@socketsecurity/lib 5.11.2 → 5.11.4

package/dist/globs.js

@@ -1,10 +1,8 @@
 "use strict";
 /* Socket Lib - Built with esbuild */
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -18,14 +16,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var globs_exports = {};
 __export(globs_exports, {
@@ -36,10 +26,24 @@ __export(globs_exports, {
   globSync: () => globSync
 });
 module.exports = __toCommonJS(globs_exports);
-var fastGlob = __toESM(require("./external/fast-glob.js"));
-var import_picomatch = __toESM(require("./external/picomatch.js"));
 var import_objects = require("./objects");
 var import_globs = require("./paths/globs");
+let _fastGlob;
+// @__NO_SIDE_EFFECTS__
+function getFastGlob() {
+  if (_fastGlob === void 0) {
+    _fastGlob = require("./external/fast-glob.js");
+  }
+  return _fastGlob;
+}
+let _picomatch;
+// @__NO_SIDE_EFFECTS__
+function getPicomatch() {
+  if (_picomatch === void 0) {
+    _picomatch = require("./external/picomatch.js");
+  }
+  return _picomatch;
+}
 const defaultIgnore = (0, import_objects.objectFreeze)([
   // Most of these ignored files can be included specifically if included in the
   // files globs. Exceptions to this are:
@@ -95,6 +99,7 @@ function globStreamLicenses(dirname, options) {
   if (ignoreOriginals) {
     ignore.push(import_globs.LICENSE_ORIGINAL_GLOB_RECURSIVE);
   }
+  const fastGlob = /* @__PURE__ */ getFastGlob();
   return fastGlob.globStream(
     [recursive ? import_globs.LICENSE_GLOB_RECURSIVE : import_globs.LICENSE_GLOB],
     {
@@ -142,7 +147,8 @@ function getGlobMatcher(glob2, options) {
     ...options,
     ...negativePatterns.length > 0 ? { ignore: negativePatterns } : {}
   };
-  matcher = (0, import_picomatch.default)(
+  const picomatch = /* @__PURE__ */ getPicomatch();
+  matcher = picomatch(
     positivePatterns.length > 0 ? positivePatterns : patterns,
     matchOptions
   );
@@ -152,10 +158,12 @@ function getGlobMatcher(glob2, options) {
 }
 // @__NO_SIDE_EFFECTS__
 function glob(patterns, options) {
+  const fastGlob = /* @__PURE__ */ getFastGlob();
   return fastGlob.glob(patterns, options);
 }
 // @__NO_SIDE_EFFECTS__
 function globSync(patterns, options) {
+  const fastGlob = /* @__PURE__ */ getFastGlob();
   return fastGlob.globSync(patterns, options);
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/http-request.js

@@ -147,6 +147,15 @@ async function httpDownloadAttempt(url, destPath, options) {
             return;
           }
           const redirectUrl = res.headers.location.startsWith("http") ? res.headers.location : new URL(res.headers.location, url).toString();
+          const redirectParsed = new URL(redirectUrl);
+          if (isHttps && redirectParsed.protocol !== "https:") {
+            reject(
+              new Error(
+                `Redirect from HTTPS to HTTP is not allowed: ${redirectUrl}`
+              )
+            );
+            return;
+          }
           resolve(
             httpDownloadAttempt(redirectUrl, destPath, {
               ca,
@@ -270,6 +279,15 @@ async function httpRequestAttempt(url, options) {
             return;
           }
           const redirectUrl = res.headers.location.startsWith("http") ? res.headers.location : new URL(res.headers.location, url).toString();
+          const redirectParsed = new URL(redirectUrl);
+          if (isHttps && redirectParsed.protocol !== "https:") {
+            reject(
+              new Error(
+                `Redirect from HTTPS to HTTP is not allowed: ${redirectUrl}`
+              )
+            );
+            return;
+          }
           resolve(
             httpRequestAttempt(redirectUrl, {
               body,
@@ -311,6 +329,9 @@ async function httpRequestAttempt(url, options) {
           };
           resolve(response);
         });
+        res.on("error", (error) => {
+          reject(error);
+        });
       }
     );
     request.on("error", (error) => {
@@ -369,8 +390,10 @@ async function httpDownload(url, destPath, options) {
       }
     };
   }
+  const crypto = /* @__PURE__ */ getCrypto();
   const fs = /* @__PURE__ */ getFs();
-  const tempPath = `${destPath}.download`;
+  const tempSuffix = crypto.randomBytes(6).toString("hex");
+  const tempPath = `${destPath}.${tempSuffix}.download`;
   if (fs.existsSync(tempPath)) {
     await (0, import_fs.safeDelete)(tempPath);
   }
@@ -386,14 +409,17 @@ async function httpDownload(url, destPath, options) {
         timeout
       });
       if (sha256) {
-        const crypto = /* @__PURE__ */ getCrypto();
         const fileContent = await fs.promises.readFile(tempPath);
         const computedHash = crypto.createHash("sha256").update(fileContent).digest("hex");
-        if (computedHash !== sha256.toLowerCase()) {
+        const expectedHash = sha256.toLowerCase();
+        if (computedHash.length !== expectedHash.length || !crypto.timingSafeEqual(
+          Buffer.from(computedHash),
+          Buffer.from(expectedHash)
+        )) {
           await (0, import_fs.safeDelete)(tempPath);
           throw new Error(
             `Checksum verification failed for ${url}
-Expected: ${sha256.toLowerCase()}
+Expected: ${expectedHash}
 Computed: ${computedHash}`
           );
         }

