@socketsecurity/lib 1.3.2 → 1.3.3

package/dist/packages/provenance.js.map

@@ -2,6 +2,6 @@
   "version": 3,
   "sources": ["../../src/packages/provenance.ts"],
   "sourcesContent": ["/**\n * @fileoverview Package provenance and attestation verification utilities.\n */\n\nimport { NPM_REGISTRY_URL } from '#constants/agents'\n\nimport { createCompositeAbortSignal, createTimeoutSignal } from '../abort'\nimport type { ProvenanceOptions } from '../packages'\nimport { parseUrl } from '../url'\n\n// IMPORTANT: Do not use destructuring here - use direct assignment instead.\n// tsgo has a bug that incorrectly transpiles destructured exports, resulting in\n// `exports.SomeName = void 0;` which causes runtime errors.\n// See: https://github.com/SocketDev/socket-packageurl-js/issues/3\nconst ArrayIsArray = Array.isArray\n\nconst SLSA_PROVENANCE_V0_2 = 'https://slsa.dev/provenance/v0.2'\nconst SLSA_PROVENANCE_V1_0 = 'https://slsa.dev/provenance/v1'\n\nlet _fetcher: typeof import('make-fetch-happen') | undefined\n/*@__NO_SIDE_EFFECTS__*/\nfunction getFetcher() {\n  if (_fetcher === undefined) {\n    const makeFetchHappen =\n      /*@__PURE__*/ require('../external/make-fetch-happen')\n    // Lazy load constants to avoid circular dependencies.\n    const { getPacoteCachePath } =\n      /*@__PURE__*/ require('../constants/packages')\n    _fetcher = makeFetchHappen.defaults({\n      cachePath: getPacoteCachePath(),\n      // Prefer-offline: Staleness checks for cached data will be bypassed, but\n      // missing data will be requested from the server.\n      // https://github.com/npm/make-fetch-happen?tab=readme-ov-file#--optscache\n      cache: 'force-cache',\n    })\n  }\n  return _fetcher as typeof import('make-fetch-happen')\n}\n\n/**\n * Extract and filter SLSA provenance attestations from attestation data.\n */\nfunction getAttestations(attestationData: unknown): unknown[] {\n  const data = attestationData as { attestations?: unknown[] }\n  if (!data.attestations || !ArrayIsArray(data.attestations)) {\n    return []\n  }\n\n  return data.attestations.filter((attestation: unknown) => {\n    const att = attestation as { predicateType?: string }\n    return (\n      att.predicateType === SLSA_PROVENANCE_V0_2 ||\n      att.predicateType === SLSA_PROVENANCE_V1_0\n    )\n  })\n}\n\n/**\n * Find the first attestation with valid provenance data.\n */\nfunction findProvenance(attestations: unknown[]): unknown {\n  for (const attestation of attestations) {\n    const att = attestation as {\n      bundle?: { dsseEnvelope?: { payload?: string } }\n      predicate?: unknown\n    }\n    try {\n      let predicate = att.predicate\n\n      // If predicate is not directly available, try to decode from DSSE envelope\n      if (!predicate && att.bundle?.dsseEnvelope?.payload) {\n        try {\n          const decodedPayload = Buffer.from(\n            att.bundle.dsseEnvelope.payload,\n            'base64',\n          ).toString('utf8')\n          const statement = JSON.parse(decodedPayload)\n          predicate = statement.predicate\n        } catch {\n          // Failed to decode, continue to next attestation\n          continue\n        }\n      }\n\n      const predicateData = predicate as {\n        buildDefinition?: { externalParameters?: unknown }\n      }\n      if (predicateData?.buildDefinition?.externalParameters) {\n        return {\n          predicate,\n          externalParameters: predicateData.buildDefinition.externalParameters,\n        }\n      }\n      // c8 ignore start - Error handling for malformed attestation data should continue processing other attestations.\n    } catch {\n      // Continue checking other attestations if one fails to parse\n    }\n    // c8 ignore stop\n  }\n  return undefined\n}\n\n/**\n * Check if a value indicates a trusted publisher (GitHub or GitLab).\n */\nfunction isTrustedPublisher(value: unknown): boolean {\n  if (typeof value !== 'string' || !value) {\n    return false\n  }\n\n  let url = parseUrl(value)\n  let hostname = url?.hostname\n\n  // Handle GitHub workflow refs with @ syntax by trying the first part.\n  // Example: \"https://github.com/owner/repo/.github/workflows/ci.yml@refs/heads/main\"\n  if (!url && value.includes('@')) {\n    const firstPart = value.split('@')[0]\n    if (firstPart) {\n      url = parseUrl(firstPart)\n    }\n    if (url) {\n      hostname = url.hostname\n    }\n  }\n\n  // Try common URL prefixes if not already a complete URL.\n  if (!url) {\n    const httpsUrl = parseUrl(`https://${value}`)\n    if (httpsUrl) {\n      hostname = httpsUrl.hostname\n    }\n  }\n\n  if (hostname) {\n    return (\n      hostname === 'github.com' ||\n      hostname.endsWith('.github.com') ||\n      hostname === 'gitlab.com' ||\n      hostname.endsWith('.gitlab.com')\n    )\n  }\n\n  // Fallback: check for provider keywords in non-URL strings.\n  return value.includes('github') || value.includes('gitlab')\n}\n\n/**\n * Convert raw attestation data to user-friendly provenance details.\n */\nexport function getProvenanceDetails(attestationData: unknown): unknown {\n  const attestations = getAttestations(attestationData)\n  if (!attestations.length) {\n    return undefined\n  }\n  // Find the first attestation with valid provenance data.\n  const provenance = findProvenance(attestations)\n  if (!provenance) {\n    return { level: 'attested' }\n  }\n\n  const provenanceData = provenance as {\n    externalParameters?: {\n      context?: string\n      ref?: string\n      repository?: string\n      run_id?: string\n      sha?: string\n      workflow?: {\n        ref?: string\n        repository?: string\n      }\n      workflow_ref?: string\n    }\n    predicate?: {\n      buildDefinition?: { buildType?: string }\n    }\n  }\n  const { externalParameters, predicate } = provenanceData\n  const def = predicate?.buildDefinition\n\n  // Handle both SLSA v0.2 (direct properties) and v1 (nested workflow object)\n  const workflow = externalParameters?.workflow\n  const workflowRef = workflow?.ref || externalParameters?.workflow_ref\n  const workflowUrl = externalParameters?.context\n  const workflowPlatform = def?.buildType\n  const repository = workflow?.repository || externalParameters?.repository\n  const gitRef = externalParameters?.ref || workflow?.ref\n  const commitSha = externalParameters?.sha\n  const workflowRunId = externalParameters?.run_id\n\n  // Check for trusted publishers (GitHub Actions, GitLab CI/CD).\n  const trusted =\n    isTrustedPublisher(workflowRef) ||\n    isTrustedPublisher(workflowUrl) ||\n    isTrustedPublisher(workflowPlatform) ||\n    isTrustedPublisher(repository)\n\n  return {\n    commitSha,\n    gitRef,\n    level: trusted ? 'trusted' : 'attested',\n    repository,\n    workflowRef,\n    workflowUrl,\n    workflowPlatform,\n    workflowRunId,\n  }\n}\n\n/**\n * Fetch package provenance information from npm registry.