@socketsecurity/lib 5.11.3 → 5.12.0

package/CHANGELOG.md

@@ -5,6 +5,37 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.12.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.12.0) - 2026-04-04
+
+### Added — http-request
+
+- Lifecycle hooks (`onRequest`/`onResponse`) on `HttpRequestOptions` (#133)
+  - Fire per-attempt — retries and redirects each trigger separate hook calls
+  - `HttpHooks`, `HttpHookRequestInfo`, `HttpHookResponseInfo` types exported
+- `maxResponseSize` option to reject responses exceeding a byte limit
+  - Works through redirects, `httpJson`, and `httpText`
+- `rawResponse` property on `HttpResponse` exposing the underlying `IncomingMessage`
+- `enrichErrorMessage()` exported for reusable error enrichment
+
+### Changed — http-request
+
+- Error messages now include HTTP method and URL for easier debugging
+- `HttpResponse.headers` type changed from `Record<string, string | string[] | undefined>` to `IncomingHttpHeaders`
+
+## [5.11.4](https://github.com/SocketDev/socket-lib/releases/tag/v5.11.4) - 2026-03-28
+
+### Changed
+
+- **perf**: Lazy-load heavy external sub-bundles across 7 modules (#119)
+  - `sorts.ts`: Defer semver (2.5 MB via npm-pack) and fastSort until first use
+  - `versions.ts`: Defer semver until first use
+  - `archives.ts`: Defer adm-zip (102 KB) and tar-fs (105 KB) until extraction
+  - `globs.ts`: Defer fast-glob and picomatch (260 KB via pico-pack) until glob execution
+  - `fs.ts`: Defer del (260 KB via pico-pack) until safeDelete call
+  - `spawn.ts`: Defer @npmcli/promise-spawn (17 KB) until async spawn
+  - `strings.ts`: Defer get-east-asian-width (10 KB) until stringWidth call
+- Importing lightweight exports (isObject, httpJson, localeCompare, readJsonSync, stripAnsi) no longer loads heavy externals at module init time
+
 ## [5.11.3](https://github.com/SocketDev/socket-lib/releases/tag/v5.11.3) - 2026-03-26
 
 ### Fixed

package/dist/archives.d.ts

@@ -10,6 +10,8 @@ export interface ExtractOptions {
     quiet?: boolean;
     /** Strip leading path components (like tar --strip-components) */
     strip?: number;
+    /** Maximum number of entries to extract (default: 100,000) */
+    maxEntries?: number;
     /** Maximum size of a single extracted file in bytes (default: 100MB) */
     maxFileSize?: number;
     /** Maximum total extracted size in bytes (default: 1GB) */

