no config or env var is set", () => {
delete process.env.AIKIDO_SCAN_TIMEOUT_MS;
// Mock: config file doesn't exist
fsMock.existsSync.mock.mockImplementation(() => false);
configFileContent = undefined;
const timeout = getScanTimeout();
@ -53,11 +43,7 @@ describe("getScanTimeout", () => {
it("should return timeout from config file when set", () => {
delete process.env.AIKIDO_SCAN_TIMEOUT_MS;
// Mock: config file exists with scanTimeout: 5000
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ scanTimeout: 5000 })
);
configFileContent = JSON.stringify({ scanTimeout: 5000 });
const timeout = getScanTimeout();
@ -66,11 +52,7 @@ describe("getScanTimeout", () => {
it("should prioritize environment variable over config file", () => {
process.env.AIKIDO_SCAN_TIMEOUT_MS = "20000";
// Mock: config file exists with scanTimeout: 5000
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ scanTimeout: 5000 })
);
configFileContent = JSON.stringify({ scanTimeout: 5000 });
const timeout = getScanTimeout();
@ -79,11 +61,7 @@ describe("getScanTimeout", () => {
it("should handle invalid environment variable and fall back to config", () => {
process.env.AIKIDO_SCAN_TIMEOUT_MS = "invalid";
// Mock: config file exists with scanTimeout: 7000
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ scanTimeout: 7000 })
);
configFileContent = JSON.stringify({ scanTimeout: 7000 });
const timeout = getScanTimeout();
@ -91,8 +69,7 @@ describe("getScanTimeout", () => {
});
it("should ignore zero and negative values and fall back to default", () => {
// Mock: config file doesn't exist
fsMock.existsSync.mock.mockImplementation(() => false);
configFileContent = undefined;
process.env.AIKIDO_SCAN_TIMEOUT_MS = "0";
@ -107,11 +84,7 @@ describe("getScanTimeout", () => {
it("should ignore textual non-numeric values in environment variable and fall back to config", () => {
process.env.AIKIDO_SCAN_TIMEOUT_MS = "fast";
// Mock: config file exists with scanTimeout: 8000
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ scanTimeout: 8000 })
);
configFileContent = JSON.stringify({ scanTimeout: 8000 });
const timeout = getScanTimeout();
@ -120,11 +93,7 @@ describe("getScanTimeout", () => {
it("should ignore textual non-numeric values in config file and fall back to default", () => {
delete process.env.AIKIDO_SCAN_TIMEOUT_MS;
// Mock: config file exists with scanTimeout: "slow"
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ scanTimeout: "slow" })
);
configFileContent = JSON.stringify({ scanTimeout: "slow" });
const timeout = getScanTimeout();
@ -133,11 +102,7 @@ describe("getScanTimeout", () => {
it("should ignore textual non-numeric values in both env and config, fall back to default", () => {
process.env.AIKIDO_SCAN_TIMEOUT_MS = "quick";
// Mock: config file exists with scanTimeout: "medium"
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ scanTimeout: "medium" })
);
configFileContent = JSON.stringify({ scanTimeout: "medium" });
const timeout = getScanTimeout();
@ -146,11 +111,7 @@ describe("getScanTimeout", () => {
it("should ignore mixed alphanumeric strings in environment variable", () => {
process.env.AIKIDO_SCAN_TIMEOUT_MS = "5000ms";
// Mock: config file exists with scanTimeout: 6000
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ scanTimeout: 6000 })
);
configFileContent = JSON.stringify({ scanTimeout: 6000 });
const timeout = getScanTimeout();
@ -159,11 +120,7 @@ describe("getScanTimeout", () => {
it("should ignore mixed alphanumeric strings in config file", () => {
delete process.env.AIKIDO_SCAN_TIMEOUT_MS;
// Mock: config file exists with scanTimeout: "3000ms"
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ scanTimeout: "3000ms" })
);
configFileContent = JSON.stringify({ scanTimeout: "3000ms" });
const timeout = getScanTimeout();
@ -171,37 +128,15 @@ describe("getScanTimeout", () => {
});
});
describe("getMinimumPackageAgeHours", () => {
let fsMock;
let getMinimumPackageAgeHours;
beforeEach(async () => {
// Mock fs module
fsMock = {
existsSync: mock.fn(() => false),
readFileSync: mock.fn(() => "{}"),
writeFileSync: mock.fn(),
mkdirSync: mock.fn(),
};
mock.module("fs", {
namedExports: fsMock,
});
// Re-import the module to get the mocked version
const configFileModule = await import(
`./configFile.js?update=${Date.now()}`
);
getMinimumPackageAgeHours = configFileModule.getMinimumPackageAgeHours;
});
describe("getMinimumPackageAgeHours", async () => {
const { getMinimumPackageAgeHours } = await import("./configFile.js");
afterEach(() => {
// Reset all mocks
mock.restoreAll();
configFileContent = undefined;
});
it("should return null when config file doesn't exist", () => {
fsMock.existsSync.mock.mockImplementation(() => false);
configFileContent = undefined;
const hours = getMinimumPackageAgeHours();
@ -209,10 +144,7 @@ describe("getMinimumPackageAgeHours", () => {
});
it("should return null when config file exists but minimumPackageAgeHours is not set", () => {
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ scanTimeout: 5000 })
);
configFileContent = JSON.stringify({ scanTimeout: 5000 });
const hours = getMinimumPackageAgeHours();
@ -220,10 +152,7 @@ describe("getMinimumPackageAgeHours", () => {
});
it("should return value from config file when set to valid number", () => {
