Support for PDM package manager (Python)#399
Conversation
PDM is a modern Python package manager using pyproject.toml (PEP 621). Uses the same MITM-only proxy approach as poetry/uv/pipx — all malware detection and minimum package age enforcement happens at the proxy layer by intercepting PyPI requests.
![aikido-pr-checks[bot]](https://avatars.githubusercontent.com/in/898896?s=60&v=4){kind=small}
| * @param {NodeJS.ProcessEnv} env - Environment object to modify | ||
| * @param {string} combinedCaPath - Path to the combined CA bundle | ||
| */ | ||
| function setPdmCaBundleEnvironmentVariables(env, combinedCaPath) { |
There was a problem hiding this comment.
setPdmCaBundleEnvironmentVariables mutates its 'env' parameter by assigning SSL_CERT_FILE / REQUESTS_CA_BUNDLE / PIP_CERT, causing side effects on the caller-provided object; avoid modifying the input argument directly.
Details
✨ AI Reasoning
A function added in this change modifies the passed-in 'env' object by assigning properties on it. Mutating a parameter makes it harder to reason about the original value and can produce surprising side effects for callers. The change alters program state via the argument rather than returning a new modified value, which increases coupling between caller and callee and can hide where environment changes occur.
🔧 How do I fix it?
Create new local variables instead of reassigning parameters. Use different variable names to clearly distinguish between input and modified values.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
The install message in `safe-chain setup` help was hardcoding a stale list of package managers (missing uv, uvx, poetry, pipx, pdm). Use the existing getPackageManagerList() helper so the list stays in sync with knownAikidoTools.
| await shell.runCommand("cd /tmp/test-pdm-malware && pdm init --non-interactive"); | ||
|
|
||
| const result = await shell.runCommand( | ||
| "cd /tmp/test-pdm-malware && pdm add safe-chain-pi-test" |
There was a problem hiding this comment.
safe-chain-pi-test is no longer published (PYPI pulled it SIGH) , so these tests will start failing. The other pypi package mgr specs (poetry, uv, pip) use numpy==2.4.4 as the malware proxy. That one is already added to malwarelistmirror so just changing the name here should be fine
There was a problem hiding this comment.
Damn that's inconvenient from pypi. Have updated the pdm tests to use numpy==2.4.4, and also fixed the failing bun test. E2E tests are passing locally for me now
There was a problem hiding this comment.
I appreciate that! Have a PR open for fixing those bun tests but not merged yet.
The safe-chain-pi-test package no longer exists on PyPI. Aikido now patches numpy==2.4.4 into the malware list for tests, matching the pattern already used in the poetry e2e suite.
The user-facing message is "Safe-chain: blocked N malicious package downloads", not "blocked by safe-chain" (which only appears in the proxy's HTTP response, not the rendered CLI output).
Bun retries blocked downloads, so the count in "blocked N malicious package downloads" can be >1. Match on the surrounding text rather than a fixed count to keep the assertion robust. Also drops the brittle "pdm update updates dependencies" case.
2 participants
Summary
Summary by Aikido
🚀 New Features
More info