@socketsecurity/lib 5.19.1 → 5.20.1

package/dist/http-request.d.ts

@@ -890,31 +890,6 @@ export declare function httpRequest(url: string, options?: HttpRequestOptions |
  * ```
  */
 export declare function httpText(url: string, options?: HttpRequestOptions | undefined): Promise<string>;
-/**
- * Parse a checksums file text into a filename-to-hash map.
- *
- * Supports standard checksums file formats:
- * - BSD style: "SHA256 (filename) = hash"
- * - GNU style: "hash  filename" (two spaces)
- * - Simple style: "hash filename" (single space)
- *
- * Lines starting with '#' are treated as comments and ignored.
- * Empty lines are ignored.
- *
- * @param text - Raw text content of a checksums file
- * @returns Map of filenames to lowercase SHA256 hashes
- *
- * @example
- * ```ts
- * const text = `
- * # SHA256 checksums
- * e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  file.zip
- * abc123def456...  other.tar.gz
- * `
- * const checksums = parseChecksums(text)
- * console.log(checksums['file.zip']) // 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
- * ```
- */
 export declare function parseChecksums(text: string): Checksums;
 /**
  * Parse a `Retry-After` HTTP header value into milliseconds.

package/dist/http-request.js

@@ -644,6 +644,9 @@ async function httpText(url, options) {
   }
   return response.text();
 }
+const CHECKSUM_BSD_RE = /^SHA256\s+\((.+)\)\s+=\s+([a-fA-F0-9]{64})$/;
+const CHECKSUM_GNU_RE = /^([a-fA-F0-9]{64})\s+(.+)$/;
+const RETRY_AFTER_INT_RE = /^\d+$/;
 function parseChecksums(text) {
   const checksums = { __proto__: null };
   for (const line of text.split("\n")) {
@@ -651,14 +654,12 @@ function parseChecksums(text) {
     if (!trimmed || trimmed.startsWith("#")) {
       continue;
     }
-    const bsdMatch = trimmed.match(
-      /^SHA256\s+\((.+)\)\s+=\s+([a-fA-F0-9]{64})$/
-    );
+    const bsdMatch = CHECKSUM_BSD_RE.exec(trimmed);
     if (bsdMatch) {
       checksums[bsdMatch[1]] = bsdMatch[2].toLowerCase();
       continue;
     }
-    const gnuMatch = trimmed.match(/^([a-fA-F0-9]{64})\s+(.+)$/);
+    const gnuMatch = CHECKSUM_GNU_RE.exec(trimmed);
     if (gnuMatch) {
       checksums[gnuMatch[2]] = gnuMatch[1].toLowerCase();
     }
@@ -674,7 +675,7 @@ function parseRetryAfterHeader(value) {
     return void 0;
   }
   const trimmed = raw.trim();
-  if (/^\d+$/.test(trimmed)) {
+  if (RETRY_AFTER_INT_RE.test(trimmed)) {
     const seconds = Number(trimmed);
     return seconds * 1e3;
   }

package/dist/ipc.js

@@ -35,15 +35,16 @@ __export(ipc_exports, {
 });
 module.exports = __toCommonJS(ipc_exports);
 var import_node_process = __toESM(require("node:process"));
+var import_typebox = require("./external/@sinclair/typebox");
 var import_socket = require("./paths/socket");
-var import_zod = require("./zod");
-const IpcStubSchema = import_zod.z.object({
+var import_validate_schema = require("./validation/validate-schema");
+const IpcStubSchema = import_typebox.Type.Object({
   /** Process ID that created the stub. */
-  pid: import_zod.z.number().int().positive(),
+  pid: import_typebox.Type.Integer({ minimum: 1 }),
   /** Creation timestamp for age validation. */
-  timestamp: import_zod.z.number().positive(),
+  timestamp: import_typebox.Type.Number({ exclusiveMinimum: 0 }),
   /** The actual data payload. */
-  data: import_zod.z.unknown()
+  data: import_typebox.Type.Unknown()
 });
 let _fs;
 let _path;
@@ -52,6 +53,24 @@ async function ensureIpcDirectory(filePath) {
   const path = /* @__PURE__ */ getPath();
   const dir = path.dirname(filePath);
   await fs.promises.mkdir(dir, { recursive: true, mode: 448 });
+  if (import_node_process.default.platform === "win32") {
+    return;
+  }
+  const stats = await fs.promises.lstat(dir);
+  if (!stats.isDirectory()) {
+    throw new Error(`IPC path is not a directory: ${dir}`);
+  }
+  const getuid = import_node_process.default.getuid;
+  const ownUid = typeof getuid === "function" ? getuid.call(import_node_process.default) : -1;
+  if (ownUid !== -1 && stats.uid !== ownUid) {
+    throw new Error(
+      `IPC directory ${dir} is owned by another user (uid ${stats.uid}); refusing to use it.`
+    );
+  }
+  const mode = stats.mode & 511;
+  if ((mode & 63) !== 0) {
+    await fs.promises.chmod(dir, 448);
+  }
 }
 // @__NO_SIDE_EFFECTS__
 function getFs() {
@@ -81,12 +100,26 @@ async function writeIpcStub(appName, data) {
     pid: import_node_process.default.pid,
     timestamp: Date.now()
   };
-  const validated = IpcStubSchema.parse(ipcData);
+  const validated = (0, import_validate_schema.parseSchema)(IpcStubSchema, ipcData);
   const fs = /* @__PURE__ */ getFs();
-  await fs.promises.writeFile(stubPath, JSON.stringify(validated, null, 2), {
-    encoding: "utf8",
-    mode: 384
-  });
+  const flags = fs.constants.O_CREAT | fs.constants.O_WRONLY | fs.constants.O_EXCL | fs.constants.O_NOFOLLOW;
+  let handle;
+  try {
+    handle = await fs.promises.open(stubPath, flags, 384);
+  } catch (e) {
+    const err = e;
+    if (err.code === "EEXIST") {
+      await fs.promises.unlink(stubPath);
+      handle = await fs.promises.open(stubPath, flags, 384);
+    } else {
+      throw err;
+    }
+  }
+  try {
+    await handle.writeFile(JSON.stringify(validated, null, 2), "utf8");
+  } finally {
+    await handle.close();
+  }
   return stubPath;
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/json/edit.d.ts

@@ -7,7 +7,7 @@ import type { EditableJsonConstructor } from './types';
  *
  * @example
  * ```ts
- * import { getEditableJsonClass } from '@socketsecurity/lib/json'
+ * import { getEditableJsonClass } from '@socketsecurity/lib/json/edit'
  *
  * const EditableJson = getEditableJsonClass<MyConfigType>()
  * const config = await EditableJson.load('./config.json')