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ minimumPackageAgeHours: 48 })
);
configFileContent = JSON.stringify({ minimumPackageAgeHours: 48 });
const hours = getMinimumPackageAgeHours();
@ -231,10 +160,7 @@ describe("getMinimumPackageAgeHours", () => {
});
it("should handle string numbers in config file", () => {
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ minimumPackageAgeHours: "72" })
);
configFileContent = JSON.stringify({ minimumPackageAgeHours: "72" });
const hours = getMinimumPackageAgeHours();
@ -242,10 +168,7 @@ describe("getMinimumPackageAgeHours", () => {
});
it("should handle decimal values", () => {
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ minimumPackageAgeHours: 1.5 })
);
configFileContent = JSON.stringify({ minimumPackageAgeHours: 1.5 });
const hours = getMinimumPackageAgeHours();
@ -253,21 +176,15 @@ describe("getMinimumPackageAgeHours", () => {
});
it("should return null for non-numeric strings", () => {
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ minimumPackageAgeHours: "invalid" })
);
configFileContent = JSON.stringify({ minimumPackageAgeHours: "invalid" });
const hours = getMinimumPackageAgeHours();
assert.strictEqual(hours, undefined);
});
it("should return null for values with units suffix", () => {
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ minimumPackageAgeHours: "48h" })
);
it("should return undefined for values with units suffix", () => {
configFileContent = JSON.stringify({ minimumPackageAgeHours: "48h" });
const hours = getMinimumPackageAgeHours();
@ -275,8 +192,7 @@ describe("getMinimumPackageAgeHours", () => {
});
it("should handle malformed JSON and return null", () => {
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() => "{ invalid json");
configFileContent = "{ invalid json";
const hours = getMinimumPackageAgeHours();
@ -284,10 +200,7 @@ describe("getMinimumPackageAgeHours", () => {
});
it("should return 0 when minimumPackageAgeHours is set to 0", () => {
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ minimumPackageAgeHours: 0 })
);
configFileContent = JSON.stringify({ minimumPackageAgeHours: 0 });
const hours = getMinimumPackageAgeHours();
@ -295,10 +208,7 @@ describe("getMinimumPackageAgeHours", () => {
});
it("should return 0 when minimumPackageAgeHours is set to string '0'", () => {
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ minimumPackageAgeHours: "0" })
);
configFileContent = JSON.stringify({ minimumPackageAgeHours: "0" });
const hours = getMinimumPackageAgeHours();
@ -306,10 +216,7 @@ describe("getMinimumPackageAgeHours", () => {
});
it("should handle negative numeric values", () => {
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ minimumPackageAgeHours: -24 })
);
configFileContent = JSON.stringify({ minimumPackageAgeHours: -24 });
const hours = getMinimumPackageAgeHours();
@ -317,86 +224,10 @@ describe("getMinimumPackageAgeHours", () => {
});
it("should handle negative string values", () => {
fsMock.existsSync.mock.mockImplementation(() => true);
fsMock.readFileSync.mock.mockImplementation(() =>
JSON.stringify({ minimumPackageAgeHours: "-48" })
);
configFileContent = JSON.stringify({ minimumPackageAgeHours: "-48" });
const hours = getMinimumPackageAgeHours();
assert.strictEqual(hours, -48);
});
});
describe("environmentVariables - getMinimumPackageAgeHours", () => {
let originalEnv;
let getMinimumPackageAgeHours;
beforeEach(async () => {
// Save original environment
originalEnv = process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS;
// Re-import the module to get fresh version
const envModule = await import(
`./environmentVariables.js?update=${Date.now()}`
);
getMinimumPackageAgeHours = envModule.getMinimumPackageAgeHours;
});
afterEach(() => {
// Restore original environment
if (originalEnv !== undefined) {
process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS = originalEnv;
} else {
delete process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS;
}
});
it("should return undefined when environment variable is not set", () => {
delete process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS;
const hours = getMinimumPackageAgeHours();
assert.strictEqual(hours, undefined);
});
it("should return value when environment variable is set to a number", () => {
process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS = "48";
const hours = getMinimumPackageAgeHours();
assert.strictEqual(hours, "48");
});
it("should return '0' when environment variable is set to '0'", () => {
process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS = "0";
const hours = getMinimumPackageAgeHours();
assert.strictEqual(hours, "0");
});
it("should return value when set to decimal", () => {
process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS = "1.5";
const hours = getMinimumPackageAgeHours();
assert.strictEqual(hours, "1.5");
});
it("should return value even if non-numeric (validation happens in settings.js)", () => {
process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS = "invalid";
const hours = getMinimumPackageAgeHours();
assert.strictEqual(hours, "invalid");
});
it("should return negative values (validation happens in settings.js)", () => {
process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS = "-24";
const hours = getMinimumPackageAgeHours();
assert.strictEqual(hours, "-24");
});
});

