@socketsecurity/lib 5.19.0 → 5.20.1

package/CHANGELOG.md

@@ -5,6 +5,50 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.20.1](https://github.com/SocketDev/socket-lib/releases/tag/v5.20.1) - 2026-04-19
+
+### Fixed
+
+- `src/ipc.ts`: harden stub-file writes against local symlink/TOCTOU. Previously `writeIpcStub` used `mkdir {recursive, mode: 0o700}` + `writeFile`, which on multi-user Linux (`/tmp` sticky-bit but world-writable) let a pre-positioned attacker-owned `.socket-ipc/<app>/` survive the mode argument and redirect the subsequent `writeFile` through symlinks to victim files. Now validates directory ownership + mode on POSIX after `mkdir`, then opens the stub with `O_CREAT | O_WRONLY | O_EXCL | O_NOFOLLOW` so pre-existing inodes trigger EEXIST and final-component symlinks trigger ELOOP rather than silent file overwrite
+- `src/cache-with-ttl.ts` `getOrFetch()` — the inflight-map check ran _after_ `await get(key)`, so two concurrent cold-cache callers both suspended on the same disk read, both saw no cached value, both skipped the inflight check, and both fired `fetcher()`. Moves the inflight check before the persistent-cache lookup (with a re-check afterward) so the advertised dedupe guarantee actually holds
+- `src/cache-with-ttl.ts` — cap the in-memory `memoCache` with LRU eviction (`memoMaxSize`, default 1000). Previously a long-running process (devserver, editor extension) querying many distinct keys grew memory without bound — expired entries were only reclaimed when the same key was read again
+- `src/memoization.ts` `memoizeAsync()` — `entry.timestamp` was set when a cache miss STARTED its `fn(...)` call, so a fn taking longer than `ttl` produced a value classified as expired the moment it resolved; every subsequent caller past the first ttl window re-fetched instead of hitting the cache. Now refreshes the timestamp in the resolve handler. Also bumps `accessOrder` on the stale-dedup branch so an entry mid-refresh isn't evicted while a peer is computing on its behalf
+- `src/tables.ts` — `displayWidth` measured columns by `.length` of the ANSI-stripped string, i.e. UTF-16 code units rather than rendered terminal cells. CJK, emoji, and combined code points misaligned tables. Routes measurement through `stringWidth` (Intl.Segmenter + East Asian Width)
+- `src/paths/packages.ts` — `resolvePackageJsonDirname` / `resolvePackageJsonPath` gated on `filepath.endsWith('package.json')`, which misidentified any file whose name ended in that suffix (e.g. `/foo/my-package.json`) as a manifest. Now checks for the literal final segment
+- `src/json/edit.ts` — `@example` for `getEditableJsonClass` imported from `@socketsecurity/lib/json`, which is not a package export; fixed to `@socketsecurity/lib/json/edit`
+
+## [5.20.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.20.0) - 2026-04-19
+
+### Added — validation
+
+- `@socketsecurity/lib/validation/validate-schema` — universal validator that accepts any Zod-style schema (Zod v3/v4, or any `safeParse`-shaped duck type) and returns a tagged `{ ok: true, value } | { ok: false, errors }` result with normalized `{ path, message }` issues. Type inference flows through: callers get `z.infer<…>`, no casts. Zod is detected purely structurally via `.safeParse` — no runtime import of the `zod` package required
+- `parseSchema(schema, data)` — throwing twin of `validateSchema` for fail-fast trust-boundary validation
+- `Infer<S>`, `ValidateResult<T>`, `ValidationIssue`, `AnySchema` — supporting types exported alongside the helpers
+
+### Fixed
+
+- `src/promise-queue.ts`: wrap `task.fn()` invocation via `Promise.resolve().then()` so a **synchronous** throw inside a queued task converts to a proper rejection on `task.reject` instead of escaping as an uncaught exception
+- `src/stdio/progress.ts` `formatTime()`: clamp negative milliseconds so an over-ticking or clock-skewed progress bar no longer renders a negative ETA like `-1m59s`
+- `src/dlx/lockfile.ts`: wrap the scratch-directory cleanup in `finally` with its own `try/catch` so a cleanup failure cannot clobber the real exception from the main try-block
+- `src/dlx/package.ts` `parsePackageSpec`: normalize a bare trailing `@` (e.g. `"pkg@"`) to `version: undefined` so downstream "no version provided" checks behave consistently
+- `src/stdio/prompts.ts`: tighten the `selectModule` destructure type to the two properties actually used (`default`, `Separator`) instead of an `as any` cast
+- `src/http-request.ts`: hoist `CHECKSUM_BSD_RE` and `CHECKSUM_GNU_RE` regex literals to module scope so `parseChecksums()` no longer re-declares them once per line inside its loop
+- `src/dlx/manifest.ts`: correct the `@fileoverview` "Primary API" list to match the actual `DlxManifest` methods (`get/set/clear/clearAll/isFresh/getManifestEntry`) and flag `setPackageEntry` / `setBinaryEntry` as deprecated
+
+## [5.19.1](https://github.com/SocketDev/socket-lib/releases/tag/v5.19.1) - 2026-04-19
+
+### Fixed — stdio (restore accidentally-dropped modules)
+
+5.19.0 shipped a breaking change that was not called out in its changelog or version bump: a refactor commit removed `stdio/prompts`, `stdio/progress`, `stdio/clear`, and the vendored `external/@inquirer/*` shims. socket-cli and other consumers import `stdio/prompts` directly and broke on upgrade.
+
+Restored:
+
+- `@socketsecurity/lib/stdio/prompts` — inquirer wrappers (`password`, `confirm`, `input`, `select`, `checkbox`, `search`)
+- `@socketsecurity/lib/stdio/progress` — progress-bar utility (`ProgressBar` class)
+- `@socketsecurity/lib/stdio/clear` — terminal line/screen/cursor helpers
+- `src/external/@inquirer/{checkbox,confirm,input,password,search,select}.js` vendor shims
+- Corresponding test suites
+
 ## [5.19.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.19.0) - 2026-04-19
 
