@socketsecurity/lib 5.11.3 → 5.11.4

package/dist/fs.js

@@ -63,7 +63,6 @@ module.exports = __toCommonJS(fs_exports);
 var import_node_process = __toESM(require("node:process"));
 var import_process = require("./constants/process");
 var import_arrays = require("./arrays");
-var import_del = require("./external/del");
 var import_promises = require("./promises");
 var import_globs = require("./globs");
 var import_parse = require("./json/parse");
@@ -72,6 +71,14 @@ var import_normalize = require("./paths/normalize");
 var import_rewire = require("./paths/rewire");
 var import_socket = require("./paths/socket");
 var import_sorts = require("./sorts");
+let _del;
+// @__NO_SIDE_EFFECTS__
+function getDel() {
+  if (_del === void 0) {
+    _del = require("./external/del");
+  }
+  return _del;
+}
 const abortSignal = (0, import_process.getAbortSignal)();
 const defaultRemoveOptions = (0, import_objects.objectFreeze)({
   __proto__: null,
@@ -541,9 +548,10 @@ async function safeDelete(filepath, options) {
   }
   const maxRetries = opts.maxRetries ?? defaultRemoveOptions.maxRetries;
   const retryDelay = opts.retryDelay ?? defaultRemoveOptions.retryDelay;
+  const del = /* @__PURE__ */ getDel();
   await (0, import_promises.pRetry)(
     async () => {
-      await (0, import_del.deleteAsync)(patterns, {
+      await del.deleteAsync(patterns, {
         dryRun: false,
         force: shouldForce,
         onlyFiles: false
@@ -582,11 +590,12 @@ function safeDeleteSync(filepath, options) {
   }
   const maxRetries = opts.maxRetries ?? defaultRemoveOptions.maxRetries;
   const retryDelay = opts.retryDelay ?? defaultRemoveOptions.retryDelay;
+  const del = /* @__PURE__ */ getDel();
   let lastError;
   let delay = retryDelay;
   for (let attempt = 0; attempt <= maxRetries; attempt++) {
     try {
-      (0, import_del.deleteSync)(patterns, {
+      del.deleteSync(patterns, {
         dryRun: false,
         force: shouldForce,
         onlyFiles: false

package/dist/globs.js

@@ -1,10 +1,8 @@
 "use strict";
 /* Socket Lib - Built with esbuild */
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -18,14 +16,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var globs_exports = {};
 __export(globs_exports, {
@@ -36,10 +26,24 @@ __export(globs_exports, {
   globSync: () => globSync
 });
 module.exports = __toCommonJS(globs_exports);
-var fastGlob = __toESM(require("./external/fast-glob.js"));
-var import_picomatch = __toESM(require("./external/picomatch.js"));
 var import_objects = require("./objects");
 var import_globs = require("./paths/globs");
+let _fastGlob;
+// @__NO_SIDE_EFFECTS__
+function getFastGlob() {
+  if (_fastGlob === void 0) {
+    _fastGlob = require("./external/fast-glob.js");
+  }
+  return _fastGlob;
+}
+let _picomatch;
+// @__NO_SIDE_EFFECTS__
+function getPicomatch() {
+  if (_picomatch === void 0) {
+    _picomatch = require("./external/picomatch.js");
+  }
+  return _picomatch;
+}
 const defaultIgnore = (0, import_objects.objectFreeze)([
   // Most of these ignored files can be included specifically if included in the
   // files globs. Exceptions to this are:
@@ -95,6 +99,7 @@ function globStreamLicenses(dirname, options) {
   if (ignoreOriginals) {
     ignore.push(import_globs.LICENSE_ORIGINAL_GLOB_RECURSIVE);
   }
+  const fastGlob = /* @__PURE__ */ getFastGlob();
   return fastGlob.globStream(
     [recursive ? import_globs.LICENSE_GLOB_RECURSIVE : import_globs.LICENSE_GLOB],
     {
@@ -142,7 +147,8 @@ function getGlobMatcher(glob2, options) {
     ...options,
     ...negativePatterns.length > 0 ? { ignore: negativePatterns } : {}
   };
-  matcher = (0, import_picomatch.default)(
+  const picomatch = /* @__PURE__ */ getPicomatch();
+  matcher = picomatch(
     positivePatterns.length > 0 ? positivePatterns : patterns,
     matchOptions
   );
@@ -152,10 +158,12 @@ function getGlobMatcher(glob2, options) {
 }
 // @__NO_SIDE_EFFECTS__
 function glob(patterns, options) {
+  const fastGlob = /* @__PURE__ */ getFastGlob();
   return fastGlob.glob(patterns, options);
 }
 // @__NO_SIDE_EFFECTS__
 function globSync(patterns, options) {
+  const fastGlob = /* @__PURE__ */ getFastGlob();
   return fastGlob.globSync(patterns, options);
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/http-request.js