8
packages/safe-chain/src/shell-integration/setup-ci.js
View file

@ -5,8 +5,6 @@ import fs from "fs";
import os from "os";
import path from "path";
import { fileURLToPath } from "url";
import { includePython } from "../config/cliArguments.js";
import { ECOSYSTEM_PY } from "../config/settings.js";
/** @type {string} */
// This checks the current file's dirname in a way that's compatible with:
@ -162,9 +160,5 @@ function modifyPathForCi(shimsDir, binDir) {
}
function getToolsToSetup() {
if (includePython()) {
return knownAikidoTools;
} else {
return knownAikidoTools.filter((tool) => tool.ecoSystem !== ECOSYSTEM_PY);
}
return knownAikidoTools;
}

3
packages/safe-chain/src/shell-integration/setup.js
View file

@ -4,7 +4,6 @@ import { detectShells } from "./shellDetection.js";
import { knownAikidoTools, getPackageManagerList, getScriptsDir } from "./helpers.js";
import fs from "fs";
import path from "path";
import { includePython } from "../config/cliArguments.js";
import { fileURLToPath } from "url";
/** @type {string} */
@ -118,7 +117,7 @@ function copyStartupFiles() {
// Use absolute path for source
const sourcePath = path.join(
dirname,
includePython() ? "startup-scripts/include-python" : "startup-scripts",
"startup-scripts",
file
);
fs.copyFileSync(sourcePath, targetPath);