\n */\n/*@__NO_SIDE_EFFECTS__*/\nexport async function fetchPackageProvenance(\n  pkgName: string,\n  pkgVersion: string,\n  options?: ProvenanceOptions,\n): Promise<unknown> {\n  const { signal, timeout = 10_000 } = {\n    __proto__: null,\n    ...options,\n  } as ProvenanceOptions\n\n  if (signal?.aborted) {\n    return undefined\n  }\n\n  // Create composite signal combining external signal with timeout\n  const timeoutSignal = createTimeoutSignal(timeout)\n  const compositeSignal = createCompositeAbortSignal(signal, timeoutSignal)\n  const fetcher = getFetcher()\n\n  try {\n    const response = await fetcher(\n      // The npm registry attestations API endpoint.\n      `${NPM_REGISTRY_URL}/-/npm/v1/attestations/${encodeURIComponent(pkgName)}@${encodeURIComponent(pkgVersion)}`,\n      {\n        method: 'GET',\n        signal: compositeSignal,\n        headers: {\n          'User-Agent': 'socket-registry',\n        },\n      } as {\n        method: string\n        signal: AbortSignal\n        headers: Record<string, string>\n      },\n    )\n    if (response.ok) {\n      return getProvenanceDetails(await response.json())\n    }\n  } catch {}\n  return undefined\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,oBAAiC;AAEjC,mBAAgE;AAEhE,iBAAyB;AAMzB,MAAM,eAAe,MAAM;AAE3B,MAAM,uBAAuB;AAC7B,MAAM,uBAAuB;AAE7B,IAAI;AAAA;AAEJ,SAAS,aAAa;AACpB,MAAI,aAAa,QAAW;AAC1B,UAAM,kBACU,QAAQ,+BAA+B;AAEvD,UAAM,EAAE,mBAAmB,IACX,QAAQ,uBAAuB;AAC/C,eAAW,gBAAgB,SAAS;AAAA,MAClC,WAAW,mBAAmB;AAAA;AAAA;AAAA;AAAA,MAI9B,OAAO;AAAA,IACT,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAKA,SAAS,gBAAgB,iBAAqC;AAC5D,QAAM,OAAO;AACb,MAAI,CAAC,KAAK,gBAAgB,CAAC,aAAa,KAAK,YAAY,GAAG;AAC1D,WAAO,CAAC;AAAA,EACV;AAEA,SAAO,KAAK,aAAa,OAAO,CAAC,gBAAyB;AACxD,UAAM,MAAM;AACZ,WACE,IAAI,kBAAkB,wBACtB,IAAI,kBAAkB;AAAA,EAE1B,CAAC;AACH;AAKA,SAAS,eAAe,cAAkC;AACxD,aAAW,eAAe,cAAc;AACtC,UAAM,MAAM;AAIZ,QAAI;AACF,UAAI,YAAY,IAAI;AAGpB,UAAI,CAAC,aAAa,IAAI,QAAQ,cAAc,SAAS;AACnD,YAAI;AACF,gBAAM,iBAAiB,OAAO;AAAA,YAC5B,IAAI,OAAO,aAAa;AAAA,YACxB;AAAA,UACF,EAAE,SAAS,MAAM;AACjB,gBAAM,YAAY,KAAK,MAAM,cAAc;AAC3C,sBAAY,UAAU;AAAA,QACxB,QAAQ;AAEN;AAAA,QACF;AAAA,MACF;AAEA,YAAM,gBAAgB;AAGtB,UAAI,eAAe,iBAAiB,oBAAoB;AACtD,eAAO;AAAA,UACL;AAAA,UACA,oBAAoB,cAAc,gBAAgB;AAAA,QACpD;AAAA,MACF;AAAA,IAEF,QAAQ;AAAA,IAER;AAAA,EAEF;AACA,SAAO;AACT;AAKA,SAAS,mBAAmB,OAAyB;AACnD,MAAI,OAAO,UAAU,YAAY,CAAC,OAAO;AACvC,WAAO;AAAA,EACT;AAEA,MAAI,UAAM,qBAAS,KAAK;AACxB,MAAI,WAAW,KAAK;AAIpB,MAAI,CAAC,OAAO,MAAM,SAAS,GAAG,GAAG;AAC/B,UAAM,YAAY,MAAM,MAAM,GAAG,EAAE,CAAC;AACpC,QAAI,WAAW;AACb,gBAAM,qBAAS,SAAS;AAAA,IAC1B;AACA,QAAI,KAAK;AACP,iBAAW,IAAI;AAAA,IACjB;AAAA,EACF;AAGA,MAAI,CAAC,KAAK;AACR,UAAM,eAAW,qBAAS,WAAW,KAAK,EAAE;AAC5C,QAAI,UAAU;AACZ,iBAAW,SAAS;AAAA,IACtB;AAAA,EACF;AAEA,MAAI,UAAU;AACZ,WACE,aAAa,gBACb,SAAS,SAAS,aAAa,KAC/B,aAAa,gBACb,SAAS,SAAS,aAAa;AAAA,EAEnC;AAGA,SAAO,MAAM,SAAS,QAAQ,KAAK,MAAM,SAAS,QAAQ;AAC5D;AAKO,SAAS,qBAAqB,iBAAmC;AACtE,QAAM,eAAe,gBAAgB,eAAe;AACpD,MAAI,CAAC,aAAa,QAAQ;AACxB,WAAO;AAAA,EACT;AAEA,QAAM,aAAa,eAAe,YAAY;AAC9C,MAAI,CAAC,YAAY;AACf,WAAO,EAAE,OAAO,WAAW;AAAA,EAC7B;AAEA,QAAM,iBAAiB;AAiBvB,QAAM,EAAE,oBAAoB,UAAU,IAAI;AAC1C,QAAM,MAAM,WAAW;AAGvB,QAAM,WAAW,oBAAoB;AACrC,QAAM,cAAc,UAAU,OAAO,oBAAoB;AACzD,QAAM,cAAc,oBAAoB;AACxC,QAAM,mBAAmB,KAAK;AAC9B,QAAM,aAAa,UAAU,cAAc,oBAAoB;AAC/D,QAAM,SAAS,oBAAoB,OAAO,UAAU;AACpD,QAAM,YAAY,oBAAoB;AACtC,QAAM,gBAAgB,oBAAoB;AAG1C,QAAM,UACJ,mBAAmB,WAAW,KAC9B,mBAAmB,WAAW,KAC9B,mBAAmB,gBAAgB,KACnC,mBAAmB,UAAU;AAE/B,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,OAAO,UAAU,YAAY;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAAA;AAMA,eAAsB,uBACpB,SACA,YACA,SACkB;AAClB,QAAM,EAAE,QAAQ,UAAU,IAAO,IAAI;AAAA,IACnC,WAAW;AAAA,IACX,GAAG;AAAA,EACL;AAEA,MAAI,QAAQ,SAAS;AACnB,WAAO;AAAA,EACT;AAGA,QAAM,oBAAgB,kCAAoB,OAAO;AACjD,QAAM,sBAAkB,yCAA2B,QAAQ,aAAa;AACxE,QAAM,UAAU,2BAAW;AAE3B,MAAI;AACF,UAAM,WAAW,MAAM;AAAA;AAAA,MAErB,GAAG,8BAAgB,0BAA0B,mBAAmB,OAAO,CAAC,IAAI,mBAAmB,UAAU,CAAC;AAAA,MAC1G;AAAA,QACE,QAAQ;AAAA,QACR,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,cAAc;AAAA,QAChB;AAAA,MACF;AAAA,IAKF;AACA,QAAI,SAAS,IAAI;AACf,aAAO,qBAAqB,MAAM,SAAS,KAAK,CAAC;AAAA,IACnD;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;",
-  "names": []
+  "mappings": ";4ZAAA,IAAAA,EAAA,GAAAC,EAAAD,EAAA,4BAAAE,EAAA,yBAAAC,IAAA,eAAAC,EAAAJ,GAIA,IAAAK,EAAiC,6BAEjCC,EAAgE,oBAEhEC,EAAyB,kBAMzB,MAAMC,EAAe,MAAM,QAErBC,EAAuB,mCACvBC,EAAuB,iCAE7B,IAAIC,EAEJ,SAASC,GAAa,CACpB,GAAID,IAAa,OAAW,CAC1B,MAAME,EACU,QAAQ,+BAA+B,EAEjD,CAAE,mBAAAC,CAAmB,EACX,QAAQ,uBAAuB,EAC/CH,EAAWE,EAAgB,SAAS,CAClC,UAAWC,EAAmB,EAI9B,MAAO,aACT,CAAC,CACH,CACA,OAAOH,CACT,CAKA,SAASI,EAAgBC,EAAqC,CAC5D,MAAMC,EAAOD,EACb,MAAI,CAACC,EAAK,cAAgB,CAACT,EAAaS,EAAK,YAAY,EAChD,CAAC,EAGHA,EAAK,aAAa,OAAQC,GAAyB,CACxD,MAAMC,EAAMD,EACZ,OACEC,EAAI,gBAAkBV,GACtBU,EAAI,gBAAkBT,CAE1B,CAAC,CACH,CAKA,SAASU,EAAeC,EAAkC,CACxD,UAAWH,KAAeG,EAAc,CACtC,MAAMF,EAAMD,EAIZ,GAAI,CACF,IAAII,EAAYH,EAAI,UAGpB,GAAI,CAACG,GAAaH,EAAI,QAAQ,cAAc,QAC1C,GAAI,CACF,MAAMI,EAAiB,OAAO,KAC5BJ,EAAI,OAAO,aAAa,QACxB,QACF,EAAE,SAAS,MAAM,EAEjBG,EADkB,KAAK,MAAMC,CAAc,EACrB,SACxB,MAAQ,CAEN,QACF,CAGF,MAAMC,EAAgBF,EAGtB,GAAIE,GAAe,iBAAiB,mBAClC,MAAO,CACL,UAAAF,EACA,mBAAoBE,EAAc,gBAAgB,kBACpD,CAGJ,MAAQ,CAER,CAEF,CAEF,CAKA,SAASC,EAAmBC,EAAyB,CACnD,GAAI,OAAOA,GAAU,UAAY,CAACA,EAChC,MAAO,GAGT,IAAIC,KAAM,YAASD,CAAK,EACpBE,EAAWD,GAAK,SAIpB,GAAI,CAACA,GAAOD,EAAM,SAAS,GAAG,EAAG,CAC/B,MAAMG,EAAYH,EAAM,MAAM,GAAG,EAAE,CAAC,EAChCG,IACFF,KAAM,YAASE,CAAS,GAEtBF,IACFC,EAAWD,EAAI,SAEnB,CAGA,GAAI,CAACA,EAAK,CACR,MAAMG,KAAW,YAAS,WAAWJ,CAAK,EAAE,EACxCI,IACFF,EAAWE,EAAS,SAExB,CAEA,OAAIF,EAEAA,IAAa,cACbA,EAAS,SAAS,aAAa,GAC/BA,IAAa,cACbA,EAAS,SAAS,aAAa,EAK5BF,EAAM,SAAS,QAAQ,GAAKA,EAAM,SAAS,QAAQ,CAC5D,CAKO,SAASvB,EAAqBa,EAAmC,CACtE,MAAMK,EAAeN,EAAgBC,CAAe,EACpD,GAAI,CAACK,EAAa,OAChB,OAGF,MAAMU,EAAaX,EAAeC,CAAY,EAC9C,GAAI,CAACU,EACH,MAAO,CAAE,MAAO,UAAW,EAG7B,MAAMC,EAAiBD,EAiBjB,CAAE,mBAAAE,EAAoB,UAAAX,CAAU,EAAIU,EACpCE,EAAMZ,GAAW,gBAGjBa,EAAWF,GAAoB,SAC/BG,EAAcD,GAAU,KAAOF,GAAoB,aACnDI,EAAcJ,GAAoB,QAClCK,EAAmBJ,GAAK,UACxBK,EAAaJ,GAAU,YAAcF,GAAoB,WACzDO,EAASP,GAAoB,KAAOE,GAAU,IAC9CM,EAAYR,GAAoB,IAChCS,EAAgBT,GAAoB,OAGpCU,EACJlB,EAAmBW,CAAW,GAC9BX,EAAmBY,CAAW,GAC9BZ,EAAmBa,CAAgB,GACnCb,EAAmBc,CAAU,EAE/B,MAAO,CACL,UAAAE,EACA,OAAAD,EACA,MAAOG,EAAU,UAAY,WAC7B,WAAAJ,EACA,YAAAH,EACA,YAAAC,EACA,iBAAAC,EACA,cAAAI,CACF,CACF,CAMA,eAAsBxC,EACpB0C,EACAC,EACAC,EACkB,CAClB,KAAM,CAAE,OAAAC,EAAQ,QAAAC,EAAU,GAAO,EAAI,CACnC,UAAW,KACX,GAAGF,CACL,EAEA,GAAIC,GAAQ,QACV,OAIF,MAAME,KAAgB,uBAAoBD,CAAO,EAC3CE,KAAkB,8BAA2BH,EAAQE,CAAa,EAClEE,EAAUvC,EAAW,EAE3B,GAAI,CACF,MAAMwC,EAAW,MAAMD,EAErB,GAAG,kBAAgB,0BAA0B,mBAAmBP,CAAO,CAAC,IAAI,mBAAmBC,CAAU,CAAC,GAC1G,CACE,OAAQ,MACR,OAAQK,EACR,QAAS,CACP,aAAc,iBAChB,CACF,CAKF,EACA,GAAIE,EAAS,GACX,OAAOjD,EAAqB,MAAMiD,EAAS,KAAK,CAAC,CAErD,MAAQ,CAAC,CAEX",
+  "names": ["provenance_exports", "__export", "fetchPackageProvenance", "getProvenanceDetails", "__toCommonJS", "import_agents", "import_abort", "import_url", "ArrayIsArray", "SLSA_PROVENANCE_V0_2", "SLSA_PROVENANCE_V1_0", "_fetcher", "getFetcher", "makeFetchHappen", "getPacoteCachePath", "getAttestations", "attestationData", "data", "attestation", "att", "findProvenance", "attestations", "predicate", "decodedPayload", "predicateData", "isTrustedPublisher", "value", "url", "hostname", "firstPart", "httpsUrl", "provenance", "provenanceData", "externalParameters", "def", "workflow", "workflowRef", "workflowUrl", "workflowPlatform", "repository", "gitRef", "commitSha", "workflowRunId", "trusted", "pkgName", "pkgVersion", "options", "signal", "timeout", "timeoutSignal", "compositeSignal", "fetcher", "response"]
 }

