@socketsecurity/lib 5.11.2 → 5.11.4

package/CHANGELOG.md

@@ -5,6 +5,30 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.11.4](https://github.com/SocketDev/socket-lib/releases/tag/v5.11.4) - 2026-03-28
+
+### Changed
+
+- **perf**: Lazy-load heavy external sub-bundles across 7 modules (#119)
+  - `sorts.ts`: Defer semver (2.5 MB via npm-pack) and fastSort until first use
+  - `versions.ts`: Defer semver until first use
+  - `archives.ts`: Defer adm-zip (102 KB) and tar-fs (105 KB) until extraction
+  - `globs.ts`: Defer fast-glob and picomatch (260 KB via pico-pack) until glob execution
+  - `fs.ts`: Defer del (260 KB via pico-pack) until safeDelete call
+  - `spawn.ts`: Defer @npmcli/promise-spawn (17 KB) until async spawn
+  - `strings.ts`: Defer get-east-asian-width (10 KB) until stringWidth call
+- Importing lightweight exports (isObject, httpJson, localeCompare, readJsonSync, stripAnsi) no longer loads heavy externals at module init time
+
+## [5.11.3](https://github.com/SocketDev/socket-lib/releases/tag/v5.11.3) - 2026-03-26
+
+### Fixed
+
+- **build**: Deduplicate shared deps across external bundles (#110)
+- **quality**: Comprehensive quality scan fixes across codebase (#111)
+- **releases**: Add in-memory TTL cache for GitHub API responses
+- **releases**: Guard against missing assets in GitHub release response (#112)
+- **process-lock**: Fix Windows path separator handling for lock directory creation (#112)
+
 ## [5.11.2](https://github.com/SocketDev/socket-lib/releases/tag/v5.11.2) - 2026-03-24
 
 ### Added

package/dist/abort.js

@@ -51,9 +51,7 @@ function createTimeoutSignal(ms) {
   if (ms <= 0) {
     throw new TypeError("timeout must be a positive number");
   }
-  const controller = new AbortController();
-  setTimeout(() => controller.abort(), ms);
-  return controller.signal;
+  return AbortSignal.timeout(Math.ceil(ms));
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/ansi.js

@@ -39,7 +39,7 @@ const ANSI_REGEX = /\x1b\[[0-9;]*m/g;
 // @__NO_SIDE_EFFECTS__
 function ansiRegex(options) {
   const { onlyFirst } = options ?? {};
-  const ST = "(?:\\u0007\\u001B\\u005C|\\u009C)";
+  const ST = "(?:\\u0007|\\u001B\\u005C|\\u009C)";
   const osc = `(?:\\u001B\\][\\s\\S]*?${ST})`;
   const csi = "[\\u001B\\u009B][[\\]()#;?]*(?:\\d{1,4}(?:[;:]\\d{0,4})*)?[\\dA-PR-TZcf-nq-uy=><~]";
   const pattern = `${osc}|${csi}`;

package/dist/archives.d.ts

@@ -10,6 +10,8 @@ export interface ExtractOptions {
     quiet?: boolean;
     /** Strip leading path components (like tar --strip-components) */
     strip?: number;
+    /** Maximum number of entries to extract (default: 100,000) */
+    maxEntries?: number;
     /** Maximum size of a single extracted file in bytes (default: 100MB) */
     maxFileSize?: number;
     /** Maximum total extracted size in bytes (default: 1GB) */

