@socketsecurity/lib 5.1.1 → 5.1.3

package/CHANGELOG.md

@@ -5,6 +5,27 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.1.3](https://github.com/SocketDev/socket-lib/releases/tag/v5.1.3) - 2025-12-29
+
+### Fixed
+
+- **http-request**: Fixed `httpDownload()` to properly handle HTTP redirects (3xx status codes)
+  - Added `followRedirects` option (default: `true`) to enable automatic redirect following
+  - Added `maxRedirects` option (default: `5`) to limit redirect chain length
+  - Now supports downloading from services that use CDN redirects, such as GitHub release assets
+  - Prevents GitHub API quota exhaustion by following `browser_download_url` redirects instead of using API endpoints
+  - Resolves "Request quota exhausted" errors when downloading GitHub release assets
+
+## [5.1.2](https://github.com/SocketDev/socket-lib/releases/tag/v5.1.2) - 2025-12-28
+
+### Fixed
+
+- **paths**: Fixed missing `getPathValue()` caching in `getSocketDlxDir()`
+  - Now uses `getPathValue()` for performance, consistent with `getSocketUserDir()` and `getSocketCacacheDir()`
+  - Adds test override support via `setPath('socket-dlx-dir', ...)`
+  - Test helper `mockHomeDir()` now properly invalidates path cache with `resetPaths()` calls
+  - Resolves cache persistence issues in test environments
+
 ## [5.1.1](https://github.com/SocketDev/socket-lib/releases/tag/v5.1.1) - 2025-12-28
 
 ### Added

package/dist/http-request.d.ts

@@ -257,6 +257,28 @@ export interface HttpResponse {
  * Configuration options for file downloads.
  */
 export interface HttpDownloadOptions {
+    /**
+     * Whether to automatically follow HTTP redirects (3xx status codes).
+     * This is essential for downloading from services that use CDN redirects,
+     * such as GitHub release assets which return HTTP 302 to their CDN.
+     *
+     * @default true
+     *
+     * @example
+     * ```ts
+     * // Follow redirects (default) - works with GitHub releases
+     * await httpDownload(
+     *   'https://github.com/org/repo/releases/download/v1.0.0/file.zip',
+     *   '/tmp/file.zip'
+     * )
+     *
+     * // Don't follow redirects
+     * await httpDownload('https://example.com/file.zip', '/tmp/file.zip', {
+     *   followRedirects: false
+     * })
+     * ```
+     */
+    followRedirects?: boolean | undefined;
     /**
      * HTTP headers to send with the download request.
      * A `User-Agent` header is automatically added if not provided.
@@ -292,6 +314,21 @@ export interface HttpDownloadOptions {
      * ```
      */
     logger?: Logger | undefined;
+    /**
+     * Maximum number of redirects to follow before throwing an error.
+     * Only relevant when `followRedirects` is `true`.
+     *
+     * @default 5
+     *
+     * @example
+     * ```ts
+     * // Allow up to 10 redirects
+     * await httpDownload('https://example.com/many-redirects/file.zip', '/tmp/file.zip', {
+     *   maxRedirects: 10
+     * })
+     * ```
+     */
+    maxRedirects?: number | undefined;
     /**
      * Callback for tracking download progress.
      * Called periodically as data is received.
@@ -439,12 +476,15 @@ export interface HttpDownloadResult {
  */
 export declare function httpRequest(url: string, options?: HttpRequestOptions | undefined): Promise<HttpResponse>;
 /**
- * Download a file from a URL to a local path with retry logic and progress callbacks.
+ * Download a file from a URL to a local path with redirect support, retry logic, and progress callbacks.
  * Uses streaming to avoid loading entire file in memory.
  *
  * The download is streamed directly to disk, making it memory-efficient even for
  * large files. Progress callbacks allow for real-time download status updates.
  *
+ * Automatically follows HTTP redirects (3xx status codes) by default, making it suitable
+ * for downloading from services like GitHub releases that redirect to CDN URLs.
+ *
  * @param url - The URL to download from (must start with http:// or https://)
  * @param destPath - Absolute path where the file should be saved
  * @param options - Download configuration options
@@ -460,6 +500,12 @@ export declare function httpRequest(url: string, options?: HttpRequestOptions |
  * )
  * console.log(`Downloaded ${result.size} bytes to ${result.path}`)
  *
+ * // Download from GitHub releases (handles 302 redirect automatically)
+ * await httpDownload(
+ *   'https://github.com/org/repo/releases/download/v1.0.0/binary.tar.gz',
+ *   '/tmp/binary.tar.gz'
+ * )
+ *
  * // With progress tracking
  * await httpDownload(
  *   'https://example.com/large-file.zip',

