feat(command-blocker): ✨ Block npx commands for reproducibility

knoopx · knoopx · commit 0d63f2d0cb5e · 2025-09-05T19:54:35.000+02:00
Enhanced command blocking by adding support for `npx` commands. This ensures reproducible builds by advising users to use `bunx` instead. The change includes specific error messages for both direct `npx` commands and those used in piped commands.

- Added test cases for blocking `npx` commands.
- Updated blocked command messages to include `npx` guidance.
diff --git a/command-blocker.test.ts b/command-blocker.test.ts
@@ -45,6 +45,17 @@ describe("Command Blocker", () => {
       );
     });
 
+    it("should block npx command", async () => {
+      const input = { tool: "bash" };
+      const output = { args: { command: "npx create-react-app my-app" } };
+
+      await expect(
+        plugin["tool.execute.before"](input, output)
+      ).rejects.toThrow(
+        "`npx` is blocked to ensure reproducible builds. Use `bunx` (faster, more reliable) instead. Examples: `bunx create-react-app my-app` instead of `npx create-react-app my-app`"
+      );
+    });
+
     it("should block pip command", async () => {
       const input = { tool: "bash" };
       const output = { args: { command: "pip install requests" } };
@@ -240,6 +251,20 @@ describe("Command Blocker", () => {
       ).rejects.toThrow();
     });
 
+    it("should block npx in piped commands", async () => {
+      const input1 = { tool: "bash" };
+      const output1 = { args: { command: 'echo "npx create-react-app" | sh' } };
+      await expect(
+        plugin["tool.execute.before"](input1, output1)
+      ).rejects.toThrow();
+
+      const input2 = { tool: "bash" };
+      const output2 = { args: { command: "npx eslint | grep error" } };
+      await expect(
+        plugin["tool.execute.before"](input2, output2)
+      ).rejects.toThrow();
+    });
+
     it("should block pip in piped commands", async () => {
       const input1 = { tool: "bash" };
       const output1 = {
diff --git a/command-blocker.ts b/command-blocker.ts
@@ -11,6 +11,7 @@ interface ReadOnlyFiles {
 const BLOCKED_COMMAND_MESSAGES: BlockedCommandMessages = {
   node: "`node` is blocked to ensure reproducible builds. Use `bun` (faster, more reliable) or `bunx` for running scripts. Example: `bun run dev` instead of `node server.js`",
   npm: "`npm` is blocked to ensure reproducible builds. Use `bun` (faster, more reliable) instead. Examples: `bun install` instead of `npm install`, `bun run build` instead of `npm run build`",
+  npx: "`npx` is blocked to ensure reproducible builds. Use `bunx` (faster, more reliable) instead. Examples: `bunx create-react-app my-app` instead of `npx create-react-app my-app`",
   pip: "`pip` is blocked to ensure reproducible builds. Use `uv` or `uvx` for dependency management. Example: `uv add requests` instead of `pip install requests`",
   python:
     "`python` is blocked to ensure environment isolation. Use `uv` for dependency management or `uvx` for running tools. Virtual environment python (e.g., `.venv/bin/python`) is allowed. Example: `uv run python script.py`",