 ### Added — dlx/integrity (new module)

package/dist/cache-with-ttl.d.ts

@@ -126,6 +126,13 @@ export interface TtlCacheOptions {
      * @default true
      */
     memoize?: boolean | undefined;
+    /**
+     * Maximum number of entries to keep in the in-memory memo cache. When
+     * exceeded, the least-recently-used entry is evicted. The persistent
+     * (cacache) layer is unaffected.
+     * @default 1000
+     */
+    memoMaxSize?: number | undefined;
     /**
      * Custom cache key prefix.
      * Must not contain wildcards (*).

package/dist/cache-with-ttl.js

@@ -36,10 +36,12 @@ module.exports = __toCommonJS(cache_with_ttl_exports);
 var cacache = __toESM(require("./cacache"));
 const DEFAULT_TTL_MS = 5 * 60 * 1e3;
 const DEFAULT_PREFIX = "ttl-cache";
+const DEFAULT_MEMO_MAX_SIZE = 1e3;
 function createTtlCache(options) {
   const opts = {
     __proto__: null,
     memoize: true,
+    memoMaxSize: DEFAULT_MEMO_MAX_SIZE,
     prefix: DEFAULT_PREFIX,
     ttl: DEFAULT_TTL_MS,
     ...options
@@ -50,6 +52,18 @@ function createTtlCache(options) {
     );
   }
   const memoCache = /* @__PURE__ */ new Map();
+  const memoMaxSize = Math.max(1, opts.memoMaxSize ?? DEFAULT_MEMO_MAX_SIZE);
+  function memoSet(fullKey, entry) {
+    if (memoCache.has(fullKey)) {
+      memoCache.delete(fullKey);
+    } else if (memoCache.size >= memoMaxSize) {
+      const oldest = memoCache.keys().next().value;
+      if (oldest !== void 0) {
+        memoCache.delete(oldest);
+      }
+    }
+    memoCache.set(fullKey, entry);
+  }
   const ttl = opts.ttl ?? DEFAULT_TTL_MS;
   function buildKey(key) {
     return `${opts.prefix}:${key}`;
@@ -83,6 +97,7 @@ function createTtlCache(options) {
     if (opts.memoize) {
       const memoEntry = memoCache.get(fullKey);
       if (memoEntry && !isExpired(memoEntry)) {
+        memoSet(fullKey, memoEntry);
         return memoEntry.data;
       }
       if (memoEntry) {
@@ -103,7 +118,7 @@ function createTtlCache(options) {
       }
       if (!isExpired(entry)) {
         if (opts.memoize) {
-          memoCache.set(fullKey, entry);
+          memoSet(fullKey, entry);
         }
         return entry.data;
       }
@@ -158,7 +173,7 @@ function createTtlCache(options) {
         }
         results.set(originalKey, parsed.data);
         if (opts.memoize) {
-          memoCache.set(cacheEntry.key, parsed);
+          memoSet(cacheEntry.key, parsed);
         }
       } catch {
       }
@@ -177,7 +192,7 @@ function createTtlCache(options) {
       expiresAt: Date.now() + ttl
     };
     if (opts.memoize) {
-      memoCache.set(fullKey, entry);
+      memoSet(fullKey, entry);
     }
     try {
       await cacache.put(fullKey, JSON.stringify(entry), {
@@ -188,14 +203,18 @@ function createTtlCache(options) {
   }
   const inflightRequests = /* @__PURE__ */ new Map();
   async function getOrFetch(key, fetcher) {
+    const fullKey = buildKey(key);
+    const preexisting = inflightRequests.get(fullKey);
+    if (preexisting) {
+      return await preexisting;
+    }
     const cached = await get(key);
     if (cached !== void 0) {
       return cached;
     }
-    const fullKey = buildKey(key);
-    const existing = inflightRequests.get(fullKey);
-    if (existing) {
-      return await existing;
+    const rechecked = inflightRequests.get(fullKey);
+    if (rechecked) {
+      return await rechecked;
     }
     const promise = (async () => {
       try {

