Implement a proxy blocking tarball requests for packages containing malware.

2026-05-26 12:10:49 +00:00 · 2025-09-30 13:52:21 +02:00 · 2025-09-30 13:52:21 +02:00 · e2afcb16e3
commit e2afcb16e3
parent 04cb001006
16 changed files with 633 additions and 33 deletions
--- a/packages/safe-chain/src/packagemanager/pnpm/runPnpmCommand.js
+++ b/packages/safe-chain/src/packagemanager/pnpm/runPnpmCommand.js
@ -1,13 +1,20 @@
 import { ui } from "../../environment/userInteraction.js";
-import { safeSpawnSync } from "../../utils/safeSpawn.js";
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { safeSpawn } from "../../utils/safeSpawn.js";

-export function runPnpmCommand(args, toolName = "pnpm") {
+export async function runPnpmCommand(args, toolName = "pnpm") {
  try {
    let result;
    if (toolName === "pnpm") {
-      result = safeSpawnSync("pnpm", args, { stdio: "inherit" });
+      result = await safeSpawn("pnpm", args, {
+        stdio: "inherit",
+        env: mergeSafeChainProxyEnvironmentVariables(process.env),
+      });
    } else if (toolName === "pnpx") {
-      result = safeSpawnSync("pnpx", args, { stdio: "inherit" });
+      result = await safeSpawn("pnpx", args, {
+        stdio: "inherit",
+        env: mergeSafeChainProxyEnvironmentVariables(process.env),
+      });
    } else {
      throw new Error(`Unsupported tool name for aikido-pnpm: ${toolName}`);
    }