package/dist/ipc.js

@@ -116,7 +116,7 @@ async function ensureIpcDirectory(filePath) {
   const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
   const dir = path.dirname(filePath);
-  await fs.promises.mkdir(dir, { recursive: true });
+  await fs.promises.mkdir(dir, { recursive: true, mode: 448 });
 }
 async function writeIpcStub(appName, data) {
   const stubPath = getIpcStubPath(appName);
@@ -128,11 +128,10 @@ async function writeIpcStub(appName, data) {
   };
   const validated = IpcStubSchema.parse(ipcData);
   const fs = /* @__PURE__ */ getFs();
-  await fs.promises.writeFile(
-    stubPath,
-    JSON.stringify(validated, null, 2),
-    "utf8"
-  );
+  await fs.promises.writeFile(stubPath, JSON.stringify(validated, null, 2), {
+    encoding: "utf8",
+    mode: 384
+  });
   return stubPath;
 }
 async function readIpcStub(stubPath) {
@@ -179,6 +178,7 @@ async function cleanupIpcStubs(appName) {
               const contentAge = now - validated.timestamp;
               isStale = isStale || contentAge > maxAgeMs;
             } catch {
+              isStale = true;
             }
             if (isStale) {
               (0, import_fs.safeDeleteSync)(filePath, { force: true });
@@ -239,6 +239,7 @@ function waitForIpc(messageType, options = {}) {
     cleanup = onIpc(handleMessage);
     if (timeout > 0) {
       timeoutId = setTimeout(handleTimeout, timeout);
+      timeoutId.unref();
     }
   });
 }