package/dist/constants/socket.js

@@ -77,7 +77,7 @@ const SOCKET_FIREWALL_APP_NAME = "sfw";
 const SOCKET_REGISTRY_APP_NAME = "registry";
 const SOCKET_APP_PREFIX = "_";
 const SOCKET_LIB_NAME = "@socketsecurity/lib";
-const SOCKET_LIB_VERSION = "5.19.0";
+const SOCKET_LIB_VERSION = "5.20.1";
 const SOCKET_LIB_URL = "https://github.com/SocketDev/socket-lib";
 const SOCKET_LIB_USER_AGENT = `socketsecurity-lib/${SOCKET_LIB_VERSION} (${SOCKET_LIB_URL})`;
 const SOCKET_IPC_HANDSHAKE = "SOCKET_IPC_HANDSHAKE";

package/dist/dlx/lockfile.js

@@ -128,7 +128,10 @@ async function generatePackagePin(options) {
       lockfile: ideal.lockfile
     };
   } finally {
-    await (0, import_fs.safeDelete)(scratch, { force: true });
+    try {
+      await (0, import_fs.safeDelete)(scratch, { force: true });
+    } catch {
+    }
   }
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/dlx/manifest.d.ts

@@ -3,10 +3,16 @@
  * Manages persistent caching of DLX package and binary metadata with TTL support
  * and atomic file operations.
  *
- * Key Functions:
- * - getManifestEntry: Retrieve manifest entry by spec
- * - setPackageEntry: Store npm package metadata
- * - setBinaryEntry: Store binary download metadata
+ * Primary API (on {@link DlxManifest}):
+ * - `getManifestEntry(spec)` — retrieve a manifest entry by spec
+ * - `setPackageEntry(spec, key, details)` — store npm package metadata
+ * - `setBinaryEntry(spec, key, details)` — store binary download metadata
+ * - `getAllPackages()` — enumerate cached package names
+ * - `clear(name)` / `clearAll()` — eviction
+ * - `isFresh(record, ttlMs)` — TTL check
+ *
+ * The bare `get(name)` / `set(name, record)` methods are deprecated
+ * legacy shims kept for backward compatibility with pre-5.x callers.
  *
  * Features:
  * - TTL-based cache expiration