package/dist/archives.js

@@ -40,10 +40,24 @@ var import_node_fs = require("node:fs");
 var import_promises = require("node:stream/promises");
 var import_node_zlib = require("node:zlib");
 var import_node_process = __toESM(require("node:process"));
-var import_adm_zip = __toESM(require("./external/adm-zip.js"));
-var import_tar_fs = __toESM(require("./external/tar-fs.js"));
 var import_fs = require("./fs.js");
 var import_normalize = require("./paths/normalize.js");
+let _AdmZip;
+// @__NO_SIDE_EFFECTS__
+function getAdmZip() {
+  if (_AdmZip === void 0) {
+    _AdmZip = require("./external/adm-zip.js");
+  }
+  return _AdmZip;
+}
+let _tarFs;
+// @__NO_SIDE_EFFECTS__
+function getTarFs() {
+  if (_tarFs === void 0) {
+    _tarFs = require("./external/tar-fs.js");
+  }
+  return _tarFs;
+}
 let _path;
 // @__NO_SIDE_EFFECTS__
 function getPath() {
@@ -54,6 +68,7 @@ function getPath() {
 }
 const DEFAULT_MAX_FILE_SIZE = 100 * 1024 * 1024;
 const DEFAULT_MAX_TOTAL_SIZE = 1024 * 1024 * 1024;
+const DEFAULT_MAX_ENTRIES = 1e5;
 function validatePathWithinBase(targetPath, baseDir, entryName) {
   const path = /* @__PURE__ */ getPath();
   const resolvedTarget = path.resolve(targetPath);
@@ -82,6 +97,7 @@ function detectArchiveFormat(filePath) {
 }
 async function extractTar(archivePath, outputDir, options = {}) {
   const {
+    maxEntries = DEFAULT_MAX_ENTRIES,
     maxFileSize = DEFAULT_MAX_FILE_SIZE,
     maxTotalSize = DEFAULT_MAX_TOTAL_SIZE,
     strip = 0
@@ -89,12 +105,37 @@ async function extractTar(archivePath, outputDir, options = {}) {
   const normalizedOutputDir = (0, import_normalize.normalizePath)(outputDir);
   await (0, import_fs.safeMkdir)(normalizedOutputDir);
   let totalExtractedSize = 0;
+  let entryCount = 0;
   let destroyScheduled = false;
-  const extractStream = import_tar_fs.default.extract(normalizedOutputDir, {
+  const tarFs = /* @__PURE__ */ getTarFs();
+  const extractStream = tarFs.extract(normalizedOutputDir, {
     map: (header) => {
       if (destroyScheduled) {
         return header;
       }
+      entryCount += 1;
+      if (entryCount > maxEntries) {
+        destroyScheduled = true;
+        import_node_process.default.nextTick(() => {
+          extractStream.destroy(
+            new Error(
+              `Archive has too many entries: exceeded limit of ${maxEntries}`
+            )
+          );
+        });
+        return header;
+      }
+      if (header.name.includes("\0")) {
+        destroyScheduled = true;
+        import_node_process.default.nextTick(() => {
+          extractStream.destroy(
+            new Error(
+              `Invalid null byte in archive entry name: ${header.name}`
+            )
+          );
+        });
+        return header;
+      }
       if (header.type === "symlink" || header.type === "link") {
         destroyScheduled = true;
         import_node_process.default.nextTick(() => {
@@ -147,6 +188,7 @@ async function extractTar(archivePath, outputDir, options = {}) {
 }
 async function extractTarGz(archivePath, outputDir, options = {}) {
   const {
+    maxEntries = DEFAULT_MAX_ENTRIES,
     maxFileSize = DEFAULT_MAX_FILE_SIZE,
     maxTotalSize = DEFAULT_MAX_TOTAL_SIZE,
     strip = 0
@@ -154,12 +196,37 @@ async function extractTarGz(archivePath, outputDir, options = {}) {
   const normalizedOutputDir = (0, import_normalize.normalizePath)(outputDir);
   await (0, import_fs.safeMkdir)(normalizedOutputDir);
   let totalExtractedSize = 0;
+  let entryCount = 0;
   let destroyScheduled = false;
-  const extractStream = import_tar_fs.default.extract(normalizedOutputDir, {
+  const tarFs = /* @__PURE__ */ getTarFs();
+  const extractStream = tarFs.extract(normalizedOutputDir, {
     map: (header) => {
       if (destroyScheduled) {
         return header;
       }
+      entryCount += 1;
+      if (entryCount > maxEntries) {
+        destroyScheduled = true;
+        import_node_process.default.nextTick(() => {
+          extractStream.destroy(
+            new Error(
+              `Archive has too many entries: exceeded limit of ${maxEntries}`
+            )
+          );
+        });
+        return header;
+      }
+      if (header.name.includes("\0")) {
+        destroyScheduled = true;
+        import_node_process.default.nextTick(() => {
+          extractStream.destroy(
+            new Error(
+              `Invalid null byte in archive entry name: ${header.name}`
+            )
+          );
+        });
+        return header;
+      }
       if (header.type === "symlink" || header.type === "link") {
         destroyScheduled = true;
         import_node_process.default.nextTick(() => {
@@ -212,20 +279,32 @@ async function extractTarGz(archivePath, outputDir, options = {}) {
 }
 async function extractZip(archivePath, outputDir, options = {}) {
   const {
+    maxEntries = DEFAULT_MAX_ENTRIES,
     maxFileSize = DEFAULT_MAX_FILE_SIZE,
     maxTotalSize = DEFAULT_MAX_TOTAL_SIZE,
     strip = 0
   } = options;
   const normalizedOutputDir = (0, import_normalize.normalizePath)(outputDir);
   await (0, import_fs.safeMkdir)(normalizedOutputDir);
-  const zip = new import_adm_zip.default(archivePath);
+  const AdmZip = /* @__PURE__ */ getAdmZip();
+  const zip = new AdmZip(archivePath);
   const path = /* @__PURE__ */ getPath();
   const entries = zip.getEntries();
+  if (entries.length > maxEntries) {
+    throw new Error(
+      `Archive has too many entries: ${entries.length} (limit: ${maxEntries})`
+    );
+  }
   let totalExtractedSize = 0;
   for (const entry of entries) {
     if (entry.isDirectory) {
       continue;
     }
+    if (entry.entryName.includes("\0")) {
+      throw new Error(
+        `Invalid null byte in archive entry name: ${entry.entryName}`
+      );
+    }
     const uncompressedSize = entry.header.size;
     if (uncompressedSize > maxFileSize) {
       throw new Error(

package/dist/dlx/binary.js

@@ -306,11 +306,17 @@ Check your internet connection or verify the URL is accessible.`,
       const fileBuffer = await fs.promises.readFile(destPath);
       const hash = crypto.createHash("sha512").update(fileBuffer).digest("base64");
       const actualIntegrity = `sha512-${hash}`;
-      if (integrity && actualIntegrity !== integrity) {
-        await (0, import_fs.safeDelete)(destPath);
-        throw new Error(
-          `Integrity mismatch: expected ${integrity}, got ${actualIntegrity}`
+      if (integrity) {
+        const integrityMatch = actualIntegrity.length === integrity.length && crypto.timingSafeEqual(
+          Buffer.from(actualIntegrity),
+          Buffer.from(integrity)
         );
+        if (!integrityMatch) {
+          await (0, import_fs.safeDelete)(destPath);
+          throw new Error(
+            `Integrity mismatch: expected ${integrity}, got ${actualIntegrity}`
+          );
+        }
       }
       if (!import_platform.WIN32) {
         await fs.promises.chmod(destPath, 493);