package/dist/memoization.js

@@ -29,6 +29,7 @@ __export(memoization_exports, {
 });
 module.exports = __toCommonJS(memoization_exports);
 var import_debug = require("./debug");
+const cacheRegistry = [];
 function memoize(fn, options = {}) {
   const {
     keyGen = (...args) => JSON.stringify(args),
@@ -41,6 +42,10 @@ function memoize(fn, options = {}) {
   }
   const cache = /* @__PURE__ */ new Map();
   const accessOrder = [];
+  cacheRegistry.push(() => {
+    cache.clear();
+    accessOrder.length = 0;
+  });
   function evictLRU() {
     if (cache.size >= maxSize && accessOrder.length > 0) {
       const oldest = accessOrder.shift();
@@ -62,15 +67,22 @@ function memoize(fn, options = {}) {
   return function memoized(...args) {
     const key = keyGen(...args);
     const cached = cache.get(key);
-    if (cached && !isExpired(cached)) {
-      cached.hits++;
+    if (cached) {
+      if (!isExpired(cached)) {
+        cached.hits++;
+        const index2 = accessOrder.indexOf(key);
+        if (index2 !== -1) {
+          accessOrder.splice(index2, 1);
+        }
+        accessOrder.push(key);
+        (0, import_debug.debugLog)(`[memoize:${name}] hit`, { key, hits: cached.hits });
+        return cached.value;
+      }
+      cache.delete(key);
       const index = accessOrder.indexOf(key);
       if (index !== -1) {
         accessOrder.splice(index, 1);
       }
-      accessOrder.push(key);
-      (0, import_debug.debugLog)(`[memoize:${name}] hit`, { key, hits: cached.hits });
-      return cached.value;
     }
     (0, import_debug.debugLog)(`[memoize:${name}] miss`, { key });
     const value = fn(...args);
@@ -94,6 +106,10 @@ function memoizeAsync(fn, options = {}) {
   } = options;
   const cache = /* @__PURE__ */ new Map();
   const accessOrder = [];
+  cacheRegistry.push(() => {
+    cache.clear();
+    accessOrder.length = 0;
+  });
   function evictLRU() {
     if (cache.size >= maxSize && accessOrder.length > 0) {
       const oldest = accessOrder.shift();
@@ -112,22 +128,36 @@ function memoizeAsync(fn, options = {}) {
     }
     return Date.now() - entry.timestamp > ttl;
   }
+  const refreshing = /* @__PURE__ */ new Set();
   return async function memoized(...args) {
     const key = keyGen(...args);
     const cached = cache.get(key);
-    if (cached && !isExpired(cached)) {
-      cached.hits++;
+    if (cached) {
+      if (!isExpired(cached)) {
+        cached.hits++;
+        const index2 = accessOrder.indexOf(key);
+        if (index2 !== -1) {
+          accessOrder.splice(index2, 1);
+        }
+        accessOrder.push(key);
+        (0, import_debug.debugLog)(`[memoizeAsync:${name}] hit`, { key, hits: cached.hits });
+        return await cached.value;
+      }
+      if (refreshing.has(key)) {
+        (0, import_debug.debugLog)(`[memoizeAsync:${name}] stale-dedup`, { key });
+        return await cached.value;
+      }
+      cache.delete(key);
       const index = accessOrder.indexOf(key);
       if (index !== -1) {
         accessOrder.splice(index, 1);
       }
-      accessOrder.push(key);
-      (0, import_debug.debugLog)(`[memoizeAsync:${name}] hit`, { key, hits: cached.hits });
-      return await cached.value;
     }
     (0, import_debug.debugLog)(`[memoizeAsync:${name}] miss`, { key });
+    refreshing.add(key);
     const promise = fn(...args).then(
       (result) => {
+        refreshing.delete(key);
         const entry = cache.get(key);
         if (entry) {
           entry.value = Promise.resolve(result);
@@ -135,6 +165,7 @@ function memoizeAsync(fn, options = {}) {
         return result;
       },
       (error) => {
+        refreshing.delete(key);
         cache.delete(key);
         const index = accessOrder.indexOf(key);
         if (index !== -1) {
@@ -167,14 +198,16 @@ function Memoize(options = {}) {
 }
 function clearAllMemoizationCaches() {
   (0, import_debug.debugLog)("[memoize:all] clear", { action: "clear-all-caches" });
+  for (const clear of cacheRegistry) {
+    clear();
+  }
 }
 function memoizeWeak(fn) {
   const cache = /* @__PURE__ */ new WeakMap();
   return function memoized(key) {
-    const cached = cache.get(key);
-    if (cached !== void 0) {
+    if (cache.has(key)) {
       (0, import_debug.debugLog)(`[memoizeWeak:${fn.name}] hit`);
-      return cached;
+      return cache.get(key);
     }
     (0, import_debug.debugLog)(`[memoizeWeak:${fn.name}] miss`);
     const result = fn(key);

package/dist/packages/isolation.js

@@ -69,7 +69,15 @@ async function resolveRealPath(pathStr) {
 }
 async function mergePackageJson(pkgJsonPath, originalPkgJson) {
   const fs = /* @__PURE__ */ getFs();
-  const pkgJson = JSON.parse(await fs.promises.readFile(pkgJsonPath, "utf8"));
+  let pkgJson;
+  try {
+    pkgJson = JSON.parse(await fs.promises.readFile(pkgJsonPath, "utf8"));
+  } catch (error) {
+    throw new Error(
+      `Failed to parse ${pkgJsonPath}: ${error instanceof Error ? error.message : String(error)}`,
+      { cause: error }
+    );
+  }
   const mergedPkgJson = originalPkgJson ? { ...originalPkgJson, ...pkgJson } : pkgJson;
   return mergedPkgJson;
 }