package/dist/dlx/package.d.ts

@@ -136,7 +136,7 @@ export interface DlxPackageResult {
  * await result.spawnPromise
  * ```
  */
-export declare function dlxPackage(args: readonly string[] | string[], options?: DlxPackageOptions | undefined, spawnExtra?: SpawnExtra | undefined): Promise<DlxPackageResult>;
+export declare function dlxPackage(args: readonly string[] | string[], options: DlxPackageOptions, spawnExtra?: SpawnExtra | undefined): Promise<DlxPackageResult>;
 /**
  * Download and install a package without executing it.
  * This is useful for self-update or when you need the package files

package/dist/dlx/package.js

@@ -141,7 +141,7 @@ async function dlxPackage(args, options, spawnExtra) {
   const spawnPromise = executePackage(
     downloadResult.binaryPath,
     args,
-    options?.spawnOptions,
+    options.spawnOptions,
     spawnExtra
   );
   return {
@@ -414,9 +414,12 @@ function parsePackageSpec(spec) {
     if (atIndex === -1 || atIndex === 0) {
       return { name: spec, version: void 0 };
     }
+    const sliced = spec.slice(atIndex + 1);
     return {
       name: spec.slice(0, atIndex),
-      version: spec.slice(atIndex + 1)
+      // A trailing `@` (e.g. `'pkg@'`) yields an empty slice — normalize
+      // to undefined so downstream "no version" checks behave.
+      version: sliced || void 0
     };
   }
 }

package/dist/external/@inquirer/checkbox.js

@@ -0,0 +1,5 @@
+'use strict'
+
+// Re-export from external-pack bundle for better deduplication.
+const { checkbox } = require('../external-pack')
+module.exports = checkbox

package/dist/external/@inquirer/confirm.js

@@ -0,0 +1,5 @@
+'use strict'
+
+// Re-export from external-pack bundle for better deduplication.
+const { confirm } = require('../external-pack')
+module.exports = confirm

package/dist/external/@inquirer/input.js

@@ -0,0 +1,5 @@
+'use strict'
+
+// Re-export from external-pack bundle for better deduplication.
+const { input } = require('../external-pack')
+module.exports = input

package/dist/external/@inquirer/password.js

@@ -0,0 +1,5 @@
+'use strict'
+
+// Re-export from external-pack bundle for better deduplication.
+const { password } = require('../external-pack')
+module.exports = password

package/dist/external/@inquirer/search.js

@@ -0,0 +1,5 @@
+'use strict'
+
+// Re-export from external-pack bundle for better deduplication.
+const { search } = require('../external-pack')
+module.exports = search

package/dist/external/@inquirer/select.js

@@ -0,0 +1,5 @@
+'use strict'
+
+// Re-export from external-pack bundle for better deduplication.
+const { select } = require('../external-pack')
+module.exports = select

package/dist/external/@npmcli/package-json/lib/read-package.js

@@ -3,6 +3,7 @@
  * Bundled from @npmcli/package-json/lib/read-package.js
  * This is a zero-dependency bundle created by esbuild.
  */
+"use strict";
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
@@ -119,36 +120,43 @@ var require_lib = __commonJS({
 });
 
 // node_modules/.pnpm/@npmcli+package-json@7.0.0/node_modules/@npmcli/package-json/lib/read-package.js
-var { readFile } = require("fs/promises");
-var parseJSON = require_lib();
-async function read(filename) {
-  try {
-    const data = await readFile(filename, "utf8");
-    return data;
-  } catch (err) {
-    err.message = `Could not read package.json: ${err}`;
-    throw err;
-  }
-}
-__name(read, "read");
-function parse(data) {
-  try {
-    const content = parseJSON(data);
-    return content;
-  } catch (err) {
-    err.message = `Invalid package.json: ${err}`;
-    throw err;
+var require_read_package = __commonJS({
+  "node_modules/.pnpm/@npmcli+package-json@7.0.0/node_modules/@npmcli/package-json/lib/read-package.js"(exports2, module2) {
+    var { readFile } = require("fs/promises");
+    var parseJSON = require_lib();
+    async function read(filename) {
+      try {
+        const data = await readFile(filename, "utf8");
+        return data;
+      } catch (err) {
+        err.message = `Could not read package.json: ${err}`;
+        throw err;
+      }
+    }
+    __name(read, "read");
+    function parse(data) {
+      try {
+        const content = parseJSON(data);
+        return content;
+      } catch (err) {