98
packages/safe-chain/src/shell-integration/startup-scripts/include-python/init-fish.fish
View file

@ -1,98 +0,0 @@
set -gx PATH $PATH $HOME/.safe-chain/bin
function npx
wrapSafeChainCommand "npx" $argv
end
function yarn
wrapSafeChainCommand "yarn" $argv
end
function pnpm
wrapSafeChainCommand "pnpm" $argv
end
function pnpx
wrapSafeChainCommand "pnpx" $argv
end
function bun
wrapSafeChainCommand "bun" $argv
end
function bunx
wrapSafeChainCommand "bunx" $argv
end
function npm
# If args is just -v or --version and nothing else, just run the `npm -v` command
# This is because nvm uses this to check the version of npm
set argc (count $argv)
if test $argc -eq 1
switch $argv[1]
case "-v" "--version"
command npm $argv
return
end
end
wrapSafeChainCommand "npm" $argv
end
function pip
wrapSafeChainCommand "pip" $argv
end
function pip3
wrapSafeChainCommand "pip3" $argv
end
function uv
wrapSafeChainCommand "uv" $argv
end
function poetry
wrapSafeChainCommand "poetry" $argv
end
# `python -m pip`, `python -m pip3`.
function python
wrapSafeChainCommand "python" $argv
end
# `python3 -m pip`, `python3 -m pip3'.
function python3
wrapSafeChainCommand "python3" $argv
end
function printSafeChainWarning
set original_cmd $argv[1]
# Fish equivalent of ANSI color codes: yellow background, black text for "Warning:"
set_color -b yellow black
printf "Warning:"
set_color normal
printf " safe-chain is not available to protect you from installing malware. %s will run without it.\n" $original_cmd
# Cyan text for the install command
printf "Install safe-chain by using "
set_color cyan
printf "npm install -g @aikidosec/safe-chain"
set_color normal
printf ".\n"
end
function wrapSafeChainCommand
set original_cmd $argv[1]
set cmd_args $argv[2..-1]
if type -q safe-chain
# If the safe-chain command is available, just run it with the provided arguments
safe-chain $original_cmd $cmd_args
else
# If the safe-chain command is not available, print a warning and run the original command
printSafeChainWarning $original_cmd
command $original_cmd $cmd_args
end
end

85
packages/safe-chain/src/shell-integration/startup-scripts/include-python/init-posix.sh
View file

@ -1,85 +0,0 @@
export PATH="$PATH:$HOME/.safe-chain/bin"
function npx() {
wrapSafeChainCommand "npx" "$@"
}
function yarn() {
wrapSafeChainCommand "yarn" "$@"
}
function pnpm() {
wrapSafeChainCommand "pnpm" "$@"
}
function pnpx() {
wrapSafeChainCommand "pnpx" "$@"
}
function bun() {
wrapSafeChainCommand "bun" "$@"
}
function bunx() {
wrapSafeChainCommand "bunx" "$@"
}
function npm() {
if [[ "$1" == "-v" || "$1" == "--version" ]] && [[ $# -eq 1 ]]; then
# If args is just -v or --version and nothing else, just run the npm version command
# This is because nvm uses this to check the version of npm
command npm "$@"
return
fi
wrapSafeChainCommand "npm" "$@"
}
function pip() {
wrapSafeChainCommand "pip" "$@"
}
function pip3() {
wrapSafeChainCommand "pip3" "$@"
}
function uv() {
wrapSafeChainCommand "uv" "$@"
}
function poetry() {
wrapSafeChainCommand "poetry" "$@"
}
# `python -m pip`, `python -m pip3`.
function python() {
wrapSafeChainCommand "python" "$@"
}
# `python3 -m pip`, `python3 -m pip3'.
function python3() {
wrapSafeChainCommand "python3" "$@"
}
function printSafeChainWarning() {
# \033[43;30m is used to set the background color to yellow and text color to black
# \033[0m is used to reset the text formatting
printf "\033[43;30mWarning:\033[0m safe-chain is not available to protect you from installing malware. %s will run without it.\n" "$1"
# \033[36m is used to set the text color to cyan
printf "Install safe-chain by using \033[36mnpm install -g @aikidosec/safe-chain\033[0m.\n"
}
function wrapSafeChainCommand() {
local original_cmd="$1"
if command -v safe-chain > /dev/null 2>&1; then
# If the aikido command is available, just run it with the provided arguments
safe-chain "$@"
else
# If the aikido command is not available, print a warning and run the original command
printSafeChainWarning "$original_cmd"
command "$original_cmd" "$@"
fi
}

