npm - @socketsecurity/lib - Versions diffs - 5.11.1 → 5.11.3 - Mend

@socketsecurity/lib 5.11.1 → 5.11.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/CHANGELOG.md +20 -0
package/dist/abort.js +1 -3
package/dist/agent.js +12 -1
package/dist/ansi.js +1 -1
package/dist/archives.js +7 -6
package/dist/argv/flags.d.ts +0 -7
package/dist/argv/flags.js +12 -1
package/dist/argv/parse.js +5 -9
package/dist/bin.js +2 -1
package/dist/cache-with-ttl.js +10 -3
package/dist/constants/node.js +14 -3
package/dist/cover/code.js +13 -2
package/dist/cover/type.js +12 -1
package/dist/dlx/binary.js +16 -5
package/dist/dlx/manifest.js +22 -33
package/dist/env/package-manager.js +12 -1
package/dist/env/rewire.js +14 -3
package/dist/external/@npmcli/package-json.js +5 -3
package/dist/external/adm-zip.js +1 -0
package/dist/external/debug.js +18 -10
package/dist/external/external-pack.js +8 -2
package/dist/external/libnpmexec.js +2 -2
package/dist/external/npm-pack.js +380 -367
package/dist/external/p-map.js +240 -0
package/dist/external/pico-pack.js +245 -12
package/dist/external/zod.js +1 -0
package/dist/fs.d.ts +0 -4
package/dist/fs.js +13 -2
package/dist/git.js +12 -1
package/dist/github.js +15 -6
package/dist/http-request.d.ts +29 -0
package/dist/http-request.js +23 -2
package/dist/ipc.js +17 -5
package/dist/json/edit.js +14 -3
package/dist/logger.js +5 -4
package/dist/memoization.js +46 -13
package/dist/packages/isolation.js +9 -1
package/dist/performance.js +13 -2
package/dist/process-lock.js +16 -3
package/dist/promise-queue.d.ts +2 -0
package/dist/promise-queue.js +20 -9
package/dist/promises.js +1 -3
package/dist/releases/github.js +9 -4
package/dist/sea.js +12 -1
package/dist/shadow.js +14 -3
package/dist/spawn.js +5 -4
package/dist/spinner.d.ts +0 -4
package/dist/spinner.js +2 -1
package/dist/stdio/clear.d.ts +0 -21
package/dist/stdio/clear.js +20 -9
package/dist/stdio/mask.js +27 -16
package/dist/stdio/progress.js +3 -2
package/dist/stdio/stderr.d.ts +0 -13
package/dist/stdio/stderr.js +12 -1
package/dist/stdio/stdout.js +17 -6
package/dist/suppress-warnings.d.ts +0 -9
package/dist/suppress-warnings.js +17 -6
package/dist/temporary-executor.js +14 -3
package/dist/validation/json-parser.js +10 -12
package/package.json +8 -6

package/dist/suppress-warnings.js CHANGED Viewed

@@ -1,8 +1,10 @@
 "use strict";
 /* Socket Lib - Built with esbuild */
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -16,6 +18,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var suppress_warnings_exports = {};
 __export(suppress_warnings_exports, {
@@ -26,13 +36,14 @@ __export(suppress_warnings_exports, {
   withSuppressedWarnings: () => withSuppressedWarnings
 });
 module.exports = __toCommonJS(suppress_warnings_exports);
+var import_node_process = __toESM(require("node:process"));
 const { apply: ReflectApply } = Reflect;
 let originalEmitWarning;
 const suppressedWarnings = /* @__PURE__ */ new Set();
 function setupSuppression() {
   if (!originalEmitWarning) {
-    originalEmitWarning = process.emitWarning;
-    process.emitWarning = (warning, ...args) => {
+    originalEmitWarning = import_node_process.default.emitWarning;
+    import_node_process.default.emitWarning = (warning, ...args) => {
       if (typeof warning === "string") {
         for (const suppressedType of suppressedWarnings) {
           if (warning.includes(suppressedType)) {
@@ -47,7 +58,7 @@ function setupSuppression() {
       }
       return ReflectApply(
         originalEmitWarning,
-        process,
+        import_node_process.default,
         [warning, ...args]
       );
     };
@@ -76,14 +87,14 @@ function setMaxEventTargetListeners(target, maxListeners = 10) {
 }
 function restoreWarnings() {
   if (originalEmitWarning) {
-    process.emitWarning = originalEmitWarning;
+    import_node_process.default.emitWarning = originalEmitWarning;
     originalEmitWarning = void 0;
     suppressedWarnings.clear();
   }
 }
 async function withSuppressedWarnings(warningType, callback) {
   const wasAlreadySuppressed = suppressedWarnings.has(warningType);
-  const original = process.emitWarning;
+  const original = import_node_process.default.emitWarning;
   suppressWarningType(warningType);
   try {
     return await callback();
@@ -91,7 +102,7 @@ async function withSuppressedWarnings(warningType, callback) {
     if (!wasAlreadySuppressed) {
       suppressedWarnings.delete(warningType);
     }
-    process.emitWarning = original;
+    import_node_process.default.emitWarning = original;
   }
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/temporary-executor.js CHANGED Viewed