+        err.message = `Invalid package.json: ${err}`;
+        throw err;
+      }
+    }
+    __name(parse, "parse");
+    async function readPackage(filename) {
+      const data = await read(filename);
+      const content = parse(data);
+      return content;
+    }
+    __name(readPackage, "readPackage");
+    module2.exports = {
+      read,
+      parse,
+      readPackage
+    };
   }
-}
-__name(parse, "parse");
-async function readPackage(filename) {
-  const data = await read(filename);
-  const content = parse(data);
-  return content;
-}
-__name(readPackage, "readPackage");
-module.exports = {
-  read,
-  parse,
-  readPackage
-};
+});
+
+// src/external/@npmcli/package-json/lib/read-package.js
+module.exports = require_read_package();

package/dist/external/@npmcli/package-json/lib/sort.js

@@ -3,99 +3,111 @@
  * Bundled from @npmcli/package-json/lib/sort.js
  * This is a zero-dependency bundle created by esbuild.
  */
+"use strict";
 var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
 
 // node_modules/.pnpm/@npmcli+package-json@7.0.0/node_modules/@npmcli/package-json/lib/sort.js
-function packageSort(json) {
-  const {
-    name,
-    version,
-    private: isPrivate,
-    description,
-    keywords,
-    homepage,
-    bugs,
-    repository,
-    funding,
-    license,
-    author,
-    maintainers,
-    contributors,
-    type,
-    imports,
-    exports: exports2,
-    main,
-    browser,
-    types,
-    bin,
-    man,
-    directories,
-    files,
-    workspaces,
-    scripts,
-    config,
-    dependencies,
-    devDependencies,
-    peerDependencies,
-    peerDependenciesMeta,
-    optionalDependencies,
-    bundledDependencies,
-    bundleDependencies,
-    engines,
-    os,
-    cpu,
-    publishConfig,
-    devEngines,
-    licenses,
-    overrides,
-    ...rest
-  } = json;
-  return {
-    ...typeof name !== "undefined" ? { name } : {},
-    ...typeof version !== "undefined" ? { version } : {},
-    ...typeof isPrivate !== "undefined" ? { private: isPrivate } : {},
-    ...typeof description !== "undefined" ? { description } : {},
-    ...typeof keywords !== "undefined" ? { keywords } : {},
-    ...typeof homepage !== "undefined" ? { homepage } : {},
-    ...typeof bugs !== "undefined" ? { bugs } : {},
-    ...typeof repository !== "undefined" ? { repository } : {},
-    ...typeof funding !== "undefined" ? { funding } : {},
-    ...typeof license !== "undefined" ? { license } : {},
-    ...typeof author !== "undefined" ? { author } : {},
-    ...typeof maintainers !== "undefined" ? { maintainers } : {},
-    ...typeof contributors !== "undefined" ? { contributors } : {},
-    ...typeof type !== "undefined" ? { type } : {},
-    ...typeof imports !== "undefined" ? { imports } : {},
-    ...typeof exports2 !== "undefined" ? { exports: exports2 } : {},
-    ...typeof main !== "undefined" ? { main } : {},
-    ...typeof browser !== "undefined" ? { browser } : {},
-    ...typeof types !== "undefined" ? { types } : {},
-    ...typeof bin !== "undefined" ? { bin } : {},
-    ...typeof man !== "undefined" ? { man } : {},
-    ...typeof directories !== "undefined" ? { directories } : {},
-    ...typeof files !== "undefined" ? { files } : {},
-    ...typeof workspaces !== "undefined" ? { workspaces } : {},
-    ...typeof scripts !== "undefined" ? { scripts } : {},
-    ...typeof config !== "undefined" ? { config } : {},
-    ...typeof dependencies !== "undefined" ? { dependencies } : {},
-    ...typeof devDependencies !== "undefined" ? { devDependencies } : {},
-    ...typeof peerDependencies !== "undefined" ? { peerDependencies } : {},
-    ...typeof peerDependenciesMeta !== "undefined" ? { peerDependenciesMeta } : {},
-    ...typeof optionalDependencies !== "undefined" ? { optionalDependencies } : {},
-    ...typeof bundledDependencies !== "undefined" ? { bundledDependencies } : {},
-    ...typeof bundleDependencies !== "undefined" ? { bundleDependencies } : {},
-    ...typeof engines !== "undefined" ? { engines } : {},
-    ...typeof os !== "undefined" ? { os } : {},
-    ...typeof cpu !== "undefined" ? { cpu } : {},
-    ...typeof publishConfig !== "undefined" ? { publishConfig } : {},