119
packages/safe-chain/src/shell-integration/startup-scripts/include-python/init-pwsh.ps1
View file

@ -1,119 +0,0 @@
# Use cross-platform path separator (: on Unix, ; on Windows)
$pathSeparator = if ($IsWindows) { ';' } else { ':' }
$safeChainBin = Join-Path (Join-Path $HOME '.safe-chain') 'bin'
$env:PATH = "$env:PATH$pathSeparator$safeChainBin"
function npx {
Invoke-WrappedCommand "npx" $args
}
function yarn {
Invoke-WrappedCommand "yarn" $args
}
function pnpm {
Invoke-WrappedCommand "pnpm" $args
}
function pnpx {
Invoke-WrappedCommand "pnpx" $args
}
function bun {
Invoke-WrappedCommand "bun" $args
}
function bunx {
Invoke-WrappedCommand "bunx" $args
}
function npm {
# If args is just -v or --version and nothing else, just run the npm version command
# This is because nvm uses this to check the version of npm
if (($args.Length -eq 1) -and (($args[0] -eq "-v") -or ($args[0] -eq "--version"))) {
Invoke-RealCommand "npm" $args
return
}
Invoke-WrappedCommand "npm" $args
}
function pip {
Invoke-WrappedCommand "pip" $args
}
function pip3 {
Invoke-WrappedCommand "pip3" $args
}
function uv {
Invoke-WrappedCommand "uv" $args
}
function poetry {
Invoke-WrappedCommand "poetry" $args
}
# `python -m pip`, `python -m pip3`.
function python {
Invoke-WrappedCommand 'python' $args
}
# `python3 -m pip`, `python3 -m pip3'.
function python3 {
Invoke-WrappedCommand 'python3' $args
}
function Write-SafeChainWarning {
param([string]$Command)
# PowerShell equivalent of ANSI color codes: yellow background, black text for "Warning:"
Write-Host "Warning:" -BackgroundColor Yellow -ForegroundColor Black -NoNewline
Write-Host " safe-chain is not available to protect you from installing malware. $Command will run without it."
# Cyan text for the install command
Write-Host "Install safe-chain by using " -NoNewline
Write-Host "npm install -g @aikidosec/safe-chain" -ForegroundColor Cyan -NoNewline
Write-Host "."
}
function Test-CommandAvailable {
param([string]$Command)
try {
Get-Command $Command -ErrorAction Stop | Out-Null
return $true
}
catch {
return $false
}
}
function Invoke-RealCommand {
param(
[string]$Command,
[string[]]$Arguments
)
# Find the real executable to avoid calling our wrapped functions
$realCommand = Get-Command -Name $Command -CommandType Application | Select-Object -First 1
if ($realCommand) {
& $realCommand.Source @Arguments
}
}
function Invoke-WrappedCommand {
param(
[string]$OriginalCmd,
[string[]]$Arguments
)
if (Test-CommandAvailable "safe-chain") {
& safe-chain $OriginalCmd @Arguments
}
else {
Write-SafeChainWarning $OriginalCmd
Invoke-RealCommand $OriginalCmd $Arguments
}
}