@@ -147,6 +147,15 @@ async function httpDownloadAttempt(url, destPath, options) {
             return;
           }
           const redirectUrl = res.headers.location.startsWith("http") ? res.headers.location : new URL(res.headers.location, url).toString();
+          const redirectParsed = new URL(redirectUrl);
+          if (isHttps && redirectParsed.protocol !== "https:") {
+            reject(
+              new Error(
+                `Redirect from HTTPS to HTTP is not allowed: ${redirectUrl}`
+              )
+            );
+            return;
+          }
           resolve(
             httpDownloadAttempt(redirectUrl, destPath, {
               ca,
@@ -270,6 +279,15 @@ async function httpRequestAttempt(url, options) {
             return;
           }
           const redirectUrl = res.headers.location.startsWith("http") ? res.headers.location : new URL(res.headers.location, url).toString();
+          const redirectParsed = new URL(redirectUrl);
+          if (isHttps && redirectParsed.protocol !== "https:") {
+            reject(
+              new Error(
+                `Redirect from HTTPS to HTTP is not allowed: ${redirectUrl}`
+              )
+            );
+            return;
+          }
           resolve(
             httpRequestAttempt(redirectUrl, {
               body,
@@ -372,8 +390,10 @@ async function httpDownload(url, destPath, options) {
       }
     };
   }
+  const crypto = /* @__PURE__ */ getCrypto();
   const fs = /* @__PURE__ */ getFs();
-  const tempPath = `${destPath}.download`;
+  const tempSuffix = crypto.randomBytes(6).toString("hex");
+  const tempPath = `${destPath}.${tempSuffix}.download`;
   if (fs.existsSync(tempPath)) {
     await (0, import_fs.safeDelete)(tempPath);
   }
@@ -389,14 +409,17 @@ async function httpDownload(url, destPath, options) {
         timeout
       });
       if (sha256) {
-        const crypto = /* @__PURE__ */ getCrypto();
         const fileContent = await fs.promises.readFile(tempPath);
         const computedHash = crypto.createHash("sha256").update(fileContent).digest("hex");
-        if (computedHash !== sha256.toLowerCase()) {
+        const expectedHash = sha256.toLowerCase();
+        if (computedHash.length !== expectedHash.length || !crypto.timingSafeEqual(
+          Buffer.from(computedHash),
+          Buffer.from(expectedHash)
+        )) {
           await (0, import_fs.safeDelete)(tempPath);
           throw new Error(
             `Checksum verification failed for ${url}
-Expected: ${sha256.toLowerCase()}
+Expected: ${expectedHash}
 Computed: ${computedHash}`
           );
         }

package/dist/ipc.js

@@ -116,7 +116,7 @@ async function ensureIpcDirectory(filePath) {
   const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
   const dir = path.dirname(filePath);
-  await fs.promises.mkdir(dir, { recursive: true });
+  await fs.promises.mkdir(dir, { recursive: true, mode: 448 });
 }
 async function writeIpcStub(appName, data) {
   const stubPath = getIpcStubPath(appName);
@@ -128,11 +128,10 @@ async function writeIpcStub(appName, data) {
   };
   const validated = IpcStubSchema.parse(ipcData);
   const fs = /* @__PURE__ */ getFs();
-  await fs.promises.writeFile(
-    stubPath,
-    JSON.stringify(validated, null, 2),
-    "utf8"
-  );
+  await fs.promises.writeFile(stubPath, JSON.stringify(validated, null, 2), {
+    encoding: "utf8",
+    mode: 384
+  });
   return stubPath;
 }
 async function readIpcStub(stubPath) {
@@ -179,6 +178,7 @@ async function cleanupIpcStubs(appName) {
               const contentAge = now - validated.timestamp;
               isStale = isStale || contentAge > maxAgeMs;
             } catch {
+              isStale = true;
             }
             if (isStale) {
               (0, import_fs.safeDeleteSync)(filePath, { force: true });