package/dist/packages/registry.js

@@ -1,30 +1,3 @@
 /* Socket Lib - Built with esbuild */
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var registry_exports = {};
-__export(registry_exports, {
-  SocketRegistry: () => SocketRegistry
-});
-module.exports = __toCommonJS(registry_exports);
-class SocketRegistry {
-}
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  SocketRegistry
-});
+var o=Object.defineProperty;var a=Object.getOwnPropertyDescriptor;var g=Object.getOwnPropertyNames;var i=Object.prototype.hasOwnProperty;var k=(s,e)=>{for(var c in e)o(s,c,{get:e[c],enumerable:!0})},l=(s,e,c,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let t of g(e))!i.call(s,t)&&t!==c&&o(s,t,{get:()=>e[t],enumerable:!(r=a(e,t))||r.enumerable});return s};var p=s=>l(o({},"__esModule",{value:!0}),s);var y={};k(y,{SocketRegistry:()=>x});module.exports=p(y);class x{}0&&(module.exports={SocketRegistry});
 //# sourceMappingURL=registry.js.map

package/dist/packages/registry.js.map

@@ -2,6 +2,6 @@
   "version": 3,
   "sources": ["../../src/packages/registry.ts"],
   "sourcesContent": ["/**\n * @fileoverview Socket Registry class implementation.\n */\n\n/**\n * Main Socket Registry class for managing packages.\n */\nexport class SocketRegistry {}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAOO,MAAM,eAAe;AAAC;",
-  "names": []
+  "mappings": ";4ZAAA,IAAAA,EAAA,GAAAC,EAAAD,EAAA,oBAAAE,IAAA,eAAAC,EAAAH,GAOO,MAAME,CAAe,CAAC",
+  "names": ["registry_exports", "__export", "SocketRegistry", "__toCommonJS"]
 }