27
packages/safe-chain/src/shell-integration/startup-scripts/init-fish.fish
View file

@ -39,6 +39,33 @@ function npm
wrapSafeChainCommand "npm" $argv
end
function pip
wrapSafeChainCommand "pip" $argv
end
function pip3
wrapSafeChainCommand "pip3" $argv
end
function uv
wrapSafeChainCommand "uv" $argv
end
function poetry
wrapSafeChainCommand "poetry" $argv
end
# `python -m pip`, `python -m pip3`.
function python
wrapSafeChainCommand "python" $argv
end
# `python3 -m pip`, `python3 -m pip3'.
function python3
wrapSafeChainCommand "python3" $argv
end
function printSafeChainWarning
set original_cmd $argv[1]

27
packages/safe-chain/src/shell-integration/startup-scripts/init-posix.sh
View file

@ -35,6 +35,33 @@ function npm() {
wrapSafeChainCommand "npm" "$@"
}
function pip() {
wrapSafeChainCommand "pip" "$@"
}
function pip3() {
wrapSafeChainCommand "pip3" "$@"
}
function uv() {
wrapSafeChainCommand "uv" "$@"
}
function poetry() {
wrapSafeChainCommand "poetry" "$@"
}
# `python -m pip`, `python -m pip3`.
function python() {
wrapSafeChainCommand "python" "$@"
}
# `python3 -m pip`, `python3 -m pip3'.
function python3() {
wrapSafeChainCommand "python3" "$@"
}
function printSafeChainWarning() {
# \033[43;30m is used to set the background color to yellow and text color to black
# \033[0m is used to reset the text formatting

31
packages/safe-chain/src/shell-integration/startup-scripts/init-pwsh.ps1
View file

@ -1,5 +1,7 @@
# Use cross-platform path separator (: on Unix, ; on Windows)
$pathSeparator = if ($IsWindows) { ';' } else { ':' }
# $IsWindows is only available in PowerShell Core 6.0+. If it doesn't exist, assume Windows PowerShell
$isWindowsPlatform = if (Test-Path variable:IsWindows) { $IsWindows } else { $true }
$pathSeparator = if ($isWindowsPlatform) { ';' } else { ':' }
$safeChainBin = Join-Path (Join-Path $HOME '.safe-chain') 'bin'
$env:PATH = "$env:PATH$pathSeparator$safeChainBin"
@ -38,6 +40,33 @@ function npm {
Invoke-WrappedCommand "npm" $args
}
function pip {
Invoke-WrappedCommand "pip" $args
}
function pip3 {
Invoke-WrappedCommand "pip3" $args
}
function uv {
Invoke-WrappedCommand "uv" $args
}
function poetry {
Invoke-WrappedCommand "poetry" $args
}
# `python -m pip`, `python -m pip3`.
function python {
Invoke-WrappedCommand 'python' $args
}
# `python3 -m pip`, `python3 -m pip3'.
function python3 {
Invoke-WrappedCommand 'python3' $args
}
function Write-SafeChainWarning {
param([string]$Command)

