Add Rush support (for monorepos)

[mcmeeking]

Summary

Adds support for Microsoft's Rush (used for monorepos).

Changes

• New CLI wrappers: aikido-rush and aikido-rushx
• Registers Rush in package manager initialisation
• Implements Rush command runner with proxy env normalisation
• Adds dependency pre-scan support for rush add (package extraction & version resolution)
• Includes Rush in shell integration tool mappings and CI shim coverage
• Updates README and CLI help text to list Rush as a supported package manager
• Adds Rush-focused tests

Closes

• [Feature request] Add support for Rush (for monorepos) #381

Summary by Aikido

Security Issues: 0	Quality Issues: 0	Resolved Issues: 0

🚀 New Features

• Added Rush and Rushx monorepo package manager support and tests

^{More info}

[reiniercriel]

Hi thanks for the contribution! Left a few comments here.

[mcmeeking]

@reiniercriel, I've added a util which resolves the failures (due to Rush's requirement that specific semver versions are used in the rush.json config). Expecting fails on Node 18 and 20 still until the changes from #453 are merged, but should be fine after that.

[reiniercriel]

@reiniercriel, I've added a util which resolves the failures (due to Rush's requirement that specific semver versions are used in the rush.json config). Expecting fails on Node 18 and 20 still until the changes from #453 are merged, but should be fine after that.

Hi @mcmeeking #453 was merged, can you merge main into your branch, that should hopefully resolve the remaining issues!

[mcmeeking]

@reiniercriel, thanks - merged now. I had to add a --safe-chain-skip-minimum-package-age to the test run as it was catching Rush's PNPM bootstrap of pnpm@11.1.0 😅

Should be good to go now.

[reiniercriel]

@mcmeeking looks like one little change will be needed still for "safe-chain proxy blocks malicious package downloads during rush update", for a couple of Node versions. Test works fine but I think the expected output is a little different than what is actually shown.

[mcmeeking]

@mcmeeking looks like one little change will be needed still for "safe-chain proxy blocks malicious package downloads during rush update", for a couple of Node versions. Test works fine but I think the expected output is a little different than what is actually shown.

@reiniercriel - got it this time I think, just making it a generic digit match to avoid flakes moving forward.

[reiniercriel]

Thanks @mcmeeking ! I'll talk to the team and will try to make a release today or tomorrow.

[mcmeeking]

Awesome, thanks for your help getting it merged!