package/dist/packages/specs.js

@@ -1,85 +1,3 @@
 /* Socket Lib - Built with esbuild */
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var specs_exports = {};
-__export(specs_exports, {
-  getRepoUrlDetails: () => getRepoUrlDetails,
-  gitHubTagRefUrl: () => gitHubTagRefUrl,
-  gitHubTgzUrl: () => gitHubTgzUrl,
-  isGitHubTgzSpec: () => isGitHubTgzSpec,
-  isGitHubUrlSpec: () => isGitHubUrlSpec
-});
-module.exports = __toCommonJS(specs_exports);
-var import_objects = require("../objects");
-var import_strings = require("../strings");
-let _npmPackageArg;
-// @__NO_SIDE_EFFECTS__
-function getNpmPackageArg() {
-  if (_npmPackageArg === void 0) {
-    _npmPackageArg = require("../external/npm-package-arg");
-  }
-  return _npmPackageArg;
-}
-// @__NO_SIDE_EFFECTS__
-function getRepoUrlDetails(repoUrl = "") {
-  const userAndRepo = repoUrl.replace(/^.+github.com\//, "").split("/");
-  const user = userAndRepo[0] || "";
-  const project = userAndRepo.length > 1 ? userAndRepo[1]?.slice(0, -".git".length) || "" : "";
-  return { user, project };
-}
-// @__NO_SIDE_EFFECTS__
-function gitHubTagRefUrl(user, project, tag) {
-  return `https://api.github.com/repos/${user}/${project}/git/ref/tags/${tag}`;
-}
-// @__NO_SIDE_EFFECTS__
-function gitHubTgzUrl(user, project, sha) {
-  return `https://github.com/${user}/${project}/archive/${sha}.tar.gz`;
-}
-// @__NO_SIDE_EFFECTS__
-function isGitHubTgzSpec(spec, where) {
-  let parsedSpec;
-  if ((0, import_objects.isObjectObject)(spec)) {
-    parsedSpec = spec;
-  } else {
-    const npmPackageArg = /* @__PURE__ */ getNpmPackageArg();
-    parsedSpec = npmPackageArg(spec, where);
-  }
-  const typedSpec = parsedSpec;
-  return typedSpec.type === "remote" && !!typedSpec.saveSpec?.endsWith(".tar.gz");
-}
-// @__NO_SIDE_EFFECTS__
-function isGitHubUrlSpec(spec, where) {
-  let parsedSpec;
-  if ((0, import_objects.isObjectObject)(spec)) {
-    parsedSpec = spec;
-  } else {
-    const npmPackageArg = /* @__PURE__ */ getNpmPackageArg();
-    parsedSpec = npmPackageArg(spec, where);
-  }
-  const typedSpec = parsedSpec;
-  return typedSpec.type === "git" && typedSpec.hosted?.domain === "github.com" && (0, import_strings.isNonEmptyString)(typedSpec.gitCommittish);
-}
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  getRepoUrlDetails,
-  gitHubTagRefUrl,
-  gitHubTgzUrl,
-  isGitHubTgzSpec,
-  isGitHubUrlSpec
-});
+var g=Object.defineProperty;var c=Object.getOwnPropertyDescriptor;var u=Object.getOwnPropertyNames;var m=Object.prototype.hasOwnProperty;var f=(t,n)=>{for(var e in n)g(t,e,{get:n[e],enumerable:!0})},l=(t,n,e,r)=>{if(n&&typeof n=="object"||typeof n=="function")for(let i of u(n))!m.call(t,i)&&i!==e&&g(t,i,{get:()=>n[i],enumerable:!(r=c(n,i))||r.enumerable});return t};var d=t=>l(g({},"__esModule",{value:!0}),t);var A={};f(A,{getRepoUrlDetails:()=>h,gitHubTagRefUrl:()=>b,gitHubTgzUrl:()=>k,isGitHubTgzSpec:()=>y,isGitHubUrlSpec:()=>S});module.exports=d(A);var o=require("../objects"),p=require("../strings");let s;function a(){return s===void 0&&(s=require("../external/npm-package-arg")),s}function h(t=""){const n=t.replace(/^.+github.com\//,"").split("/"),e=n[0]||"",r=n.length>1&&n[1]?.slice(0,-4)||"";return{user:e,project:r}}function b(t,n,e){return`https://api.github.com/repos/${t}/${n}/git/ref/tags/${e}`}function k(t,n,e){return`https://github.com/${t}/${n}/archive/${e}.tar.gz`}function y(t,n){let e;(0,o.isObjectObject)(t)?e=t:e=a()(t,n);const r=e;return r.type==="remote"&&!!r.saveSpec?.endsWith(".tar.gz")}function S(t,n){let e;(0,o.isObjectObject)(t)?e=t:e=a()(t,n);const r=e;return r.type==="git"&&r.hosted?.domain==="github.com"&&(0,p.isNonEmptyString)(r.gitCommittish)}0&&(module.exports={getRepoUrlDetails,gitHubTagRefUrl,gitHubTgzUrl,isGitHubTgzSpec,isGitHubUrlSpec});
 //# sourceMappingURL=specs.js.map