package/dist/archives.js

@@ -40,10 +40,24 @@ var import_node_fs = require("node:fs");
 var import_promises = require("node:stream/promises");
 var import_node_zlib = require("node:zlib");
 var import_node_process = __toESM(require("node:process"));
-var import_adm_zip = __toESM(require("./external/adm-zip.js"));
-var import_tar_fs = __toESM(require("./external/tar-fs.js"));
 var import_fs = require("./fs.js");
 var import_normalize = require("./paths/normalize.js");
+let _AdmZip;
+// @__NO_SIDE_EFFECTS__
+function getAdmZip() {
+  if (_AdmZip === void 0) {
+    _AdmZip = require("./external/adm-zip.js");
+  }
+  return _AdmZip;
+}
+let _tarFs;
+// @__NO_SIDE_EFFECTS__
+function getTarFs() {
+  if (_tarFs === void 0) {
+    _tarFs = require("./external/tar-fs.js");
+  }
+  return _tarFs;
+}
 let _path;
 // @__NO_SIDE_EFFECTS__
 function getPath() {
@@ -54,6 +68,7 @@ function getPath() {
 }
 const DEFAULT_MAX_FILE_SIZE = 100 * 1024 * 1024;
 const DEFAULT_MAX_TOTAL_SIZE = 1024 * 1024 * 1024;
+const DEFAULT_MAX_ENTRIES = 1e5;
 function validatePathWithinBase(targetPath, baseDir, entryName) {
   const path = /* @__PURE__ */ getPath();
   const resolvedTarget = path.resolve(targetPath);
@@ -82,6 +97,7 @@ function detectArchiveFormat(filePath) {
 }
 async function extractTar(archivePath, outputDir, options = {}) {
   const {
+    maxEntries = DEFAULT_MAX_ENTRIES,
     maxFileSize = DEFAULT_MAX_FILE_SIZE,
     maxTotalSize = DEFAULT_MAX_TOTAL_SIZE,
     strip = 0
@@ -89,12 +105,37 @@ async function extractTar(archivePath, outputDir, options = {}) {
   const normalizedOutputDir = (0, import_normalize.normalizePath)(outputDir);
   await (0, import_fs.safeMkdir)(normalizedOutputDir);
   let totalExtractedSize = 0;
+  let entryCount = 0;
   let destroyScheduled = false;
-  const extractStream = import_tar_fs.default.extract(normalizedOutputDir, {
+  const tarFs = /* @__PURE__ */ getTarFs();
+  const extractStream = tarFs.extract(normalizedOutputDir, {
     map: (header) => {
       if (destroyScheduled) {
         return header;
       }
+      entryCount += 1;
+      if (entryCount > maxEntries) {
+        destroyScheduled = true;
+        import_node_process.default.nextTick(() => {
+          extractStream.destroy(
+            new Error(
+              `Archive has too many entries: exceeded limit of ${maxEntries}`
+            )
+          );
+        });
+        return header;
+      }
+      if (header.name.includes("\0")) {
+        destroyScheduled = true;
+        import_node_process.default.nextTick(() => {
+          extractStream.destroy(
+            new Error(
+              `Invalid null byte in archive entry name: ${header.name}`
+            )
+          );
+        });
+        return header;
+      }
       if (header.type === "symlink" || header.type === "link") {
         destroyScheduled = true;
         import_node_process.default.nextTick(() => {
@@ -147,6 +188,7 @@ async function extractTar(archivePath, outputDir, options = {}) {
 }
 async function extractTarGz(archivePath, outputDir, options = {}) {
   const {
+    maxEntries = DEFAULT_MAX_ENTRIES,
     maxFileSize = DEFAULT_MAX_FILE_SIZE,
     maxTotalSize = DEFAULT_MAX_TOTAL_SIZE,
     strip = 0
@@ -154,12 +196,37 @@ async function extractTarGz(archivePath, outputDir, options = {}) {
   const normalizedOutputDir = (0, import_normalize.normalizePath)(outputDir);
   await (0, import_fs.safeMkdir)(normalizedOutputDir);
   let totalExtractedSize = 0;
+  let entryCount = 0;
   let destroyScheduled = false;
-  const extractStream = import_tar_fs.default.extract(normalizedOutputDir, {
+  const tarFs = /* @__PURE__ */ getTarFs();
+  const extractStream = tarFs.extract(normalizedOutputDir, {
     map: (header) => {
       if (destroyScheduled) {
         return header;
       }
+      entryCount += 1;
+      if (entryCount > maxEntries) {
+        destroyScheduled = true;
+        import_node_process.default.nextTick(() => {
+          extractStream.destroy(
+            new Error(
+              `Archive has too many entries: exceeded limit of ${maxEntries}`
+            )
+          );
+        });
+        return header;
+      }
+      if (header.name.includes("\0")) {
+        destroyScheduled = true;
+        import_node_process.default.nextTick(() => {
+          extractStream.destroy(
+            new Error(
+              `Invalid null byte in archive entry name: ${header.name}`
+            )
+          );
+        });
+        return header;
+      }
       if (header.type === "symlink" || header.type === "link") {
         destroyScheduled = true;
         import_node_process.default.nextTick(() => {
@@ -212,20 +279,32 @@ async function extractTarGz(archivePath, outputDir, options = {}) {
 }
 async function extractZip(archivePath, outputDir, options = {}) {
   const {
+    maxEntries = DEFAULT_MAX_ENTRIES,
     maxFileSize = DEFAULT_MAX_FILE_SIZE,
     maxTotalSize = DEFAULT_MAX_TOTAL_SIZE,
     strip = 0
   } = options;
   const normalizedOutputDir = (0, import_normalize.normalizePath)(outputDir);
   await (0, import_fs.safeMkdir)(normalizedOutputDir);
-  const zip = new import_adm_zip.default(archivePath);
+  const AdmZip = /* @__PURE__ */ getAdmZip();
+  const zip = new AdmZip(archivePath);
   const path = /* @__PURE__ */ getPath();
   const entries = zip.getEntries();
+  if (entries.length > maxEntries) {
+    throw new Error(
+      `Archive has too many entries: ${entries.length} (limit: ${maxEntries})`
+    );
+  }
   let totalExtractedSize = 0;
   for (const entry of entries) {
     if (entry.isDirectory) {
       continue;
     }
+    if (entry.entryName.includes("\0")) {
+      throw new Error(
+        `Invalid null byte in archive entry name: ${entry.entryName}`
+      );
+    }
     const uncompressedSize = entry.header.size;
     if (uncompressedSize > maxFileSize) {
       throw new Error(