package/dist/process-lock.js

@@ -179,7 +179,14 @@ class ProcessLockManager {
           if (existsSync(lockPath)) {
             throw new Error(`Lock already exists: ${lockPath}`);
           }
-          mkdirSync(lockPath, { recursive: true });
+          const lastSlash = Math.max(
+            lockPath.lastIndexOf("/"),
+            lockPath.lastIndexOf("\\")
+          );
+          if (lastSlash > 0) {
+            mkdirSync(lockPath.slice(0, lastSlash), { recursive: true });
+          }
+          mkdirSync(lockPath);
           this.activeLocks.add(lockPath);
           this.startTouchTimer(lockPath, touchIntervalMs);
           return () => this.release(lockPath);
@@ -204,7 +211,10 @@ class ProcessLockManager {
             );
           }
           if (code === "ENOTDIR") {
-            const lastSlashIndex = lockPath.lastIndexOf("/");
+            const lastSlashIndex = Math.max(
+              lockPath.lastIndexOf("/"),
+              lockPath.lastIndexOf("\\")
+            );
             const parentDir = lastSlashIndex === -1 ? "." : lockPath.slice(0, lastSlashIndex);
             throw new Error(
               `Cannot create lock directory: ${lockPath}
@@ -218,7 +228,10 @@ To resolve:
             );
           }
           if (code === "ENOENT") {
-            const lastSlashIndex = lockPath.lastIndexOf("/");
+            const lastSlashIndex = Math.max(
+              lockPath.lastIndexOf("/"),
+              lockPath.lastIndexOf("\\")
+            );
             const parentDir = lastSlashIndex === -1 ? "." : lockPath.slice(0, lastSlashIndex);
             throw new Error(
               `Cannot create lock directory: ${lockPath}

package/dist/promise-queue.d.ts

@@ -1,6 +1,7 @@
 export declare class PromiseQueue {
     private queue;
     private running;
+    private idleResolvers;
     private readonly maxConcurrency;
     private readonly maxQueueLength;
     /**
@@ -16,6 +17,7 @@ export declare class PromiseQueue {
      */
     add<T>(fn: () => Promise<T>): Promise<T>;
     private runNext;
+    private notifyIdleIfNeeded;
     /**
      * Wait for all queued and running tasks to complete
      */

package/dist/promise-queue.js

@@ -25,6 +25,7 @@ module.exports = __toCommonJS(promise_queue_exports);
 class PromiseQueue {
   queue = [];
   running = 0;
+  idleResolvers = [];
   maxConcurrency;
   maxQueueLength;
   /**
@@ -47,7 +48,7 @@ class PromiseQueue {
   async add(fn) {
     return await new Promise((resolve, reject) => {
       const task = { fn, resolve, reject };
-      if (this.maxQueueLength && this.queue.length >= this.maxQueueLength) {
+      if (this.maxQueueLength !== void 0 && this.queue.length >= this.maxQueueLength) {
         const droppedTask = this.queue.shift();
         if (droppedTask) {
           droppedTask.reject(new Error("Task dropped: queue length exceeded"));
@@ -59,6 +60,7 @@ class PromiseQueue {
   }
   runNext() {
     if (this.running >= this.maxConcurrency || this.queue.length === 0) {
+      this.notifyIdleIfNeeded();
       return;
     }
     const task = this.queue.shift();
@@ -71,19 +73,23 @@ class PromiseQueue {
       this.runNext();
     });
   }
+  notifyIdleIfNeeded() {
+    if (this.running === 0 && this.queue.length === 0) {
+      for (const resolve of this.idleResolvers) {
+        resolve();
+      }
+      this.idleResolvers = [];
+    }
+  }
   /**
    * Wait for all queued and running tasks to complete
    */
   async onIdle() {
+    if (this.running === 0 && this.queue.length === 0) {
+      return;
+    }
     return await new Promise((resolve) => {
-      const check = () => {
-        if (this.running === 0 && this.queue.length === 0) {
-          resolve();
-        } else {
-          setImmediate(check);
-        }
-      };
-      check();
+      this.idleResolvers.push(resolve);
     });
   }
   /**
@@ -102,7 +108,12 @@ class PromiseQueue {
    * Clear all pending tasks from the queue (does not affect running tasks)
    */
   clear() {
+    const pending = this.queue;
     this.queue = [];
+    for (const task of pending) {
+      task.reject(new Error("Task cancelled: queue cleared"));
+    }
+    this.notifyIdleIfNeeded();
   }
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/promises.js

