[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-75755":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":9,"totalLinesOfCode":9,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":9,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":22,"hasPages":22,"topics":9,"createdAt":9,"pushedAt":9,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":16,"starSnapshotCount":16,"syncStatus":27,"lastSyncTime":28,"discoverSource":29},75755,"safe-chain","AikidoSec\u002Fsafe-chain","AikidoSec","Protect against malicious code installed via npm, yarn, pnpm, npx, pnpx, pip, uv and poetry with Aikido Safe Chain. Free to use, no tokens required.",null,"https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain","JavaScript",1534,92,9,70,0,23,54,256,69,100.91,false,"main","2026-06-12 04:01:18","![Aikido Safe Chain](https:\u002F\u002Fraw.githubusercontent.com\u002FAikidoSec\u002Fsafe-chain\u002Fmain\u002Fdocs\u002Fbanner.svg)\n\n# Aikido Safe Chain\n\n[![NPM Version](https:\u002F\u002Fimg.shields.io\u002Fnpm\u002Fv\u002F%40aikidosec%2Fsafe-chain?style=flat-square)](https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002F@aikidosec\u002Fsafe-chain)\n[![NPM Downloads](https:\u002F\u002Fimg.shields.io\u002Fnpm\u002Fdw\u002F%40aikidosec%2Fsafe-chain?style=flat-square)](https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002F@aikidosec\u002Fsafe-chain)\n\n- ✅ **Block malware on developer laptops and CI\u002FCD**\n- ✅ **Supports npm and PyPI** more package managers coming\n- ✅ **Blocks packages newer than 48 hours** without breaking your build\n- ✅ **Tokenless, free, no build data shared**\n\n## Need protection beyond npm & PyPI?\n\n[Aikido 
Endpoint](https:\u002F\u002Fwww.aikido.dev\u002Fprotect\u002Fendpoint-protection?utm_source=github.com&utm_medium=referral&utm_campaign=safechain) builds on Safe Chain, extending package and extension security across more ecosystems: **npm**, **PyPI**, **Maven**, **NuGet**, **VS Code**, **Open VSX** - (Cursor, Windsurf, Kiro, Vs Codium, ...), **Chrome extensions**, **Skills.sh AI skills** and more.\n\nGet centralized policy management, request-and-approval workflows, and visibility across every developer workstation in your org. Powered by the same Aikido Intel feed. Deploy it manually or manage it through your MDM tool (Jamf, Fleet, or Iru).\n\n---\n\nAikido Safe Chain supports the following package managers:\n\n- 📦 **npm**\n- 📦 **npx**\n- 📦 **yarn**\n- 📦 **pnpm**\n- 📦 **pnpx**\n- 📦 **rush**\n- 📦 **rushx**\n- 📦 **bun**\n- 📦 **bunx**\n- 📦 **pip**\n- 📦 **pip3**\n- 📦 **uv**\n- 📦 **poetry**\n- 📦 **uvx**\n- 📦 **pipx**\n- 📦 **pdm**\n\n# Usage\n\n![Aikido Safe Chain demo](https:\u002F\u002Fraw.githubusercontent.com\u002FAikidoSec\u002Fsafe-chain\u002Fmain\u002Fdocs\u002Fsafe-package-manager-demo.gif)\n\n## Installation\n\nInstalling the Aikido Safe Chain is easy with our one-line installer.\n\n### Unix\u002FLinux\u002FmacOS\n\n```shell\ncurl -fsSL https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Finstall-safe-chain.sh | sh\n```\n\n### Windows (PowerShell)\n\n```powershell\niex (iwr \"https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Finstall-safe-chain.ps1\" -UseBasicParsing)\n```\n\n### Pinning to a specific version\n\nTo install a specific version instead of the latest, replace `latest` with the version number in the URL (available from version 1.3.2 onwards):\n\n**Unix\u002FLinux\u002FmacOS:**\n\n```shell\ncurl -fsSL https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Fdownload\u002Fx.x.x\u002Finstall-safe-chain.sh | 
sh\n```\n\n**Windows (PowerShell):**\n\n```powershell\niex (iwr \"https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Fdownload\u002Fx.x.x\u002Finstall-safe-chain.ps1\" -UseBasicParsing)\n```\n\nYou can find all available versions on the [releases page](https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases).\n\n### Verify the installation\n\n1. **❗Restart your terminal** to start using the Aikido Safe Chain.\n   - This step is crucial as it ensures that the shell aliases for npm, npx, yarn, pnpm, pnpx, rush, rushx, bun, bunx, pip, pip3, poetry, uv, uvx, pipx and pdm are loaded correctly. If you do not restart your terminal, the aliases will not be available.\n\n2. **Verify the installation** by running the verification command:\n\n   ```shell\n   npm safe-chain-verify\n   pnpm safe-chain-verify\n   pip safe-chain-verify\n   uv safe-chain-verify\n\n   # Any other supported package manager: {packagemanager} safe-chain-verify\n   ```\n\n   - The output should display \"OK: Safe-chain works!\" confirming that Aikido Safe Chain is properly installed and running.\n\n3. **(Optional) Test malware blocking** by attempting to install a test package:\n\n   For JavaScript\u002FNode.js:\n\n   ```shell\n   npm install safe-chain-test\n   ```\n\n   For Python:\n\n   ```shell\n   pip3 install safe-chain-pi-test\n   ```\n\n   - The output should show that Aikido Safe Chain is blocking the installation of these test packages as they are flagged as malware.\n\nWhen running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `rush`, `rushx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `uvx`, `poetry`, `pipx` and `pdm` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. It also intercepts Python module invocations for pip when available (e.g., `python -m pip install ...`, `python3 -m pip download ...`). 
If any malware is detected, it will prompt you to exit the command.\n\nYou can check the installed version by running:\n\n```shell\nsafe-chain --version\n```\n\n## How it works\n\n### Malware Blocking\n\nThe Aikido Safe Chain works by running a lightweight proxy server that intercepts package downloads from the npm registry and PyPI. When you run npm, npx, yarn, pnpm, pnpx, rush, rushx, bun, bunx, pip, pip3, uv, uvx, poetry, pipx or pdm commands, all package downloads are routed through this local proxy, which verifies packages in real-time against **[Aikido Intel - Open Sources Threat Intelligence](https:\u002F\u002Fintel.aikido.dev\u002F?tab=malware)**. If malware is detected in any package (including deep dependencies), the proxy blocks the download before the malicious code reaches your machine.\n\n### Minimum package age\n\nSafe Chain applies minimum package age checks to supported ecosystems.\n\nCurrent enforcement differs by ecosystem:\n\n- npm-based package managers:\n  - during normal package resolution, Safe Chain suppresses versions that are newer than the configured minimum age from the package metadata returned by the registry\n  - for direct package download requests that bypass that metadata flow, Safe Chain can block the request itself using a cached list of newly released packages\n- Python package managers:\n  - during package resolution, Safe Chain suppresses too-young files and releases from PyPI metadata responses\n  - for direct package download requests that bypass that metadata flow, Safe Chain can block the request itself using a cached list of newly released packages\n\nBy default, the minimum package age is 48 hours. This provides an additional security layer during the critical period when newly published packages are most vulnerable to containing undetected threats. 
You can configure this threshold or bypass this protection entirely - see the [Minimum Package Age Configuration](#minimum-package-age) section below.\n\n### Shell Integration\n\nThe Aikido Safe Chain integrates with your shell to provide a seamless experience when using npm, npx, yarn, pnpm, pnpx, rush, rushx, bun, bunx, and Python package managers (pip, uv, uvx, poetry, pipx, pdm). It sets up aliases for these commands so that they are wrapped by the Aikido Safe Chain commands, which manage the proxy server before executing the original commands. We currently support:\n\n- ✅ **Bash**\n- ✅ **Zsh**\n- ✅ **Fish**\n- ✅ **PowerShell**\n- ✅ **PowerShell Core**\n\nMore information about the shell integration can be found in the [shell integration documentation](https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Fblob\u002Fmain\u002Fdocs\u002Fshell-integration.md).\n\n## Uninstallation\n\nTo uninstall the Aikido Safe Chain, use our one-line uninstaller:\n\n### Unix\u002FLinux\u002FmacOS\n\n```shell\ncurl -fsSL https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Funinstall-safe-chain.sh | sh\n```\n\n### Windows (PowerShell)\n\n```powershell\niex (iwr \"https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Funinstall-safe-chain.ps1\" -UseBasicParsing)\n```\n\n**❗Restart your terminal** after uninstalling to ensure all aliases are removed.\n\n# Configuration\n\n## Logging\n\nYou can control the output from Aikido Safe Chain using the `--safe-chain-logging` flag or the `SAFE_CHAIN_LOGGING` environment variable.\n\n### Configuration Options\n\nYou can set the logging level through multiple sources (in order of priority):\n\n1. **CLI Argument** (highest priority):\n   - `--safe-chain-logging=silent` - Suppresses all Aikido Safe Chain output except when malware is blocked. 
The package manager output is written to stdout as normal, and Safe Chain only writes a short message if it has blocked malware and causes the process to exit.\n\n     ```shell\n     npm install express --safe-chain-logging=silent\n     ```\n\n   - `--safe-chain-logging=verbose` - Enables detailed diagnostic output from Aikido Safe Chain. Useful for troubleshooting issues or understanding what Safe Chain is doing behind the scenes.\n\n     ```shell\n     npm install express --safe-chain-logging=verbose\n     ```\n\n2. **Environment Variable**:\n\n   ```shell\n   export SAFE_CHAIN_LOGGING=verbose\n   npm install express\n   ```\n\n   Valid values: `silent`, `normal`, `verbose`\n\n   This is useful for setting a default logging level for all package manager commands in your terminal session or CI\u002FCD environment.\n\n## Minimum Package Age\n\nYou can configure how long packages must exist before Safe Chain allows their installation. By default, packages must be at least 48 hours old before they can be installed.\n\nFor npm-based package managers, this check currently has two enforcement modes:\n\n- Safe Chain suppresses too-young versions from package metadata during normal dependency resolution.\n- Safe Chain blocks direct package download requests when they are matched against the cached newly released packages list.\n\nFor Python package managers, this check currently has two enforcement modes:\n\n- Safe Chain suppresses too-young files and releases from PyPI metadata during dependency resolution.\n- Safe Chain blocks direct package download requests when they are matched against the cached newly released packages list.\n\n### Configuration Options\n\nYou can set the minimum package age through multiple sources (in order of priority):\n\n1. **CLI Argument** (highest priority):\n\n   ```shell\n   npm install express --safe-chain-minimum-package-age-hours=48\n   ```\n\n2. 
**Environment Variable**:\n\n   ```shell\n   export SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS=48\n   npm install express\n   ```\n\n3. **Config File** (`~\u002F.safe-chain\u002Fconfig.json`):\n\n   ```json\n   {\n     \"minimumPackageAgeHours\": 48\n   }\n   ```\n\n### Excluding Packages\n\nExclude trusted packages from minimum age filtering via environment variable or config file (both are merged). Use `@scope\u002F*` to trust all packages from an organization:\n\n```shell\nexport SAFE_CHAIN_MINIMUM_PACKAGE_AGE_EXCLUSIONS=\"@aikidosec\u002F*\"\n```\n\n```json\n{\n  \"npm\": {\n    \"minimumPackageAgeExclusions\": [\"@aikidosec\u002F*\"]\n  },\n  \"pip\": {\n    \"minimumPackageAgeExclusions\": [\"requests\"]\n  }\n}\n```\n\n## Custom Registries\n\nConfigure Safe Chain to scan packages from custom or private registries.\n\nSupported ecosystems:\n\n- Node.js\n- Python\n\n### Configuration Options\n\nYou can set custom registries through environment variable or config file. Both sources are merged together.\n\n1. **Environment Variable** (comma-separated):\n\n   ```shell\n   export SAFE_CHAIN_NPM_CUSTOM_REGISTRIES=\"npm.company.com,registry.internal.net\"\n   export SAFE_CHAIN_PIP_CUSTOM_REGISTRIES=\"pip.company.com,registry.internal.net\"\n   ```\n\n2. **Config File** (`~\u002F.safe-chain\u002Fconfig.json`):\n\n   ```json\n   {\n     \"npm\": {\n       \"customRegistries\": [\"npm.company.com\", \"registry.internal.net\"]\n     },\n     \"pip\": {\n       \"customRegistries\": [\"pip.company.com\", \"registry.internal.net\"]\n     }\n   }\n   ```\n\n## PYPI Configuration File\n\nIf you rely on a `pip.conf` file for pip configuration you must point pip at it explicitly via the `PIP_CONFIG_FILE` environment variable so Safe Chain can merge it.\n\nSafe Chain runs pip behind its MITM proxy and writes a temporary pip configuration file to inject its certificate and proxy settings. 
When `PIP_CONFIG_FILE` is set, Safe Chain merges its settings into a copy of your file (your original file is never modified) so your `index-url`, credentials, and other options are preserved. When `PIP_CONFIG_FILE` is not set, pip's user-level config (e.g. `~\u002F.config\u002Fpip\u002Fpip.conf`) might be overridden by Safe Chain's temporary file and your settings will not be picked up.\n\n## Malware List Base URL\n\nConfigure Safe Chain to fetch malware databases and new packages lists from a custom mirror URL. This allows you to host your own copy of the Aikido malware database.\n\n### Configuration Options\n\nYou can set the malware list base URL through multiple sources (in order of priority):\n\n1. **CLI Argument** (highest priority):\n\n   ```shell\n   npm install express --safe-chain-malware-list-base-url=https:\u002F\u002Fyour-mirror.com\n   ```\n\n2. **Environment Variable**:\n\n   ```shell\n   export SAFE_CHAIN_MALWARE_LIST_BASE_URL=https:\u002F\u002Fyour-mirror.com\n   npm install express\n   ```\n\n3. **Config File** (`~\u002F.safe-chain\u002Fconfig.json`):\n\n   ```json\n   {\n     \"malwareListBaseUrl\": \"https:\u002F\u002Fyour-mirror.com\"\n   }\n   ```\n\nThe base URL should point to a server that mirrors the structure of `https:\u002F\u002Fmalware-list.aikido.dev\u002F`, including the following paths:\n- `\u002Fmalware_predictions.json` (JavaScript ecosystem malware database)\n- `\u002Fmalware_pypi.json` (Python ecosystem malware database)\n- `\u002Freleases\u002Fnpm.json` (JavaScript new packages list)\n- `\u002Freleases\u002Fpypi.json` (Python new packages list)\n\n## Custom Install Directory\n\nBy default, Safe Chain installs itself into `~\u002F.safe-chain`. You can change this by passing an explicit install directory to the installer. This is useful for system-wide installations (e.g. 
inside a Docker image) or when you need to avoid conflicts with other tools.\n\nWhen set, all Safe Chain data (binary, shims, scripts, config) is placed under the custom directory instead of `~\u002F.safe-chain`.\n\n### Unix\u002FLinux\u002FmacOS\n\n```shell\ncurl -fsSL https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Finstall-safe-chain.sh | sh -s -- --install-dir \u002Fusr\u002Flocal\u002F.safe-chain\n```\n\n### Windows\n\n```powershell\niex \"& { $(iwr 'https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Finstall-safe-chain.ps1' -UseBasicParsing) } -InstallDir 'C:\\ProgramData\\safe-chain'\"\n```\n\n# Usage in CI\u002FCD\n\nYou can protect your CI\u002FCD pipelines from malicious packages by integrating Aikido Safe Chain into your build process. This ensures that any packages installed during your automated builds are checked for malware before installation.\n\n## Installation for CI\u002FCD\n\nUse the `--ci` flag to automatically configure Aikido Safe Chain for CI\u002FCD environments. 
This sets up executable shims in the PATH instead of shell aliases.\n\n### Unix\u002FLinux\u002FmacOS (GitHub Actions, Azure Pipelines, etc.)\n\n```shell\ncurl -fsSL https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Finstall-safe-chain.sh | sh -s -- --ci\n```\n\n### Windows (Azure Pipelines, etc.)\n\n```powershell\niex \"& { $(iwr 'https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Finstall-safe-chain.ps1' -UseBasicParsing) } -ci\"\n```\n\n## Supported Platforms\n\n- ✅ **GitHub Actions**\n- ✅ **Azure Pipelines**\n- ✅ **CircleCI**\n- ✅ **Jenkins**\n- ✅ **Bitbucket Pipelines**\n- ✅ **GitLab Pipelines**\n\n## GitHub Actions Example\n\n```yaml\n- name: Setup Node.js\n  uses: actions\u002Fsetup-node@v4\n  with:\n    node-version: \"22\"\n    cache: \"npm\"\n\n- name: Install safe-chain\n  run: curl -fsSL https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Finstall-safe-chain.sh | sh -s -- --ci\n\n- name: Install dependencies\n  run: npm ci\n```\n\n## Azure DevOps Example\n\n```yaml\n- task: NodeTool@0\n  inputs:\n    versionSpec: \"22.x\"\n  displayName: \"Install Node.js\"\n\n- script: curl -fsSL https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Finstall-safe-chain.sh | sh -s -- --ci\n  displayName: \"Install safe-chain\"\n\n- script: npm ci\n  displayName: \"Install dependencies\"\n```\n\n## CircleCI Example\n\n```yaml\nversion: 2.1\njobs:\n  build:\n    docker:\n      - image: cimg\u002Fnode:lts\n    steps:\n      - checkout\n      - run: |\n          curl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002FAikidoSec\u002Fsafe-chain\u002Fmain\u002Finstall-scripts\u002Finstall-safe-chain.sh | sh -s -- --ci\n      - run: npm ci\nworkflows:\n  build_and_test:\n    jobs:\n      - build\n```\n\n## Jenkins Example\n\nNote: This assumes Node.js and npm are 
installed on the Jenkins agent.\n\n```groovy\npipeline {\n  agent any\n\n  environment {\n    \u002F\u002F Jenkins does not automatically persist PATH updates from setup-ci,\n    \u002F\u002F so add the shims + binary directory explicitly for all stages.\n    \u002F\u002F If you installed into a custom directory, replace ~\u002F.safe-chain with that path here.\n    PATH = \"${env.HOME}\u002F.safe-chain\u002Fshims:${env.HOME}\u002F.safe-chain\u002Fbin:${env.PATH}\"\n  }\n\n  stages {\n    stage('Install safe-chain') {\n      steps {\n        sh '''\n          set -euo pipefail\n\n          # Install Safe Chain for CI\n          curl -fsSL https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Finstall-safe-chain.sh | sh -s -- --ci\n        '''\n      }\n    }\n\n    stage('Install project dependencies etc...') {\n      steps {\n        sh '''\n          set -euo pipefail\n          npm ci\n        '''\n      }\n    }\n  }\n}\n```\n\n## Bitbucket Pipelines Example\n\n```yaml\nimage: node:22\n\nsteps:\n  - step:\n      name: Install\n      script:\n        - curl -fsSL https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Finstall-safe-chain.sh | sh -s -- --ci\n        - export PATH=~\u002F.safe-chain\u002Fshims:~\u002F.safe-chain\u002Fbin:$PATH\n        - npm ci\n```\n\nAfter setup, all subsequent package manager commands in your CI pipeline will automatically be protected by Aikido Safe Chain's malware detection.\n\n## GitLab Pipelines Example\n\nTo add safe-chain in GitLab pipelines, you need to install it in the image running the pipeline. This can be done by:\n\n1. 
Define a dockerfile to run your build\n\n   ```dockerfile\n   FROM node:lts\n\n   # Install safe-chain\n   RUN curl -fsSL https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Freleases\u002Flatest\u002Fdownload\u002Finstall-safe-chain.sh | sh -s -- --ci\n\n   # Add safe-chain to PATH (update paths if you used a custom install dir)\n   ENV PATH=\"\u002Froot\u002F.safe-chain\u002Fshims:\u002Froot\u002F.safe-chain\u002Fbin:${PATH}\"\n   ```\n\n2. Build the Docker image in your CI pipeline\n\n   ```yaml\n   build-image:\n     stage: build-image\n     image: docker:latest\n     services:\n       - docker:dind\n     script:\n       - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY\n       - docker build -t $CI_REGISTRY_IMAGE:latest .\n       - docker push $CI_REGISTRY_IMAGE:latest\n   ```\n\n3. Use the image in your pipeline:\n   ```yaml\n   npm-ci:\n     stage: install\n     image: $CI_REGISTRY_IMAGE:latest\n     script:\n       - npm ci\n   ```\n\nThe full pipeline for this example looks like this:\n\n```yaml\nstages:\n  - build-image\n  - install\n\nbuild-image:\n  stage: build-image\n  image: docker:latest\n  services:\n    - docker:dind\n  script:\n    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY\n    - docker build -t $CI_REGISTRY_IMAGE:latest .\n    - docker push $CI_REGISTRY_IMAGE:latest\n\nnpm-ci:\n  stage: install\n  image: $CI_REGISTRY_IMAGE:latest\n  script:\n    - npm ci\n```\n\n# Troubleshooting\n\nHaving issues? See the [Troubleshooting Guide](.\u002Fdocs\u002Ftroubleshooting) for help with common problems.\n\n# Report Issues\n\nIf you encounter problems:\n\n1. Visit [GitHub Issues](https:\u002F\u002Fgithub.com\u002FAikidoSec\u002Fsafe-chain\u002Fissues)\n2. 
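Include:\n   * Operating system and version\n   * Shell type and version\n   * `safe-chain --version` output\n   * Output from verification commands\n   * Verbose logs of the failing command (add the `--safe-chain-logging=verbose` argument)\n","Aikido Safe Chain is a tool that protects developers from malicious code installed via package managers such as npm, yarn, pnpm, npx, pip, uv and poetry. Its core features include blocking suspicious packages that were published recently (within 48 hours) and support for multiple mainstream JavaScript and Python package managers, with no tokens required and no build data shared. The tool is particularly suited to scenarios that require stronger security on developer laptops and in CI\u002FCD environments, and can effectively prevent potential supply chain attacks. In addition, for enterprises seeking broader ecosystem coverage, Aikido offers an additional endpoint protection solution.",2,"2026-06-11 03:53:15","trending"]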