package/dist/argv/parse.js

@@ -157,12 +157,7 @@ function getPositionalArgs(startIndex = 2) {
   return positionals;
 }
 function hasFlag(flag, argv = import_node_process.default.argv) {
-  const flagVariants = [
-    `--${flag}`,
-    // Short flag.
-    `-${flag.charAt(0)}`
-  ];
-  return flagVariants.some((variant) => argv.includes(variant));
+  return argv.includes(`--${flag}`);
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/cache-with-ttl.js

@@ -90,9 +90,16 @@ function createTtlCache(options) {
     }
     const cacheEntry = await cacache.safeGet(fullKey);
     if (cacheEntry) {
-      const entry = JSON.parse(
-        cacheEntry.data.toString("utf8")
-      );
+      let entry;
+      try {
+        entry = JSON.parse(cacheEntry.data.toString("utf8"));
+      } catch {
+        try {
+          await cacache.remove(fullKey);
+        } catch {
+        }
+        return void 0;
+      }
       if (!isExpired(entry)) {
         if (opts.memoize) {
           memoCache.set(fullKey, entry);

package/dist/dlx/binary.js

@@ -306,11 +306,17 @@ Check your internet connection or verify the URL is accessible.`,
       const fileBuffer = await fs.promises.readFile(destPath);
       const hash = crypto.createHash("sha512").update(fileBuffer).digest("base64");
       const actualIntegrity = `sha512-${hash}`;
-      if (integrity && actualIntegrity !== integrity) {
-        await (0, import_fs.safeDelete)(destPath);
-        throw new Error(
-          `Integrity mismatch: expected ${integrity}, got ${actualIntegrity}`
+      if (integrity) {
+        const integrityMatch = actualIntegrity.length === integrity.length && crypto.timingSafeEqual(
+          Buffer.from(actualIntegrity),
+          Buffer.from(integrity)
         );
+        if (!integrityMatch) {
+          await (0, import_fs.safeDelete)(destPath);
+          throw new Error(
+            `Integrity mismatch: expected ${integrity}, got ${actualIntegrity}`
+          );
+        }
       }
       if (!import_platform.WIN32) {
         await fs.promises.chmod(destPath, 493);