package/dist/packages/specs.js.map

@@ -2,6 +2,6 @@
   "version": 3,
   "sources": ["../../src/packages/specs.ts"],
   "sourcesContent": ["/**\n * @fileoverview Package spec parsing and GitHub URL utilities.\n */\n\nimport { isObjectObject } from '../objects'\nimport { isNonEmptyString } from '../strings'\n\nlet _npmPackageArg: typeof import('npm-package-arg') | undefined\n/**\n * Get the npm-package-arg module.\n */\n/*@__NO_SIDE_EFFECTS__*/\nfunction getNpmPackageArg() {\n  if (_npmPackageArg === undefined) {\n    _npmPackageArg = /*@__PURE__*/ require('../external/npm-package-arg')\n  }\n  return _npmPackageArg as typeof import('npm-package-arg')\n}\n\n/**\n * Extract user and project from GitHub repository URL.\n */\n/*@__NO_SIDE_EFFECTS__*/\nexport function getRepoUrlDetails(repoUrl: string = ''): {\n  user: string\n  project: string\n} {\n  const userAndRepo = repoUrl.replace(/^.+github.com\\//, '').split('/')\n  const user = userAndRepo[0] || ''\n  const project =\n    userAndRepo.length > 1 ? userAndRepo[1]?.slice(0, -'.git'.length) || '' : ''\n  return { user, project }\n}\n\n/**\n * Generate GitHub API URL for a tag reference.\n */\n/*@__NO_SIDE_EFFECTS__*/\nexport function gitHubTagRefUrl(\n  user: string,\n  project: string,\n  tag: string,\n): string {\n  return `https://api.github.com/repos/${user}/${project}/git/ref/tags/${tag}`\n}\n\n/**\n * Generate GitHub tarball download URL for a commit SHA.\n */\n/*@__NO_SIDE_EFFECTS__*/\nexport function gitHubTgzUrl(\n  user: string,\n  project: string,\n  sha: string,\n): string {\n  return `https://github.com/${user}/${project}/archive/${sha}.tar.gz`\n}\n\n/**\n * Check if a package specifier is a GitHub tarball URL.\n */\n/*@__NO_SIDE_EFFECTS__*/\nexport function isGitHubTgzSpec(spec: unknown, where?: string): boolean {\n  let parsedSpec: unknown\n  if (isObjectObject(spec)) {\n    parsedSpec = spec\n  } else {\n    const npmPackageArg = getNpmPackageArg()\n    parsedSpec = npmPackageArg(spec as string, where)\n  }\n  const typedSpec = parsedSpec as { type?: string; saveSpec?: string }\n  return (\n    typedSpec.type === 'remote' && !!typedSpec.saveSpec?.endsWith('.tar.gz')\n  )\n}\n\n/**\n * Check if a package specifier is a GitHub URL with committish.\n */\n/*@__NO_SIDE_EFFECTS__*/\nexport function isGitHubUrlSpec(spec: unknown, where?: string): boolean {\n  let parsedSpec: unknown\n  if (isObjectObject(spec)) {\n    parsedSpec = spec\n  } else {\n    const npmPackageArg = getNpmPackageArg()\n    parsedSpec = npmPackageArg(spec as string, where)\n  }\n  const typedSpec = parsedSpec as {\n    gitCommittish?: string\n    hosted?: { domain?: string }\n    type?: string\n  }\n  return (\n    typedSpec.type === 'git' &&\n    typedSpec.hosted?.domain === 'github.com' &&\n    isNonEmptyString(typedSpec.gitCommittish)\n  )\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,qBAA+B;AAC/B,qBAAiC;AAEjC,IAAI;AAAA;AAKJ,SAAS,mBAAmB;AAC1B,MAAI,mBAAmB,QAAW;AAChC,qBAA+B,QAAQ,6BAA6B;AAAA,EACtE;AACA,SAAO;AACT;AAAA;AAMO,SAAS,kBAAkB,UAAkB,IAGlD;AACA,QAAM,cAAc,QAAQ,QAAQ,mBAAmB,EAAE,EAAE,MAAM,GAAG;AACpE,QAAM,OAAO,YAAY,CAAC,KAAK;AAC/B,QAAM,UACJ,YAAY,SAAS,IAAI,YAAY,CAAC,GAAG,MAAM,GAAG,CAAC,OAAO,MAAM,KAAK,KAAK;AAC5E,SAAO,EAAE,MAAM,QAAQ;AACzB;AAAA;AAMO,SAAS,gBACd,MACA,SACA,KACQ;AACR,SAAO,gCAAgC,IAAI,IAAI,OAAO,iBAAiB,GAAG;AAC5E;AAAA;AAMO,SAAS,aACd,MACA,SACA,KACQ;AACR,SAAO,sBAAsB,IAAI,IAAI,OAAO,YAAY,GAAG;AAC7D;AAAA;AAMO,SAAS,gBAAgB,MAAe,OAAyB;AACtE,MAAI;AACJ,UAAI,+BAAe,IAAI,GAAG;AACxB,iBAAa;AAAA,EACf,OAAO;AACL,UAAM,gBAAgB,iCAAiB;AACvC,iBAAa,cAAc,MAAgB,KAAK;AAAA,EAClD;AACA,QAAM,YAAY;AAClB,SACE,UAAU,SAAS,YAAY,CAAC,CAAC,UAAU,UAAU,SAAS,SAAS;AAE3E;AAAA;AAMO,SAAS,gBAAgB,MAAe,OAAyB;AACtE,MAAI;AACJ,UAAI,+BAAe,IAAI,GAAG;AACxB,iBAAa;AAAA,EACf,OAAO;AACL,UAAM,gBAAgB,iCAAiB;AACvC,iBAAa,cAAc,MAAgB,KAAK;AAAA,EAClD;AACA,QAAM,YAAY;AAKlB,SACE,UAAU,SAAS,SACnB,UAAU,QAAQ,WAAW,oBAC7B,iCAAiB,UAAU,aAAa;AAE5C;",
-  "names": []
+  "mappings": ";4ZAAA,IAAAA,EAAA,GAAAC,EAAAD,EAAA,uBAAAE,EAAA,oBAAAC,EAAA,iBAAAC,EAAA,oBAAAC,EAAA,oBAAAC,IAAA,eAAAC,EAAAP,GAIA,IAAAQ,EAA+B,sBAC/BC,EAAiC,sBAEjC,IAAIC,EAKJ,SAASC,GAAmB,CAC1B,OAAID,IAAmB,SACrBA,EAA+B,QAAQ,6BAA6B,GAE/DA,CACT,CAMO,SAASR,EAAkBU,EAAkB,GAGlD,CACA,MAAMC,EAAcD,EAAQ,QAAQ,kBAAmB,EAAE,EAAE,MAAM,GAAG,EAC9DE,EAAOD,EAAY,CAAC,GAAK,GACzBE,EACJF,EAAY,OAAS,GAAIA,EAAY,CAAC,GAAG,MAAM,EAAG,EAAc,GAAK,GACvE,MAAO,CAAE,KAAAC,EAAM,QAAAC,CAAQ,CACzB,CAMO,SAASZ,EACdW,EACAC,EACAC,EACQ,CACR,MAAO,gCAAgCF,CAAI,IAAIC,CAAO,iBAAiBC,CAAG,EAC5E,CAMO,SAASZ,EACdU,EACAC,EACAE,EACQ,CACR,MAAO,sBAAsBH,CAAI,IAAIC,CAAO,YAAYE,CAAG,SAC7D,CAMO,SAASZ,EAAgBa,EAAeC,EAAyB,CACtE,IAAIC,KACA,kBAAeF,CAAI,EACrBE,EAAaF,EAGbE,EADsBT,EAAiB,EACZO,EAAgBC,CAAK,EAElD,MAAME,EAAYD,EAClB,OACEC,EAAU,OAAS,UAAY,CAAC,CAACA,EAAU,UAAU,SAAS,SAAS,CAE3E,CAMO,SAASf,EAAgBY,EAAeC,EAAyB,CACtE,IAAIC,KACA,kBAAeF,CAAI,EACrBE,EAAaF,EAGbE,EADsBT,EAAiB,EACZO,EAAgBC,CAAK,EAElD,MAAME,EAAYD,EAKlB,OACEC,EAAU,OAAS,OACnBA,EAAU,QAAQ,SAAW,iBAC7B,oBAAiBA,EAAU,aAAa,CAE5C",
+  "names": ["specs_exports", "__export", "getRepoUrlDetails", "gitHubTagRefUrl", "gitHubTgzUrl", "isGitHubTgzSpec", "isGitHubUrlSpec", "__toCommonJS", "import_objects", "import_strings", "_npmPackageArg", "getNpmPackageArg", "repoUrl", "userAndRepo", "user", "project", "tag", "sha", "spec", "where", "parsedSpec", "typedSpec"]
 }

package/dist/packages/validation.js

@@ -1,53 +1,3 @@
 /* Socket Lib - Built with esbuild */
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var validation_exports = {};
-__export(validation_exports, {
-  isBlessedPackageName: () => isBlessedPackageName,
-  isRegistryFetcherType: () => isRegistryFetcherType,
-  isValidPackageName: () => isValidPackageName
-});
-module.exports = __toCommonJS(validation_exports);
-let _validateNpmPackageName;
-// @__NO_SIDE_EFFECTS__
-function getValidateNpmPackageName() {
-  if (_validateNpmPackageName === void 0) {
-    _validateNpmPackageName = require("../external/validate-npm-package-name");
-  }
-  return _validateNpmPackageName;
-}
-// @__NO_SIDE_EFFECTS__
-function isBlessedPackageName(name) {
-  return typeof name === "string" && (name === "sfw" || name === "socket" || name.startsWith("@socketoverride/") || name.startsWith("@socketregistry/") || name.startsWith("@socketsecurity/"));
-}
-// @__NO_SIDE_EFFECTS__
-function isRegistryFetcherType(type) {
-  return type === "alias" || type === "range" || type === "tag" || type === "version";
-}
-// @__NO_SIDE_EFFECTS__
-function isValidPackageName(name) {
-  const validateNpmPackageName = /* @__PURE__ */ getValidateNpmPackageName();
-  return validateNpmPackageName(name).validForOldPackages;
-}
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  isBlessedPackageName,
-  isRegistryFetcherType,
-  isValidPackageName
-});
+var r=Object.defineProperty;var s=Object.getOwnPropertyDescriptor;var c=Object.getOwnPropertyNames;var g=Object.prototype.hasOwnProperty;var d=(e,a)=>{for(var i in a)r(e,i,{get:a[i],enumerable:!0})},l=(e,a,i,o)=>{if(a&&typeof a=="object"||typeof a=="function")for(let t of c(a))!g.call(e,t)&&t!==i&&r(e,t,{get:()=>a[t],enumerable:!(o=s(a,t))||o.enumerable});return e};var k=e=>l(r({},"__esModule",{value:!0}),e);var N={};d(N,{isBlessedPackageName:()=>u,isRegistryFetcherType:()=>f,isValidPackageName:()=>m});module.exports=k(N);let n;function p(){return n===void 0&&(n=require("../external/validate-npm-package-name")),n}function u(e){return typeof e=="string"&&(e==="sfw"||e==="socket"||e.startsWith("@socketoverride/")||e.startsWith("@socketregistry/")||e.startsWith("@socketsecurity/"))}function f(e){return e==="alias"||e==="range"||e==="tag"||e==="version"}function m(e){return p()(e).validForOldPackages}0&&(module.exports={isBlessedPackageName,isRegistryFetcherType,isValidPackageName});
 //# sourceMappingURL=validation.js.map