8
test/e2e/certbundle.e2e.spec.js
View file

@ -231,7 +231,7 @@ describe("E2E: NODE_EXTRA_CA_CERTS merging", () => {
it(`pip install works without NODE_EXTRA_CA_CERTS set`, async () => {
const shell = await container.openShell("zsh");
await shell.runCommand("safe-chain setup --include-python");
await shell.runCommand("safe-chain setup");
await shell.runCommand("unset NODE_EXTRA_CA_CERTS");
const result = await shell.runCommand(
@ -247,7 +247,7 @@ describe("E2E: NODE_EXTRA_CA_CERTS merging", () => {
it(`pip install works with valid NODE_EXTRA_CA_CERTS set`, async () => {
const shell = await container.openShell("zsh");
await shell.runCommand("safe-chain setup --include-python");
await shell.runCommand("safe-chain setup");
// Create a temporary valid certificate
await shell.runCommand("cp /etc/ssl/certs/ca-certificates.crt /tmp/pip-valid-certs.pem");
@ -265,7 +265,7 @@ describe("E2E: NODE_EXTRA_CA_CERTS merging", () => {
it(`pip install handles non-existent NODE_EXTRA_CA_CERTS gracefully`, async () => {
const shell = await container.openShell("zsh");
await shell.runCommand("safe-chain setup --include-python");
await shell.runCommand("safe-chain setup");
const result = await shell.runCommand(
'export NODE_EXTRA_CA_CERTS="/tmp/nonexistent-pip-certs.pem" && pip3 install --break-system-packages requests'
@ -281,7 +281,7 @@ describe("E2E: NODE_EXTRA_CA_CERTS merging", () => {
it(`pip install handles invalid NODE_EXTRA_CA_CERTS gracefully`, async () => {
const shell = await container.openShell("zsh");
await shell.runCommand("safe-chain setup --include-python");
await shell.runCommand("safe-chain setup");
// Create invalid cert
await shell.runCommand(

45
test/e2e/include-python-deprecation.e2e.spec.js Normal file
View file

@ -0,0 +1,45 @@
import { describe, it, before, beforeEach, afterEach } from "node:test";
import { DockerTestContainer } from "./DockerTestContainer.js";
import assert from "node:assert";
describe("E2E: deprecated --include-python handling", () => {
let container;
before(async () => {
DockerTestContainer.buildImage();
});
beforeEach(async () => {
container = new DockerTestContainer();
await container.start();
});
afterEach(async () => {
if (container) {
await container.stop();
container = null;
}
});
for (let shell of ["bash", "zsh"]) {
it(`safe-chain setup warns and continues for ${shell}`, async () => {
const sh = await container.openShell(shell);
const result = await sh.runCommand("safe-chain setup --include-python");
assert.ok(
result.output.toLowerCase().includes("deprecated and ignored"),
`Expected warning about deprecated --include-python. Output was:\n${result.output}`
);
});
it(`safe-chain setup-ci warns and continues for ${shell}`, async () => {
const sh = await container.openShell(shell);
const result = await sh.runCommand("safe-chain setup-ci --include-python");
assert.ok(
result.output.toLowerCase().includes("deprecated and ignored"),
`Expected warning about deprecated --include-python. Output was:\n${result.output}`
);
});
}
});

10
test/e2e/pip-ci.e2e.spec.js
View file

@ -86,7 +86,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
// Setup safe-chain CI shims
const installationShell = await container.openShell(shell);
await installationShell.runCommand(
"safe-chain setup-ci --include-python"
"safe-chain setup-ci"
);
// Add $HOME/.safe-chain/shims to PATH for subsequent shells
@ -115,7 +115,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
it(`setup-ci routes python -m pip through safe-chain for ${shell}`, async () => {
const installationShell = await container.openShell(shell);
await installationShell.runCommand(
"safe-chain setup-ci --include-python"
"safe-chain setup-ci"
);
await installationShell.runCommand(
"echo 'export PATH=\"$HOME/.safe-chain/shims:$PATH\"' >> ~/.zshrc"
@ -138,7 +138,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
it(`setup-ci routes python3 -m pip through safe-chain for ${shell}`, async () => {
const installationShell = await container.openShell(shell);
await installationShell.runCommand(
"safe-chain setup-ci --include-python"
"safe-chain setup-ci"
);
await installationShell.runCommand(
"echo 'export PATH=\"$HOME/.safe-chain/shims:$PATH\"' >> ~/.zshrc"
@ -161,7 +161,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
it(`setup-ci routes pip through safe-chain for ${shell}`, async () => {
const installationShell = await container.openShell(shell);
await installationShell.runCommand(
"safe-chain setup-ci --include-python"
"safe-chain setup-ci"
);
await installationShell.runCommand(
"echo 'export PATH=\"$HOME/.safe-chain/shims:$PATH\"' >> ~/.zshrc"
@ -184,7 +184,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
it(`setup-ci routes pip3 through safe-chain for ${shell}`, async () => {
const installationShell = await container.openShell(shell);
await installationShell.runCommand(
"safe-chain setup-ci --include-python"
"safe-chain setup-ci"
);
await installationShell.runCommand(
"echo 'export PATH=\"$HOME/.safe-chain/shims:$PATH\"' >> ~/.zshrc"

