
Releases: AikidoSec/safe-chain

1.1.7

31 Oct 13:19
d5dc801


Bugfix

Prevent crashes from missing socket error handlers in #130

1.1.6

27 Oct 13:10
c284ad7


What's Changed

  • Introduce silent mode to disable logging in #123
  • Remove --safe-chain-malware-action flag in #125 and #126

Bugs fixed:

  • Fix crash when a package has no version at all (retracted packages) in #114
  • Escape special characters in shell scripts in #91

Full Changelog: 1.1.5...1.1.6

1.1.5

15 Oct 11:43
b935f8d


Allow safe-chain to act as a regular HTTP proxy too

This change lets safe-chain work correctly with a local HTTP-only registry. It also fixes a bug where plain HTTP requests sent through the proxy were rejected with HTTP 400 Bad Request.

Reduce timeout limits when installing packages

With npm >= 10.4.0, safe-chain now relies on its built-in proxy to block downloads of packages containing malware. This fixes a timeout in the scanner that occurred while determining which packages a given command would change.

Other changes

Added a command that prints the safe-chain version: safe-chain --version (or the shorthand -v).

Full Changelog: 1.1.4...1.1.5

1.1.4

10 Oct 12:20
a2d9469


This release fixes a crash in safe-chain when the proxy client sends a TCP RST instead of a FIN, which surfaces as ECONNRESET on the proxy's socket.

1.1.3

09 Oct 14:58
7603a29


This release fixes a TLS error when using yarn 3 or yarn 4 with a private registry.

1.1.2

08 Oct 17:55
662b26a


Fixed a bug where the safe-chain proxy was writing to a closed stream.

1.1.1

08 Oct 14:59
cfce641


Small update to README.md to reflect full package manager support and bun support (see release notes of 1.1.0)

1.1.0

08 Oct 14:53
329405e


Full Package Manager Support

Starting from version 1.1.0, Aikido Safe Chain now provides complete protection for all package managers. We've changed how we block malicious packages: instead of checking which packages are being installed, we run a lightweight proxy server that intercepts and blocks downloads of packages containing malware. This means full dependency tree protection for all package managers, not just npm.
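
Blocking at download time means the proxy has to recognise, from the request alone, which package and version is being fetched, including scoped packages and pre-release versions. The following is an added example, not safe-chain's own code, of that identification step and a block/allow decision. It assumes the proxy already sees the request path in plaintext (these notes do not describe how TLS is handled), the blocklist entries are constructed samples, and the helper names (parseTarballPath, decide) are assumptions for this example.

```javascript
// Added example, not safe-chain's code: identify which package@version a
// registry tarball request refers to and decide whether the proxy lets it
// through. Assumes the proxy sees the plaintext request path; the BLOCKED
// entries below are constructed samples, not real packages.
const BLOCKED = new Set([
  'example-trojan@1.2.3',          // constructed sample
  '@acme/compromised-lib@4.0.1',   // constructed sample
]);

// npm-compatible registries serve tarballs from
//   /<name>/-/<name>-<version>.tgz
//   /@<scope>/<name>/-/<name>-<version>.tgz
// The file name repeats the unscoped name, so everything between
// "<name>-" and ".tgz" is the version, pre-release suffixes included.
// Returns { name, version } or null when the path is not a tarball download
// (metadata requests, audit endpoints, and so on are allowed through).
function parseTarballPath(pathname) {
  const parts = decodeURIComponent(pathname).split('/').filter(Boolean);
  const dash = parts.indexOf('-');
  if (dash < 1 || dash !== parts.length - 2) return null;
  const nameParts = parts.slice(0, dash);
  if (nameParts.length > 2) return null;
  if (nameParts.length === 2 && !nameParts[0].startsWith('@')) return null;
  const unscoped = nameParts[nameParts.length - 1];
  const file = parts[dash + 1];
  const prefix = unscoped + '-';
  if (!file.startsWith(prefix) || !file.endsWith('.tgz')) return null;
  const version = file.slice(prefix.length, -'.tgz'.length);
  if (!version) return null;
  return { name: nameParts.join('/'), version };
}

// The proxy's decision for one request path. Only tarball downloads are
// gated; everything else passes so that resolution and lockfile handling
// still work as normal.
function decide(pathname) {
  const pkg = parseTarballPath(pathname);
  if (!pkg) return { action: 'allow', reason: 'not a tarball download' };
  const id = `${pkg.name}@${pkg.version}`;
  if (BLOCKED.has(id)) return { action: 'block', package: id, status: 403 };
  return { action: 'allow', package: id };
}
```

Because the gate sits on the tarball request rather than on the command line, a transitive dependency pulled in by any package manager hits the same check, which is what the full dependency tree protection above amounts to.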

Bun support

Aikido Safe Chain now protects both bun install and bunx commands, providing the same comprehensive malware detection for Bun users as other package managers.

This release also includes a bugfix for Windows PowerShell, preventing duplicated empty lines in the startup script (#76).

1.0.24

24 Sep 13:54
04cb001


CI / CD Support for GitHub Actions and Azure Pipelines

With the safe-chain setup-ci command, safe-chain can now wrap npm commands for CI / CD.

Package installation is now blocked when scanning fails

Previously, safe-chain would still run the requested command if scanning failed. Now we block the installation and exit with code 1.

Other changes

  • Updates to the docs of the shell integration, adding manual setup instructions.
  • Fix broken pnpm commands on Windows when safe-chain is installed through npm
  • Fix for fish shell integration

1.0.23

18 Sep 10:51
9a95385


Improvements to shell integration

  • We now create the directory for the shell startup script if it does not exist. #56
  • We now use correct line endings for bash, zsh and fish on Windows. #31
  • Safe-chain setup doesn't remove empty lines in the shell startup script anymore. #61

Stricter dependency versions

Safe-chain's package.json now pins exact versions of its own dependencies instead of floating version ranges.

Other updates

README.md explains the limitations of scanning in certain package managers better.