package/dist/packages/validation.js.map

@@ -2,6 +2,6 @@
   "version": 3,
   "sources": ["../../src/packages/validation.ts"],
   "sourcesContent": ["/**\n * @fileoverview Package name validation utilities.\n */\n\nlet _validateNpmPackageName:\n  | typeof import('validate-npm-package-name')\n  | undefined\n/**\n * Get the validate-npm-package-name module.\n */\n/*@__NO_SIDE_EFFECTS__*/\nfunction getValidateNpmPackageName() {\n  if (_validateNpmPackageName === undefined) {\n    _validateNpmPackageName =\n      /*@__PURE__*/ require('../external/validate-npm-package-name')\n  }\n  return _validateNpmPackageName as typeof import('validate-npm-package-name')\n}\n\n/**\n * Check if package name is a blessed Socket.dev package.\n */\n/*@__NO_SIDE_EFFECTS__*/\nexport function isBlessedPackageName(name: unknown): boolean {\n  return (\n    typeof name === 'string' &&\n    (name === 'sfw' ||\n      name === 'socket' ||\n      name.startsWith('@socketoverride/') ||\n      name.startsWith('@socketregistry/') ||\n      name.startsWith('@socketsecurity/'))\n  )\n}\n\n/**\n * Check if a type string represents a registry fetcher type.\n */\n/*@__NO_SIDE_EFFECTS__*/\nexport function isRegistryFetcherType(type: string): boolean {\n  // RegistryFetcher spec.type check based on:\n  // https://github.com/npm/pacote/blob/v19.0.0/lib/fetcher.js#L467-L488\n  return (\n    type === 'alias' || type === 'range' || type === 'tag' || type === 'version'\n  )\n}\n\n/**\n * Check if a package name is valid according to npm naming rules.\n */\n/*@__NO_SIDE_EFFECTS__*/\nexport function isValidPackageName(name: string): boolean {\n  const validateNpmPackageName = getValidateNpmPackageName()\n  return validateNpmPackageName(name).validForOldPackages\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,IAAI;AAAA;AAOJ,SAAS,4BAA4B;AACnC,MAAI,4BAA4B,QAAW;AACzC,8BACgB,QAAQ,uCAAuC;AAAA,EACjE;AACA,SAAO;AACT;AAAA;AAMO,SAAS,qBAAqB,MAAwB;AAC3D,SACE,OAAO,SAAS,aACf,SAAS,SACR,SAAS,YACT,KAAK,WAAW,kBAAkB,KAClC,KAAK,WAAW,kBAAkB,KAClC,KAAK,WAAW,kBAAkB;AAExC;AAAA;AAMO,SAAS,sBAAsB,MAAuB;AAG3D,SACE,SAAS,WAAW,SAAS,WAAW,SAAS,SAAS,SAAS;AAEvE;AAAA;AAMO,SAAS,mBAAmB,MAAuB;AACxD,QAAM,yBAAyB,0CAA0B;AACzD,SAAO,uBAAuB,IAAI,EAAE;AACtC;",
-  "names": []
+  "mappings": ";4ZAAA,IAAAA,EAAA,GAAAC,EAAAD,EAAA,0BAAAE,EAAA,0BAAAC,EAAA,uBAAAC,IAAA,eAAAC,EAAAL,GAIA,IAAIM,EAOJ,SAASC,GAA4B,CACnC,OAAID,IAA4B,SAC9BA,EACgB,QAAQ,uCAAuC,GAE1DA,CACT,CAMO,SAASJ,EAAqBM,EAAwB,CAC3D,OACE,OAAOA,GAAS,WACfA,IAAS,OACRA,IAAS,UACTA,EAAK,WAAW,kBAAkB,GAClCA,EAAK,WAAW,kBAAkB,GAClCA,EAAK,WAAW,kBAAkB,EAExC,CAMO,SAASL,EAAsBM,EAAuB,CAG3D,OACEA,IAAS,SAAWA,IAAS,SAAWA,IAAS,OAASA,IAAS,SAEvE,CAMO,SAASL,EAAmBI,EAAuB,CAExD,OAD+BD,EAA0B,EAC3BC,CAAI,EAAE,mBACtC",
+  "names": ["validation_exports", "__export", "isBlessedPackageName", "isRegistryFetcherType", "isValidPackageName", "__toCommonJS", "_validateNpmPackageName", "getValidateNpmPackageName", "name", "type"]
 }