package/dist/sorts.js

@@ -1,10 +1,8 @@
 "use strict";
 /* Socket Lib - Built with esbuild */
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -18,14 +16,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var sorts_exports = {};
 __export(sorts_exports, {
@@ -36,10 +26,23 @@ __export(sorts_exports, {
   naturalSorter: () => naturalSorter
 });
 module.exports = __toCommonJS(sorts_exports);
-var fastSort = __toESM(require("./external/fast-sort.js"));
-var semver = __toESM(require("./external/semver.js"));
+let _semver;
+function getSemver() {
+  if (_semver === void 0) {
+    _semver = require("./external/semver.js");
+  }
+  return _semver;
+}
+let _fastSort;
+function getFastSort() {
+  if (_fastSort === void 0) {
+    _fastSort = require("./external/fast-sort.js");
+  }
+  return _fastSort;
+}
 // @__NO_SIDE_EFFECTS__
 function compareSemver(a, b) {
+  const semver = getSemver();
   const validA = semver.valid(a);
   const validB = semver.valid(b);
   if (!validA && !validB) {
@@ -90,6 +93,7 @@ let _naturalSorter;
 // @__NO_SIDE_EFFECTS__
 function naturalSorter(arrayToSort) {
   if (_naturalSorter === void 0) {
+    const fastSort = getFastSort();
     _naturalSorter = fastSort.createNewSortInstance({
       comparer: naturalCompare
     });

package/dist/spawn.js

@@ -39,13 +39,20 @@ module.exports = __toCommonJS(spawn_exports);
 var import_node_process = __toESM(require("node:process"));
 var import_process = require("./constants/process");
 var import_errors = require("./errors");
-var import_promise_spawn = __toESM(require("./external/@npmcli/promise-spawn"));
 var import_arrays = require("./arrays");
 var import_bin = require("./bin");
 var import_normalize = require("./paths/normalize");
 var import_objects = require("./objects");
 var import_spinner = require("./spinner");
 var import_strings = require("./strings");
+let _npmCliPromiseSpawn;
+// @__NO_SIDE_EFFECTS__
+function getNpmCliPromiseSpawn() {
+  if (_npmCliPromiseSpawn === void 0) {
+    _npmCliPromiseSpawn = require("./external/@npmcli/promise-spawn");
+  }
+  return _npmCliPromiseSpawn;
+}
 let _path;
 // @__NO_SIDE_EFFECTS__
 function getPath() {
@@ -235,7 +242,8 @@ function spawn(cmd, args, options, extra) {
     uid: spawnOptions.uid,
     gid: spawnOptions.gid
   };
-  const spawnPromise = (0, import_promise_spawn.default)(
+  const npmCliPromiseSpawn = /* @__PURE__ */ getNpmCliPromiseSpawn();
+  const spawnPromise = npmCliPromiseSpawn(
     actualCmd,
     args ? [...args] : [],
     promiseSpawnOpts,

package/dist/strings.js

@@ -37,7 +37,14 @@ __export(strings_exports, {
 });
 module.exports = __toCommonJS(strings_exports);
 var import_ansi = require("./ansi");
-var import_get_east_asian_width = require("./external/get-east-asian-width");
+let _eastAsianWidth;
+// @__NO_SIDE_EFFECTS__
+function getEastAsianWidth() {
+  if (_eastAsianWidth === void 0) {
+    _eastAsianWidth = require("./external/get-east-asian-width").eastAsianWidth;
+  }
+  return _eastAsianWidth;
+}
 const fromCharCode = String.fromCharCode;
 // @__NO_SIDE_EFFECTS__
 function applyLinePrefix(str, options) {
@@ -164,6 +171,7 @@ function stringWidth(text) {
   }
   let width = 0;
   const eastAsianWidthOptions = { ambiguousAsWide: false };
+  const eastAsianWidth = /* @__PURE__ */ getEastAsianWidth();
   for (const { segment } of segmenter.segment(plainText)) {
     if (zeroWidthClusterRegex.test(segment)) {
       continue;
@@ -177,14 +185,14 @@ function stringWidth(text) {
     if (codePoint === void 0) {
       continue;
     }
-    width += (0, import_get_east_asian_width.eastAsianWidth)(codePoint, eastAsianWidthOptions);
+    width += eastAsianWidth(codePoint, eastAsianWidthOptions);
     if (segment.length > 1) {
       for (const char of segment.slice(1)) {
         const charCode = char.charCodeAt(0);
         if (charCode >= 65280 && charCode <= 65519) {
           const trailingCodePoint = char.codePointAt(0);
           if (trailingCodePoint !== void 0) {
-            width += (0, import_get_east_asian_width.eastAsianWidth)(trailingCodePoint, eastAsianWidthOptions);
+            width += eastAsianWidth(trailingCodePoint, eastAsianWidthOptions);
           }
         }
       }