@@ -203,9 +203,7 @@ async function pRetry(callbackFn, options) {
     try {
       return await callbackFn(...args || [], { signal });
     } catch (e) {
-      if (error === import_core.UNDEFINED_TOKEN) {
-        error = e;
-      }
+      error = e;
       if (attempts < 0) {
         break;
       }

package/dist/releases/github.js

@@ -294,7 +294,11 @@ async function getReleaseAssetUrl(tag, assetPattern, repoConfig, options = {}) {
           { cause }
         );
       }
-      const asset = release.assets.find((a) => isMatch(a.name));
+      const assets = release.assets;
+      if (!Array.isArray(assets)) {
+        throw new Error(`Release ${tag} has no assets`);
+      }
+      const asset = assets.find((a) => isMatch(a.name));
       if (!asset) {
         const patternDesc = typeof assetPattern === "string" ? assetPattern : "matching pattern";
         throw new Error(`Asset ${patternDesc} not found in release ${tag}`);

package/dist/sorts.js

@@ -1,10 +1,8 @@
 "use strict";
 /* Socket Lib - Built with esbuild */
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -18,14 +16,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var sorts_exports = {};
 __export(sorts_exports, {
@@ -36,10 +26,23 @@ __export(sorts_exports, {
   naturalSorter: () => naturalSorter
 });
 module.exports = __toCommonJS(sorts_exports);
-var fastSort = __toESM(require("./external/fast-sort.js"));
-var semver = __toESM(require("./external/semver.js"));
+let _semver;
+function getSemver() {
+  if (_semver === void 0) {
+    _semver = require("./external/semver.js");
+  }
+  return _semver;
+}
+let _fastSort;
+function getFastSort() {
+  if (_fastSort === void 0) {
+    _fastSort = require("./external/fast-sort.js");
+  }
+  return _fastSort;
+}
 // @__NO_SIDE_EFFECTS__
 function compareSemver(a, b) {
+  const semver = getSemver();
   const validA = semver.valid(a);
   const validB = semver.valid(b);
   if (!validA && !validB) {
@@ -90,6 +93,7 @@ let _naturalSorter;
 // @__NO_SIDE_EFFECTS__
 function naturalSorter(arrayToSort) {
   if (_naturalSorter === void 0) {
+    const fastSort = getFastSort();
     _naturalSorter = fastSort.createNewSortInstance({
       comparer: naturalCompare
     });

package/dist/spawn.js

@@ -39,13 +39,20 @@ module.exports = __toCommonJS(spawn_exports);
 var import_node_process = __toESM(require("node:process"));
 var import_process = require("./constants/process");
 var import_errors = require("./errors");
-var import_promise_spawn = __toESM(require("./external/@npmcli/promise-spawn"));
 var import_arrays = require("./arrays");
 var import_bin = require("./bin");
 var import_normalize = require("./paths/normalize");
 var import_objects = require("./objects");
 var import_spinner = require("./spinner");
 var import_strings = require("./strings");
+let _npmCliPromiseSpawn;
+// @__NO_SIDE_EFFECTS__
+function getNpmCliPromiseSpawn() {
+  if (_npmCliPromiseSpawn === void 0) {
+    _npmCliPromiseSpawn = require("./external/@npmcli/promise-spawn");
+  }
+  return _npmCliPromiseSpawn;
+}
 let _path;
 // @__NO_SIDE_EFFECTS__
 function getPath() {
@@ -235,7 +242,8 @@ function spawn(cmd, args, options, extra) {
     uid: spawnOptions.uid,
     gid: spawnOptions.gid
   };
-  const spawnPromise = (0, import_promise_spawn.default)(
+  const npmCliPromiseSpawn = /* @__PURE__ */ getNpmCliPromiseSpawn();
+  const spawnPromise = npmCliPromiseSpawn(
     actualCmd,
     args ? [...args] : [],
     promiseSpawnOpts,