package/dist/packages.js

@@ -1,131 +1,3 @@
 /* Socket Lib - Built with esbuild */
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var packages_exports = {};
-__export(packages_exports, {
-  collectIncompatibleLicenses: () => import_licenses.collectIncompatibleLicenses,
-  collectLicenseWarnings: () => import_licenses.collectLicenseWarnings,
-  createAstNode: () => import_licenses.createAstNode,
-  createBinaryOperationNode: () => import_licenses.createBinaryOperationNode,
-  createLicenseNode: () => import_licenses.createLicenseNode,
-  createPackageJson: () => import_manifest.createPackageJson,
-  extractPackage: () => import_operations.extractPackage,
-  fetchPackageManifest: () => import_manifest.fetchPackageManifest,
-  fetchPackagePackument: () => import_manifest.fetchPackagePackument,
-  fetchPackageProvenance: () => import_provenance.fetchPackageProvenance,
-  findPackageExtensions: () => import_operations.findPackageExtensions,
-  findTypesForSubpath: () => import_exports.findTypesForSubpath,
-  getEditablePackageJsonClass: () => import_editable.getEditablePackageJsonClass,
-  getExportFilePaths: () => import_exports.getExportFilePaths,
-  getProvenanceDetails: () => import_provenance.getProvenanceDetails,
-  getReleaseTag: () => import_operations.getReleaseTag,
-  getRepoUrlDetails: () => import_specs.getRepoUrlDetails,
-  getSubpaths: () => import_exports.getSubpaths,
-  gitHubTagRefUrl: () => import_specs.gitHubTagRefUrl,
-  gitHubTgzUrl: () => import_specs.gitHubTgzUrl,
-  isBlessedPackageName: () => import_validation.isBlessedPackageName,
-  isConditionalExports: () => import_exports.isConditionalExports,
-  isGitHubTgzSpec: () => import_specs.isGitHubTgzSpec,
-  isGitHubUrlSpec: () => import_specs.isGitHubUrlSpec,
-  isRegistryFetcherType: () => import_validation.isRegistryFetcherType,
-  isSubpathExports: () => import_exports.isSubpathExports,
-  isValidPackageName: () => import_validation.isValidPackageName,
-  isolatePackage: () => import_isolation.isolatePackage,
-  normalizePackageJson: () => import_normalize.normalizePackageJson,
-  packPackage: () => import_operations.packPackage,
-  parseSpdxExp: () => import_licenses.parseSpdxExp,
-  pkgJsonToEditable: () => import_editable.pkgJsonToEditable,
-  readPackageJson: () => import_operations.readPackageJson,
-  readPackageJsonSync: () => import_operations.readPackageJsonSync,
-  resolveEscapedScope: () => import_normalize.resolveEscapedScope,
-  resolveGitHubTgzUrl: () => import_operations.resolveGitHubTgzUrl,
-  resolveOriginalPackageName: () => import_normalize.resolveOriginalPackageName,
-  resolvePackageJsonDirname: () => import_paths.resolvePackageJsonDirname,
-  resolvePackageJsonEntryExports: () => import_exports.resolvePackageJsonEntryExports,
-  resolvePackageJsonPath: () => import_paths.resolvePackageJsonPath,
-  resolvePackageLicenses: () => import_licenses.resolvePackageLicenses,
-  resolvePackageName: () => import_operations.resolvePackageName,
-  resolveRegistryPackageName: () => import_operations.resolveRegistryPackageName,
-  toEditablePackageJson: () => import_editable.toEditablePackageJson,
-  toEditablePackageJsonSync: () => import_editable.toEditablePackageJsonSync,
-  unescapeScope: () => import_normalize.unescapeScope,
-  visitLicenses: () => import_licenses.visitLicenses
-});
-module.exports = __toCommonJS(packages_exports);
-var import_editable = require("./packages/editable");
-var import_exports = require("./packages/exports");
-var import_isolation = require("./packages/isolation");
-var import_licenses = require("./packages/licenses");
-var import_manifest = require("./packages/manifest");
-var import_normalize = require("./packages/normalize");
-var import_operations = require("./packages/operations");
-var import_paths = require("./packages/paths");
-var import_provenance = require("./packages/provenance");
-var import_specs = require("./packages/specs");
-var import_validation = require("./packages/validation");
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  collectIncompatibleLicenses,
-  collectLicenseWarnings,
-  createAstNode,
-  createBinaryOperationNode,
-  createLicenseNode,
-  createPackageJson,
-  extractPackage,
-  fetchPackageManifest,
-  fetchPackagePackument,
-  fetchPackageProvenance,
-  findPackageExtensions,
-  findTypesForSubpath,
-  getEditablePackageJsonClass,
-  getExportFilePaths,
-  getProvenanceDetails,
-  getReleaseTag,
-  getRepoUrlDetails,
-  getSubpaths,
-  gitHubTagRefUrl,
-  gitHubTgzUrl,
-  isBlessedPackageName,
-  isConditionalExports,
-  isGitHubTgzSpec,
-  isGitHubUrlSpec,
-  isRegistryFetcherType,
-  isSubpathExports,
-  isValidPackageName,
-  isolatePackage,
-  normalizePackageJson,
-  packPackage,
-  parseSpdxExp,
-  pkgJsonToEditable,
-  readPackageJson,
-  readPackageJsonSync,
-  resolveEscapedScope,
-  resolveGitHubTgzUrl,
-  resolveOriginalPackageName,
-  resolvePackageJsonDirname,
-  resolvePackageJsonEntryExports,
-  resolvePackageJsonPath,
-  resolvePackageLicenses,
-  resolvePackageName,
-  resolveRegistryPackageName,
-  toEditablePackageJson,
-  toEditablePackageJsonSync,
-  unescapeScope,
-  visitLicenses
-});
+var f=Object.defineProperty;var y=Object.getOwnPropertyDescriptor;var P=Object.getOwnPropertyNames;var b=Object.prototype.hasOwnProperty;var x=(o,r)=>{for(var c in r)f(o,c,{get:r[c],enumerable:!0})},v=(o,r,c,m)=>{if(r&&typeof r=="object"||typeof r=="function")for(let p of P(r))!b.call(o,p)&&p!==c&&f(o,p,{get:()=>r[p],enumerable:!(m=y(r,p))||m.enumerable});return o};var S=o=>v(f({},"__esModule",{value:!0}),o);var R={};x(R,{collectIncompatibleLicenses:()=>n.collectIncompatibleLicenses,collectLicenseWarnings:()=>n.collectLicenseWarnings,createAstNode:()=>n.createAstNode,createBinaryOperationNode:()=>n.createBinaryOperationNode,createLicenseNode:()=>n.createLicenseNode,createPackageJson:()=>d.createPackageJson,extractPackage:()=>e.extractPackage,fetchPackageManifest:()=>d.fetchPackageManifest,fetchPackagePackument:()=>d.fetchPackagePackument,fetchPackageProvenance:()=>l.fetchPackageProvenance,findPackageExtensions:()=>e.findPackageExtensions,findTypesForSubpath:()=>i.findTypesForSubpath,getEditablePackageJsonClass:()=>s.getEditablePackageJsonClass,getExportFilePaths:()=>i.getExportFilePaths,getProvenanceDetails:()=>l.getProvenanceDetails,getReleaseTag:()=>e.getReleaseTag,getRepoUrlDetails:()=>t.getRepoUrlDetails,getSubpaths:()=>i.getSubpaths,gitHubTagRefUrl:()=>t.gitHubTagRefUrl,gitHubTgzUrl:()=>t.gitHubTgzUrl,isBlessedPackageName:()=>g.isBlessedPackageName,isConditionalExports:()=>i.isConditionalExports,isGitHubTgzSpec:()=>t.isGitHubTgzSpec,isGitHubUrlSpec:()=>t.isGitHubUrlSpec,isRegistryFetcherType:()=>g.isRegistryFetcherType,isSubpathExports:()=>i.isSubpathExports,isValidPackageName:()=>g.isValidPackageName,isolatePackage:()=>k.isolatePackage,normalizePackageJson:()=>a.normalizePackageJson,packPackage:()=>e.packPackage,parseSpdxExp:()=>n.parseSpdxExp,pkgJsonToEditable:()=>s.pkgJsonToEditable,readPackageJson:()=>e.readPackageJson,readPackageJsonSync:()=>e.readPackageJsonSync,resolveEscapedScope:()=>a.resolveEscapedScope,resolveGitHubTgzUrl:()=>e.resolveGitHubTgzUrl,resolveOriginalPackageName:()=>a.resolveOriginalPackageName,resolvePackageJsonDirname:()=>u.resolvePackageJsonDirname,resolvePackageJsonEntryExports:()=>i.resolvePackageJsonEntryExports,resolvePackageJsonPath:()=>u.resolvePackageJsonPath,resolvePackageLicenses:()=>n.resolvePackageLicenses,resolvePackageName:()=>e.resolvePackageName,resolveRegistryPackageName:()=>e.resolveRegistryPackageName,toEditablePackageJson:()=>s.toEditablePackageJson,toEditablePackageJsonSync:()=>s.toEditablePackageJsonSync,unescapeScope:()=>a.unescapeScope,visitLicenses:()=>n.visitLicenses});module.exports=S(R);var s=require("./packages/editable"),i=require("./packages/exports"),k=require("./packages/isolation"),n=require("./packages/licenses"),d=require("./packages/manifest"),a=require("./packages/normalize"),e=require("./packages/operations"),u=require("./packages/paths"),l=require("./packages/provenance"),t=require("./packages/specs"),g=require("./packages/validation");0&&(module.exports={collectIncompatibleLicenses,collectLicenseWarnings,createAstNode,createBinaryOperationNode,createLicenseNode,createPackageJson,extractPackage,fetchPackageManifest,fetchPackagePackument,fetchPackageProvenance,findPackageExtensions,findTypesForSubpath,getEditablePackageJsonClass,getExportFilePaths,getProvenanceDetails,getReleaseTag,getRepoUrlDetails,getSubpaths,gitHubTagRefUrl,gitHubTgzUrl,isBlessedPackageName,isConditionalExports,isGitHubTgzSpec,isGitHubUrlSpec,isRegistryFetcherType,isSubpathExports,isValidPackageName,isolatePackage,normalizePackageJson,packPackage,parseSpdxExp,pkgJsonToEditable,readPackageJson,readPackageJsonSync,resolveEscapedScope,resolveGitHubTgzUrl,resolveOriginalPackageName,resolvePackageJsonDirname,resolvePackageJsonEntryExports,resolvePackageJsonPath,resolvePackageLicenses,resolvePackageName,resolveRegistryPackageName,toEditablePackageJson,toEditablePackageJsonSync,unescapeScope,visitLicenses});
 //# sourceMappingURL=packages.js.map