-    ...typeof devEngines !== "undefined" ? { devEngines } : {},
-    ...typeof licenses !== "undefined" ? { licenses } : {},
-    ...typeof overrides !== "undefined" ? { overrides } : {},
-    ...rest
-  };
-}
-__name(packageSort, "packageSort");
-module.exports = {
-  packageSort
-};
+var require_sort = __commonJS({
+  "node_modules/.pnpm/@npmcli+package-json@7.0.0/node_modules/@npmcli/package-json/lib/sort.js"(exports2, module2) {
+    function packageSort(json) {
+      const {
+        name,
+        version,
+        private: isPrivate,
+        description,
+        keywords,
+        homepage,
+        bugs,
+        repository,
+        funding,
+        license,
+        author,
+        maintainers,
+        contributors,
+        type,
+        imports,
+        exports: exports3,
+        main,
+        browser,
+        types,
+        bin,
+        man,
+        directories,
+        files,
+        workspaces,
+        scripts,
+        config,
+        dependencies,
+        devDependencies,
+        peerDependencies,
+        peerDependenciesMeta,
+        optionalDependencies,
+        bundledDependencies,
+        bundleDependencies,
+        engines,
+        os,
+        cpu,
+        publishConfig,
+        devEngines,
+        licenses,
+        overrides,
+        ...rest
+      } = json;
+      return {
+        ...typeof name !== "undefined" ? { name } : {},
+        ...typeof version !== "undefined" ? { version } : {},
+        ...typeof isPrivate !== "undefined" ? { private: isPrivate } : {},
+        ...typeof description !== "undefined" ? { description } : {},
+        ...typeof keywords !== "undefined" ? { keywords } : {},
+        ...typeof homepage !== "undefined" ? { homepage } : {},
+        ...typeof bugs !== "undefined" ? { bugs } : {},
+        ...typeof repository !== "undefined" ? { repository } : {},
+        ...typeof funding !== "undefined" ? { funding } : {},
+        ...typeof license !== "undefined" ? { license } : {},
+        ...typeof author !== "undefined" ? { author } : {},
+        ...typeof maintainers !== "undefined" ? { maintainers } : {},
+        ...typeof contributors !== "undefined" ? { contributors } : {},
+        ...typeof type !== "undefined" ? { type } : {},
+        ...typeof imports !== "undefined" ? { imports } : {},
+        ...typeof exports3 !== "undefined" ? { exports: exports3 } : {},
+        ...typeof main !== "undefined" ? { main } : {},
+        ...typeof browser !== "undefined" ? { browser } : {},
+        ...typeof types !== "undefined" ? { types } : {},
+        ...typeof bin !== "undefined" ? { bin } : {},
+        ...typeof man !== "undefined" ? { man } : {},
+        ...typeof directories !== "undefined" ? { directories } : {},
+        ...typeof files !== "undefined" ? { files } : {},
+        ...typeof workspaces !== "undefined" ? { workspaces } : {},
+        ...typeof scripts !== "undefined" ? { scripts } : {},
+        ...typeof config !== "undefined" ? { config } : {},
+        ...typeof dependencies !== "undefined" ? { dependencies } : {},
+        ...typeof devDependencies !== "undefined" ? { devDependencies } : {},
+        ...typeof peerDependencies !== "undefined" ? { peerDependencies } : {},
+        ...typeof peerDependenciesMeta !== "undefined" ? { peerDependenciesMeta } : {},
+        ...typeof optionalDependencies !== "undefined" ? { optionalDependencies } : {},
+        ...typeof bundledDependencies !== "undefined" ? { bundledDependencies } : {},
+        ...typeof bundleDependencies !== "undefined" ? { bundleDependencies } : {},
+        ...typeof engines !== "undefined" ? { engines } : {},
+        ...typeof os !== "undefined" ? { os } : {},
+        ...typeof cpu !== "undefined" ? { cpu } : {},
+        ...typeof publishConfig !== "undefined" ? { publishConfig } : {},
+        ...typeof devEngines !== "undefined" ? { devEngines } : {},
+        ...typeof licenses !== "undefined" ? { licenses } : {},
+        ...typeof overrides !== "undefined" ? { overrides } : {},
+        ...rest
+      };
+    }
+    __name(packageSort, "packageSort");
+    module2.exports = {
+      packageSort
+    };
+  }
+});
+
+// src/external/@npmcli/package-json/lib/sort.js
+module.exports = require_sort();