From cb9f3ee145cbb5e133fe2b0fdca309b2c1b9b68c Mon Sep 17 00:00:00 2001 From: Uriel Corfa Date: Thu, 11 Dec 2025 13:58:56 +0100 Subject: [PATCH] Do not rely on asynchronous import of child_process. Importing child_process asynchronously causes loader errors when running the binary dist: $ ./dist/safe-chain python --safe-chain-logging=verbose Safe-chain: Bypassing safe-chain for non-pip invocation: python Failed to check for malicious packages: A dynamic import callback was not specified. $ Relying on a regular import does not cause this issue. There is no obvious reason for this import to be dynamic (in particular, there are no tests using this to mock the spawn function), so let's simplify. --- packages/safe-chain/src/packagemanager/pip/runPipCommand.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js index ad0d76d..83bc03e 100644 --- a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js +++ b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js @@ -8,6 +8,7 @@ import fsSync from "node:fs"; import os from "node:os"; import path from "node:path"; import ini from "ini"; +import { spawn } from "child_process"; /** * Checks if this pip invocation should bypass safe-chain and spawn directly. @@ -77,7 +78,6 @@ export async function runPip(command, args) { if (shouldBypassSafeChain(command, args)) { ui.writeVerbose(`Safe-chain: Bypassing safe-chain for non-pip invocation: ${command} ${args.join(" ")}`); // Spawn the ORIGINAL command with ORIGINAL args - const { spawn } = await import("child_process"); return new Promise((_resolve) => { const proc = spawn(command, args, { stdio: "inherit" }); proc.on("exit", (/** @type {number | null} */ code) => {