package/dist/stdio/progress.js

@@ -196,7 +196,7 @@ class ProgressBar {
   }
 }
 function createProgressIndicator(current, total, label) {
-  const percent = Math.floor(current / total * 100);
+  const percent = total === 0 ? 0 : Math.floor(current / total * 100);
   const progress = `${current}/${total}`;
   let output = "";
   if (label) {

package/dist/strings.js

@@ -37,7 +37,14 @@ __export(strings_exports, {
 });
 module.exports = __toCommonJS(strings_exports);
 var import_ansi = require("./ansi");
-var import_get_east_asian_width = require("./external/get-east-asian-width");
+let _eastAsianWidth;
+// @__NO_SIDE_EFFECTS__
+function getEastAsianWidth() {
+  if (_eastAsianWidth === void 0) {
+    _eastAsianWidth = require("./external/get-east-asian-width").eastAsianWidth;
+  }
+  return _eastAsianWidth;
+}
 const fromCharCode = String.fromCharCode;
 // @__NO_SIDE_EFFECTS__
 function applyLinePrefix(str, options) {
@@ -164,6 +171,7 @@ function stringWidth(text) {
   }
   let width = 0;
   const eastAsianWidthOptions = { ambiguousAsWide: false };
+  const eastAsianWidth = /* @__PURE__ */ getEastAsianWidth();
   for (const { segment } of segmenter.segment(plainText)) {
     if (zeroWidthClusterRegex.test(segment)) {
       continue;
@@ -177,14 +185,14 @@ function stringWidth(text) {
     if (codePoint === void 0) {
       continue;
     }
-    width += (0, import_get_east_asian_width.eastAsianWidth)(codePoint, eastAsianWidthOptions);
+    width += eastAsianWidth(codePoint, eastAsianWidthOptions);
     if (segment.length > 1) {
       for (const char of segment.slice(1)) {
         const charCode = char.charCodeAt(0);
         if (charCode >= 65280 && charCode <= 65519) {
           const trailingCodePoint = char.codePointAt(0);
           if (trailingCodePoint !== void 0) {
-            width += (0, import_get_east_asian_width.eastAsianWidth)(trailingCodePoint, eastAsianWidthOptions);
+            width += eastAsianWidth(trailingCodePoint, eastAsianWidthOptions);
           }
         }
       }

package/dist/validation/json-parser.js

@@ -27,7 +27,15 @@ __export(json_parser_exports, {
   tryJsonParse: () => tryJsonParse
 });
 module.exports = __toCommonJS(json_parser_exports);
-const { hasOwn: ObjectHasOwn } = Object;
+const DANGEROUS_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+function prototypePollutionReviver(key, value) {
+  if (DANGEROUS_KEYS.has(key)) {
+    throw new Error(
+      "JSON contains potentially malicious prototype pollution keys"
+    );
+  }
+  return value;
+}
 function safeJsonParse(jsonString, schema, options = {}) {
   const { allowPrototype = false, maxSize = 10 * 1024 * 1024 } = options;
   const byteLength = Buffer.byteLength(jsonString, "utf8");
@@ -38,20 +46,10 @@ function safeJsonParse(jsonString, schema, options = {}) {
   }
   let parsed;
   try {
-    parsed = JSON.parse(jsonString);
+    parsed = allowPrototype ? JSON.parse(jsonString) : JSON.parse(jsonString, prototypePollutionReviver);
   } catch (error) {
     throw new Error(`Failed to parse JSON: ${error}`);
   }
-  if (!allowPrototype && typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
-    const dangerous = ["__proto__", "constructor", "prototype"];
-    for (const key of dangerous) {
-      if (ObjectHasOwn(parsed, key)) {
-        throw new Error(
-          "JSON contains potentially malicious prototype pollution keys"
-        );
-      }
-    }
-  }
   if (schema) {
     const result = schema.safeParse(parsed);
     if (!result.success) {