2
test/e2e/pip.e2e.spec.js
View file

@ -15,7 +15,7 @@ describe("E2E: pip coverage", () => {
await container.start();
const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup --include-python");
await installationShell.runCommand("safe-chain setup");
// Clear pip cache before each test to ensure fresh downloads through proxy
await installationShell.runCommand("pip3 cache purge");

2
test/e2e/poetry.e2e.spec.js
View file

@ -15,7 +15,7 @@ describe("E2E: poetry coverage", () => {
await container.start();
const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup --include-python");
await installationShell.runCommand("safe-chain setup");
// Clear poetry cache
await installationShell.runCommand("command poetry cache clear pypi --all -n");

21
test/e2e/teardown-dirs.e2e.spec.js
View file

@ -57,20 +57,18 @@ describe("E2E: safe-chain teardown command", () => {
assert.ok(checkScriptsGone.output.includes("missing"), "Scripts directory should be removed after teardown");
});
it("safe-chain teardown removes shims directory created by setup-ci --include-python", async () => {
it("safe-chain teardown removes shims directory created by setup-ci", async () => {
const shell = await container.openShell("bash");
// Run setup-ci with --include-python
await shell.runCommand("safe-chain setup-ci --include-python");
// Run setup-ci
await shell.runCommand("safe-chain setup-ci");
// Verify shims directory exists
const checkShimsExist = await shell.runCommand("test -d ~/.safe-chain/shims && echo 'exists' || echo 'missing'");
assert.ok(checkShimsExist.output.includes("exists"), "Shims directory should exist after setup-ci --include-python");
assert.ok(checkShimsExist.output.includes("exists"), "Shims directory should exist after setup-ci");
// Verify Python shims were created
const checkPythonShims = await shell.runCommand("test -f ~/.safe-chain/shims/pip && echo 'exists' || echo 'missing'");
assert.ok(checkPythonShims.output.includes("exists"), "Python shims should exist after setup-ci --include-python");
assert.ok(checkPythonShims.output.includes("exists"), "Python shims should exist after setup-ci");
// Run teardown
await shell.runCommand("safe-chain teardown");
@ -79,15 +77,14 @@ describe("E2E: safe-chain teardown command", () => {
assert.ok(checkShimsGone.output.includes("missing"), "Shims directory should be removed after teardown");
});
it("safe-chain teardown removes scripts directory created by setup --include-python", async () => {
it("safe-chain teardown removes scripts directory created by setup", async () => {
const shell = await container.openShell("bash");
// Run setup with --include-python
await shell.runCommand("safe-chain setup --include-python");
// Run setup
await shell.runCommand("safe-chain setup");
// Verify scripts directory exists
const checkScriptsExist = await shell.runCommand("test -d ~/.safe-chain/scripts && echo 'exists' || echo 'missing'");
assert.ok(checkScriptsExist.output.includes("exists"), "Scripts directory should exist after setup --include-python");
assert.ok(checkScriptsExist.output.includes("exists"), "Scripts directory should exist after setup");
// Run teardown
await shell.runCommand("safe-chain teardown");

2
test/e2e/uv.e2e.spec.js
View file

@ -15,7 +15,7 @@ describe("E2E: uv coverage", () => {
await container.start();
const installationShell = await container.openShell("zsh");
await installationShell.runCommand("safe-chain setup --include-python");
await installationShell.runCommand("safe-chain setup");
// Clear uv cache
await installationShell.runCommand("uv cache clean");