@@ -1,8 +1,10 @@
 "use strict";
 /* Socket Lib - Built with esbuild */
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -16,21 +18,30 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var temporary_executor_exports = {};
 __export(temporary_executor_exports, {
   isRunningInTemporaryExecutor: () => isRunningInTemporaryExecutor
 });
 module.exports = __toCommonJS(temporary_executor_exports);
+var import_node_process = __toESM(require("node:process"));
 var import_platform = require("./constants/platform");
 var import_normalize = require("./paths/normalize");
-function isRunningInTemporaryExecutor(cwd = process.cwd()) {
-  const userAgent = process.env["npm_config_user_agent"];
+function isRunningInTemporaryExecutor(cwd = import_node_process.default.cwd()) {
+  const userAgent = import_node_process.default.env["npm_config_user_agent"];
   if (userAgent?.includes("exec") || userAgent?.includes("npx") || userAgent?.includes("dlx")) {
     return true;
   }
   const normalizedCwd = (0, import_normalize.normalizePath)(cwd);
-  const npmCache = process.env["npm_config_cache"];
+  const npmCache = import_node_process.default.env["npm_config_cache"];
   if (npmCache && normalizedCwd.includes((0, import_normalize.normalizePath)(npmCache))) {
     return true;
   }

package/dist/validation/json-parser.js CHANGED Viewed

@@ -27,7 +27,15 @@ __export(json_parser_exports, {
   tryJsonParse: () => tryJsonParse
 });
 module.exports = __toCommonJS(json_parser_exports);
-const { hasOwn: ObjectHasOwn } = Object;
+const DANGEROUS_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+function prototypePollutionReviver(key, value) {
+  if (DANGEROUS_KEYS.has(key)) {
+    throw new Error(
+      "JSON contains potentially malicious prototype pollution keys"
+    );
+  }
+  return value;
+}
 function safeJsonParse(jsonString, schema, options = {}) {
   const { allowPrototype = false, maxSize = 10 * 1024 * 1024 } = options;
   const byteLength = Buffer.byteLength(jsonString, "utf8");
@@ -38,20 +46,10 @@ function safeJsonParse(jsonString, schema, options = {}) {
   }
   let parsed;
   try {
-    parsed = JSON.parse(jsonString);
+    parsed = allowPrototype ? JSON.parse(jsonString) : JSON.parse(jsonString, prototypePollutionReviver);
   } catch (error) {
     throw new Error(`Failed to parse JSON: ${error}`);
   }
-  if (!allowPrototype && typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
-    const dangerous = ["__proto__", "constructor", "prototype"];
-    for (const key of dangerous) {
-      if (ObjectHasOwn(parsed, key)) {
-        throw new Error(
-          "JSON contains potentially malicious prototype pollution keys"
-        );
-      }
-    }
-  }
   if (schema) {
     const result = schema.safeParse(parsed);
     if (!result.success) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.11.1",
+  "version": "5.11.3",
   "packageManager": "pnpm@10.33.0",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
@@ -734,7 +734,7 @@
     "@socketregistry/is-unicode-supported": "1.0.5",
     "@socketregistry/packageurl-js": "1.3.5",
     "@socketregistry/yocto-spinner": "1.0.25",
-    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.11.0",
+    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.11.2",
     "@types/node": "24.9.2",
     "@typescript/native-preview": "7.0.0-dev.20250920.1",
     "@vitest/coverage-v8": "4.0.3",
@@ -764,15 +764,16 @@
     "npm-package-arg": "13.0.0",
     "oxfmt": "^0.37.0",
     "oxlint": "1.53.0",
+    "p-map": "7.0.4",
     "pacote": "21.0.1",
-    "picomatch": "2.3.1",
+    "picomatch": "4.0.4",
     "pony-cause": "2.1.11",
     "semver": "7.7.2",
     "signal-exit": "4.1.0",
     "spdx-correct": "3.2.0",
     "spdx-expression-parse": "4.0.0",
     "streaming-iterables": "8.0.1",
-    "supports-color": "10.0.0",
+    "supports-color": "10.2.2",
     "tar-fs": "3.1.2",
     "tar-stream": "3.1.8",
     "taze": "19.9.2",
@@ -821,7 +822,8 @@
       "minizlib": "3.1.0",
       "npm-package-arg": "12.0.2",
       "npm-pick-manifest": "10.0.0",
-      "picomatch": "4.0.3",
+      "p-map": "7.0.4",
+      "picomatch": "4.0.4",
       "proc-log": "6.1.0",
       "semver": "7.7.2",
       "signal-exit": "4.1.0",
@@ -829,7 +831,7 @@
       "ssri": "12.0.0",
       "string-width": "8.1.0",
       "strip-ansi": "7.1.2",
-      "supports-color": "10.0.0",
+      "supports-color": "10.2.2",
       "tar": "7.5.11",
       "which": "5.0.0",
       "wrap-ansi": "9.0.2",