package/dist/http-request.js

@@ -183,8 +183,10 @@ async function httpRequestAttempt(url, options) {
 }
 async function httpDownload(url, destPath, options) {
   const {
+    followRedirects = true,
     headers = {},
     logger,
+    maxRedirects = 5,
     onProgress,
     progressInterval = 10,
     retries = 0,
@@ -210,7 +212,9 @@ async function httpDownload(url, destPath, options) {
   for (let attempt = 0; attempt <= retries; attempt++) {
     try {
       return await httpDownloadAttempt(url, destPath, {
+        followRedirects,
         headers,
+        maxRedirects,
         onProgress: progressCallback,
         timeout
       });
@@ -227,7 +231,9 @@ async function httpDownload(url, destPath, options) {
 }
 async function httpDownloadAttempt(url, destPath, options) {
   const {
+    followRedirects = true,
     headers = {},
+    maxRedirects = 5,
     onProgress,
     timeout = 12e4
   } = { __proto__: null, ...options };
@@ -257,6 +263,27 @@ async function httpDownloadAttempt(url, destPath, options) {
     const request = httpModule.request(
       requestOptions,
       (res) => {
+        if (followRedirects && res.statusCode && res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+          if (maxRedirects <= 0) {
+            reject(
+              new Error(
+                `Too many redirects (exceeded maximum: ${maxRedirects})`
+              )
+            );
+            return;
+          }
+          const redirectUrl = res.headers.location.startsWith("http") ? res.headers.location : new URL(res.headers.location, url).toString();
+          resolve(
+            httpDownloadAttempt(redirectUrl, destPath, {
+              followRedirects,
+              headers,
+              maxRedirects: maxRedirects - 1,
+              onProgress,
+              timeout
+            })
+          );
+          return;
+        }
         if (!res.statusCode || res.statusCode < 200 || res.statusCode >= 300) {
           closeStream();
           reject(

package/dist/paths/socket.d.ts

@@ -42,13 +42,15 @@ export declare function getSocketAppDir(appName: string): string;
 export declare function getSocketCacacheDir(): string;
 /**
  * Get the Socket DLX directory (~/.socket/_dlx).
- * Can be overridden with environment variables.
+ * Can be overridden with SOCKET_DLX_DIR environment variable or via setPath() for testing.
+ * Result is cached via getPathValue for performance.
  *
  * Priority order:
- *   1. SOCKET_DLX_DIR - Full override of DLX cache directory
- *   2. SOCKET_HOME/_dlx - Base directory override (inherits from getSocketUserDir)
- *   3. Default: $HOME/.socket/_dlx
- *   4. Fallback: /tmp/.socket/_dlx (Unix) or %TEMP%\.socket\_dlx (Windows)
+ *   1. Test override via setPath('socket-dlx-dir', ...)
+ *   2. SOCKET_DLX_DIR - Full override of DLX cache directory
+ *   3. SOCKET_HOME/_dlx - Base directory override (inherits from getSocketUserDir)
+ *   4. Default: $HOME/.socket/_dlx
+ *   5. Fallback: /tmp/.socket/_dlx (Unix) or %TEMP%\.socket\_dlx (Windows)
  */
 export declare function getSocketDlxDir(): string;
 /**

package/dist/paths/socket.js

@@ -88,12 +88,17 @@ function getSocketCacacheDir() {
   });
 }
 function getSocketDlxDir() {
-  if ((0, import_socket2.getSocketDlxDirEnv)()) {
-    return (0, import_normalize.normalizePath)((0, import_socket2.getSocketDlxDirEnv)());
-  }
-  return (0, import_normalize.normalizePath)(
-    path.join(getSocketUserDir(), `${import_socket.SOCKET_APP_PREFIX}${import_socket.SOCKET_DLX_APP_NAME}`)
-  );
+  return (0, import_rewire.getPathValue)("socket-dlx-dir", () => {
+    if ((0, import_socket2.getSocketDlxDirEnv)()) {
+      return (0, import_normalize.normalizePath)((0, import_socket2.getSocketDlxDirEnv)());
+    }
+    return (0, import_normalize.normalizePath)(
+      path.join(
+        getSocketUserDir(),
+        `${import_socket.SOCKET_APP_PREFIX}${import_socket.SOCKET_DLX_APP_NAME}`
+      )
+    );
+  });
 }
 function getSocketAppCacheDir(appName) {
   return (0, import_normalize.normalizePath)(path.join(getSocketAppDir(appName), import_dirnames.CACHE_DIR));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.1.1",
+  "version": "5.1.3",
   "packageManager": "pnpm@10.26.2",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
@@ -714,7 +714,7 @@
     "@socketregistry/is-unicode-supported": "1.0.5",
     "@socketregistry/packageurl-js": "1.3.5",
     "@socketregistry/yocto-spinner": "1.0.25",
-    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.1.0",
+    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.1.2",
     "@types/node": "24.9.2",
     "@typescript/native-preview": "7.0.0-dev.20250920.1",
     "@vitest/coverage-v8": "4.0.3",