package/dist/packages.js.map

@@ -2,6 +2,6 @@
   "version": 3,
   "sources": ["../src/packages.ts"],
   "sourcesContent": ["/**\n * @fileoverview Package registry management with Socket.dev specific utilities.\n * Provides npm package analysis, dependency resolution, and registry operations.\n */\n\nimport type { CategoryString } from '#types'\n\nimport {\n  getEditablePackageJsonClass,\n  pkgJsonToEditable,\n  toEditablePackageJson,\n  toEditablePackageJsonSync,\n} from './packages/editable'\nimport {\n  findTypesForSubpath,\n  getExportFilePaths,\n  getSubpaths,\n  isConditionalExports,\n  isSubpathExports,\n  resolvePackageJsonEntryExports,\n} from './packages/exports'\nimport { isolatePackage } from './packages/isolation'\nimport {\n  collectIncompatibleLicenses,\n  collectLicenseWarnings,\n  createAstNode,\n  createBinaryOperationNode,\n  createLicenseNode,\n  parseSpdxExp,\n  resolvePackageLicenses,\n  visitLicenses,\n} from './packages/licenses'\nimport {\n  createPackageJson,\n  fetchPackageManifest,\n  fetchPackagePackument,\n} from './packages/manifest'\nimport {\n  normalizePackageJson,\n  resolveEscapedScope,\n  resolveOriginalPackageName,\n  unescapeScope,\n} from './packages/normalize'\nimport {\n  extractPackage,\n  findPackageExtensions,\n  getReleaseTag,\n  packPackage,\n  readPackageJson,\n  readPackageJsonSync,\n  resolveGitHubTgzUrl,\n  resolvePackageName,\n  resolveRegistryPackageName,\n} from './packages/operations'\nimport {\n  resolvePackageJsonDirname,\n  resolvePackageJsonPath,\n} from './packages/paths'\nimport {\n  fetchPackageProvenance,\n  getProvenanceDetails,\n} from './packages/provenance'\nimport {\n  getRepoUrlDetails,\n  gitHubTagRefUrl,\n  gitHubTgzUrl,\n  isGitHubTgzSpec,\n  isGitHubUrlSpec,\n} from './packages/specs'\nimport {\n  isBlessedPackageName,\n  isRegistryFetcherType,\n  isValidPackageName,\n} from './packages/validation'\n\n// Type for package.json exports field.\ntype PackageExports = {\n  [path: string]: unknown\n}\n\n// Re-export the EditablePackageJson instance type for convenient access\nexport type EditablePackageJson =\n  import('./packages/editable').EditablePackageJsonInstance\n\n/**\n * Extended PackageJson type based on NPMCliPackageJson.Content with Socket-specific additions.\n * @extends NPMCliPackageJson.Content (from @npmcli/package-json)\n * @property socket - Optional Socket.dev specific configuration\n */\nexport type PackageJson = {\n  // Core npm fields\n  [key: string]: unknown\n  name?: string | undefined\n  version?: string | undefined\n  description?: string | undefined\n  main?: string | undefined\n  module?: string | undefined\n  types?: string | undefined\n  typings?: string | undefined\n  bin?: string | Record<string, string> | undefined\n\n  // Author and contributors\n  author?: string | { name?: string; email?: string; url?: string } | undefined\n  contributors?:\n    | Array<string | { name?: string; email?: string; url?: string }>\n    | undefined\n  maintainers?:\n    | Array<string | { name?: string; email?: string; url?: string }>\n    | undefined\n\n  // Repository and URLs\n  repository?:\n    | string\n    | { type?: string; url?: string; directory?: string }\n    | undefined\n  homepage?: string | undefined\n  bugs?: string | { url?: string; email?: string } | undefined\n\n  // License\n  license?: string | undefined\n  licenses?: Array<{ type?: string; url?: string }> | undefined\n\n  // Scripts\n  scripts?: Record<string, string> | undefined\n\n  // Dependencies\n  dependencies?: Record<string, string> | undefined\n  devDependencies?: Record<string, string> | undefined\n  peerDependencies?: Record<string, string> | undefined\n  optionalDependencies?: Record<string, string> | undefined\n  bundledDependencies?: string[] | undefined\n  bundleDependencies?: string[] | undefined\n\n  // Package managers specific\n  overrides?: Record<string, string> | undefined\n  resolutions?: Record<string, string> | undefined\n  pnpm?: Record<string, unknown> | undefined\n\n  // Module system\n  exports?: PackageExports | string | string[] | undefined\n  imports?: Record<string, unknown> | undefined\n  type?: 'module' | 'commonjs' | undefined\n\n  // Publishing\n  private?: boolean | undefined\n  publishConfig?: Record<string, unknown> | undefined\n  files?: string[] | undefined\n\n  // Engines and OS\n  engines?: Record<string, string> | undefined\n  os?: string[] | undefined\n  cpu?: string[] | undefined\n\n  // Package manager\n  packageManager?: string | undefined\n\n  // Workspaces\n  workspaces?: string[] | { packages?: string[] } | undefined\n\n  // Socket.dev specific\n  socket?:\n    | {\n        categories?: CategoryString | CategoryString[]\n        interop?: string | string[]\n        [key: string]: unknown\n      }\n    | undefined\n}\n\nexport type SaveOptions = {\n  ignoreWhitespace?: boolean | undefined\n  sort?: boolean | undefined\n}\n\nexport type EditablePackageJsonOptions = {\n  normalize?: boolean | undefined\n  path?: string | undefined\n  preserve?: string[] | readonly string[] | undefined\n  create?: boolean | undefined\n  data?: PackageJson | undefined\n}\n\nexport type ExtractOptions = {\n  dest?: string | undefined\n  tmpPrefix?: string | undefined\n  signal?: AbortSignal | undefined\n  packumentCache?: Map<string, unknown> | undefined\n  preferOffline?: boolean | undefined\n}\n\nexport type NormalizeOptions = {\n  preserve?: string[] | readonly string[] | undefined\n}\n\nexport type ReadPackageJsonOptions = NormalizeOptions & {\n  editable?: boolean | undefined\n  normalize?: boolean | undefined\n  throws?: boolean | undefined\n}\n\nexport type ProvenanceOptions = {\n  signal?: AbortSignal | undefined\n  timeout?: number | undefined\n}\n\nexport type LicenseNode = {\n  license: string\n  exception?: string | undefined\n  inFile?: string | undefined\n  plus?: boolean | undefined\n}\n\nexport type PacoteOptions = {\n  signal?: AbortSignal | undefined\n  packumentCache?: Map<string, unknown> | undefined\n  preferOffline?: boolean | undefined\n  fullMetadata?: boolean | undefined\n}\n\nexport type {\n  IsolatePackageOptions,\n  IsolatePackageResult,\n} from './packages/isolation'\n\nexport type {\n  InternalAstNode,\n  InternalBinaryOperationNode,\n  InternalLicenseNode,\n  LicenseVisitor,\n  SpdxAstNode,\n  SpdxBinaryOperationNode,\n  SpdxLicenseNode,\n} from './packages/licenses'\n\nexport {\n  collectIncompatibleLicenses,\n  collectLicenseWarnings,\n  createAstNode,\n  createBinaryOperationNode,\n  createLicenseNode,\n  createPackageJson,\n  extractPackage,\n  fetchPackageManifest,\n  fetchPackagePackument,\n  fetchPackageProvenance,\n  findPackageExtensions,\n  findTypesForSubpath,\n  getEditablePackageJsonClass,\n  getExportFilePaths,\n  getProvenanceDetails,\n  getReleaseTag,\n  getRepoUrlDetails,\n  getSubpaths,\n  gitHubTagRefUrl,\n  gitHubTgzUrl,\n  isBlessedPackageName,\n  isConditionalExports,\n  isGitHubTgzSpec,\n  isGitHubUrlSpec,\n  isolatePackage,\n  isRegistryFetcherType,\n  isSubpathExports,\n  isValidPackageName,\n  normalizePackageJson,\n  packPackage,\n  parseSpdxExp,\n  pkgJsonToEditable,\n  readPackageJson,\n  readPackageJsonSync,\n  resolveEscapedScope,\n  resolveGitHubTgzUrl,\n  resolveOriginalPackageName,\n  resolvePackageName,\n  resolvePackageJsonDirname,\n  resolvePackageJsonPath,\n  resolvePackageJsonEntryExports,\n  resolvePackageLicenses,\n  resolveRegistryPackageName,\n  toEditablePackageJson,\n  toEditablePackageJsonSync,\n  unescapeScope,\n  visitLicenses,\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAOA,sBAKO;AACP,qBAOO;AACP,uBAA+B;AAC/B,sBASO;AACP,sBAIO;AACP,uBAKO;AACP,wBAUO;AACP,mBAGO;AACP,wBAGO;AACP,mBAMO;AACP,wBAIO;",
-  "names": []
+  "mappings": ";4ZAAA,IAAAA,EAAA,GAAAC,EAAAD,EAAA,gnEAAAE,EAAAF,GAOA,IAAAG,EAKO,+BACPC,EAOO,8BACPC,EAA+B,gCAC/BC,EASO,+BACPC,EAIO,+BACPC,EAKO,gCACPC,EAUO,iCACPC,EAGO,4BACPC,EAGO,iCACPC,EAMO,4BACPC,EAIO",
+  "names": ["packages_exports", "__export", "__toCommonJS", "import_editable", "import_exports", "import_isolation", "import_licenses", "import_manifest", "import_normalize", "import_operations", "import_paths", "import_provenance", "import_specs", "import_validation"]
 }