package/dist/dlx/manifest.js

@@ -45,6 +45,8 @@ function getPath() {
   }
   return _path;
 }
+const fs = /* @__PURE__ */ getFs();
+const path = /* @__PURE__ */ getPath();
 const logger = (0, import_logger.getDefaultLogger)();
 const MANIFEST_FILE_NAME = ".dlx-manifest.json";
 function isBinaryEntry(entry) {
@@ -57,7 +59,7 @@ class DlxManifest {
   manifestPath;
   lockPath;
   constructor(options = {}) {
-    this.manifestPath = options.manifestPath ?? (/* @__PURE__ */ getPath()).join((0, import_socket.getSocketDlxDir)(), MANIFEST_FILE_NAME);
+    this.manifestPath = options.manifestPath ?? path.join((0, import_socket.getSocketDlxDir)(), MANIFEST_FILE_NAME);
     this.lockPath = `${this.manifestPath}.lock`;
   }
   /**
@@ -66,7 +68,7 @@ class DlxManifest {
    */
   readManifest() {
     try {
-      if (!(/* @__PURE__ */ getFs()).existsSync(this.manifestPath)) {
+      if (!fs.existsSync(this.manifestPath)) {
         return /* @__PURE__ */ Object.create(null);
       }
       const rawContent = (0, import_fs.readFileUtf8Sync)(this.manifestPath);
@@ -87,7 +89,7 @@ class DlxManifest {
    * @private
    */
   async writeManifest(data) {
-    const manifestDir = (/* @__PURE__ */ getPath()).dirname(this.manifestPath);
+    const manifestDir = path.dirname(this.manifestPath);
     try {
       (0, import_fs.safeMkdirSync)(manifestDir, { recursive: true });
     } catch (error) {
@@ -98,18 +100,12 @@ class DlxManifest {
     const content = JSON.stringify(data, null, 2);
     const tempPath = `${this.manifestPath}.tmp`;
     try {
-      (/* @__PURE__ */ getFs()).writeFileSync(tempPath, content, "utf8");
-      (/* @__PURE__ */ getFs()).writeFileSync(this.manifestPath, content, "utf8");
-      try {
-        if ((/* @__PURE__ */ getFs()).existsSync(tempPath)) {
-          (/* @__PURE__ */ getFs()).unlinkSync(tempPath);
-        }
-      } catch {
-      }
+      fs.writeFileSync(tempPath, content, "utf8");
+      fs.renameSync(tempPath, this.manifestPath);
     } catch (error) {
       try {
-        if ((/* @__PURE__ */ getFs()).existsSync(tempPath)) {
-          (/* @__PURE__ */ getFs()).unlinkSync(tempPath);
+        if (fs.existsSync(tempPath)) {
+          fs.unlinkSync(tempPath);
         }
       } catch {
       }
@@ -122,17 +118,16 @@ class DlxManifest {
   async clear(name) {
     await import_process_lock.processLock.withLock(this.lockPath, async () => {
       try {
-        if (!(/* @__PURE__ */ getFs()).existsSync(this.manifestPath)) {
+        if (!fs.existsSync(this.manifestPath)) {
           return;
         }
-        const content = (/* @__PURE__ */ getFs()).readFileSync(this.manifestPath, "utf8");
+        const content = fs.readFileSync(this.manifestPath, "utf8");
         if (!content.trim()) {
           return;
         }
         const data = JSON.parse(content);
         delete data[name];
-        const updatedContent = JSON.stringify(data, null, 2);
-        (/* @__PURE__ */ getFs()).writeFileSync(this.manifestPath, updatedContent, "utf8");
+        await this.writeManifest(data);
       } catch (error) {
         logger.warn(
           `Failed to clear cache for ${name}: ${error instanceof Error ? error.message : String(error)}`
@@ -146,8 +141,8 @@ class DlxManifest {
   async clearAll() {
     await import_process_lock.processLock.withLock(this.lockPath, async () => {
       try {
-        if ((/* @__PURE__ */ getFs()).existsSync(this.manifestPath)) {
-          (/* @__PURE__ */ getFs()).unlinkSync(this.manifestPath);
+        if (fs.existsSync(this.manifestPath)) {
+          fs.unlinkSync(this.manifestPath);
         }
       } catch (error) {
         logger.warn(
@@ -173,7 +168,7 @@ class DlxManifest {
    */
   getAllPackages() {
     try {
-      if (!(/* @__PURE__ */ getFs()).existsSync(this.manifestPath)) {
+      if (!fs.existsSync(this.manifestPath)) {
         return [];
       }
       const rawContent = (0, import_fs.readFileUtf8Sync)(this.manifestPath);
@@ -219,8 +214,8 @@ class DlxManifest {
     await import_process_lock.processLock.withLock(this.lockPath, async () => {
       let data = /* @__PURE__ */ Object.create(null);
       try {
-        if ((/* @__PURE__ */ getFs()).existsSync(this.manifestPath)) {
-          const content2 = (/* @__PURE__ */ getFs()).readFileSync(this.manifestPath, "utf8");
+        if (fs.existsSync(this.manifestPath)) {
+          const content2 = fs.readFileSync(this.manifestPath, "utf8");
           if (content2.trim()) {
             data = JSON.parse(content2);
           }
@@ -231,7 +226,7 @@ class DlxManifest {
         );
       }
       data[name] = record;
-      const manifestDir = (/* @__PURE__ */ getPath()).dirname(this.manifestPath);
+      const manifestDir = path.dirname(this.manifestPath);
       try {
         (0, import_fs.safeMkdirSync)(manifestDir, { recursive: true });
       } catch (error) {
@@ -242,18 +237,12 @@ class DlxManifest {
       const content = JSON.stringify(data, null, 2);
       const tempPath = `${this.manifestPath}.tmp`;
       try {
-        (/* @__PURE__ */ getFs()).writeFileSync(tempPath, content, "utf8");
-        (/* @__PURE__ */ getFs()).writeFileSync(this.manifestPath, content, "utf8");
-        try {
-          if ((/* @__PURE__ */ getFs()).existsSync(tempPath)) {
-            (/* @__PURE__ */ getFs()).unlinkSync(tempPath);
-          }
-        } catch {
-        }
+        fs.writeFileSync(tempPath, content, "utf8");
+        fs.renameSync(tempPath, this.manifestPath);
       } catch (error) {
         try {
-          if ((/* @__PURE__ */ getFs()).existsSync(tempPath)) {
-            (/* @__PURE__ */ getFs()).unlinkSync(tempPath);
+          if (fs.existsSync(tempPath)) {
+            fs.unlinkSync(tempPath);
           }
         } catch {
         }