package/dist/versions.js

@@ -1,10 +1,8 @@
 "use strict";
 /* Socket Lib - Built with esbuild */
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -18,14 +16,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var versions_exports = {};
 __export(versions_exports, {
@@ -51,61 +41,83 @@ __export(versions_exports, {
   versionDiff: () => versionDiff
 });
 module.exports = __toCommonJS(versions_exports);
-var semver = __toESM(require("./external/semver.js"));
+let _semver;
+function getSemver() {
+  if (_semver === void 0) {
+    _semver = require("./external/semver.js");
+  }
+  return _semver;
+}
 function coerceVersion(version) {
+  const semver = getSemver();
   const coerced = semver.coerce(version);
   return coerced?.version;
 }
 function compareVersions(v1, v2) {
   try {
+    const semver = getSemver();
     return semver.compare(v1, v2);
   } catch {
     return void 0;
   }
 }
 function filterVersions(versions, range) {
+  const semver = getSemver();
   return versions.filter((v) => semver.satisfies(v, range));
 }
 function getMajorVersion(version) {
+  const semver = getSemver();
   const parsed = semver.parse(version);
   return parsed?.major;
 }
 function getMinorVersion(version) {
+  const semver = getSemver();
   const parsed = semver.parse(version);
   return parsed?.minor;
 }
 function getPatchVersion(version) {
+  const semver = getSemver();
   const parsed = semver.parse(version);
   return parsed?.patch;
 }
 function incrementVersion(version, release, identifier) {
+  const semver = getSemver();
   return semver.inc(version, release, identifier) || void 0;
 }
 function isEqual(version1, version2) {
+  const semver = getSemver();
   return semver.eq(version1, version2);
 }
 function isGreaterThan(version1, version2) {
+  const semver = getSemver();
   return semver.gt(version1, version2);
 }
 function isGreaterThanOrEqual(version1, version2) {
+  const semver = getSemver();
   return semver.gte(version1, version2);
 }
 function isLessThan(version1, version2) {
+  const semver = getSemver();
   return semver.lt(version1, version2);
 }
 function isLessThanOrEqual(version1, version2) {
+  const semver = getSemver();
   return semver.lte(version1, version2);
 }
 function isValidVersion(version) {
+  const semver = getSemver();
   return semver.valid(version) !== null;
 }
 function maxVersion(versions) {
+  const semver = getSemver();
   return semver.maxSatisfying(versions, "*") || void 0;
 }
 function minVersion(versions) {
+  const semver = getSemver();
   return semver.minSatisfying(versions, "*") || void 0;
 }
 function parseVersion(version) {
+  const semver = getSemver();
   const parsed = semver.parse(version);
   if (!parsed) {
     return void 0;
@@ -119,16 +131,20 @@ function parseVersion(version) {
   };
 }
 function satisfiesVersion(version, range) {
+  const semver = getSemver();
   return semver.satisfies(version, range);
 }
 function sortVersions(versions) {
+  const semver = getSemver();
   return semver.sort([...versions]);
 }
 function sortVersionsDesc(versions) {
+  const semver = getSemver();
   return semver.rsort([...versions]);
 }
 function versionDiff(version1, version2) {
   try {
+    const semver = getSemver();
     return semver.diff(version1, version2) || void 0;
   } catch {
     return void 0;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.11.3",
+  "version": "5.11.4",
   "packageManager": "pnpm@10.33.0",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
@@ -734,7 +734,7 @@
     "@socketregistry/is-unicode-supported": "1.0.5",
     "@socketregistry/packageurl-js": "1.3.5",
     "@socketregistry/yocto-spinner": "1.0.25",
-    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.11.2",
+    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.11.3",
     "@types/node": "24.9.2",
     "@typescript/native-preview": "7.0.0-dev.20250920.1",
     "@vitest/coverage-v8": "4.0.3",
@@ -807,6 +807,7 @@
       "@sigstore/core": "3.1.0",
       "@sigstore/sign": "4.1.0",
       "ansi-regex": "6.2.2",
+      "brace-expansion": "5.0.5",
       "chownr": "3.0.0",
       "debug": "4.4.3",
       "execa": "5.1.1",
@@ -814,7 +815,7 @@
       "hosted-git-info": "8.1.0",
       "isexe": "3.1.1",
       "lru-cache": "11.2.2",
-      "minimatch": "9.0.5",
+      "minimatch": "9.0.6",
       "minipass": "7.1.3",
       "minipass-fetch": "4.0.1",
       "minipass-sized": "1.0.3",