package/dist/memoization.js

@@ -183,6 +183,11 @@ function memoizeAsync(fn, options = {}) {
       const inflight = refreshing.get(key);
       if (inflight) {
         (0, import_debug.debugLog)(`[memoizeAsync:${name}] stale-dedup`, { key });
+        const inflightIndex = accessOrder.indexOf(key);
+        if (inflightIndex !== -1) {
+          accessOrder.splice(inflightIndex, 1);
+        }
+        accessOrder.push(key);
         return await inflight;
       }
       cache.delete(key);
@@ -198,6 +203,7 @@ function memoizeAsync(fn, options = {}) {
         const entry = cache.get(key);
         if (entry) {
           entry.value = Promise.resolve(result);
+          entry.timestamp = Date.now();
         }
         return result;
       },

package/dist/paths/packages.js

@@ -34,8 +34,12 @@ function getPath() {
   return _path;
 }
 // @__NO_SIDE_EFFECTS__
+function isPackageJsonFile(filepath) {
+  return filepath === "package.json" || filepath.endsWith("/package.json") || filepath.endsWith("\\package.json");
+}
+// @__NO_SIDE_EFFECTS__
 function resolvePackageJsonDirname(filepath) {
-  if (filepath.endsWith("package.json")) {
+  if (/* @__PURE__ */ isPackageJsonFile(filepath)) {
     const path = /* @__PURE__ */ getPath();
     return (0, import_normalize.normalizePath)(path.dirname(filepath));
   }
@@ -43,7 +47,7 @@ function resolvePackageJsonDirname(filepath) {
 }
 // @__NO_SIDE_EFFECTS__
 function resolvePackageJsonPath(filepath) {
-  if (filepath.endsWith("package.json")) {
+  if (/* @__PURE__ */ isPackageJsonFile(filepath)) {
     return (0, import_normalize.normalizePath)(filepath);
   }
   const path = /* @__PURE__ */ getPath();

package/dist/promise-queue.js

@@ -69,7 +69,7 @@ class PromiseQueue {
       return;
     }
     this.running++;
-    task.fn().then(task.resolve).catch(task.reject).finally(() => {
+    Promise.resolve().then(() => task.fn()).then(task.resolve).catch(task.reject).finally(() => {
       this.running--;
       this.runNext();
     });

package/dist/stdio/progress.js

@@ -174,7 +174,7 @@ class ProgressBar {
    * Format time in seconds to human readable.
    */
   formatTime(ms) {
-    const seconds = Math.round(ms / 1e3);
+    const seconds = Math.max(0, Math.round(ms / 1e3));
     if (seconds < 60) {
       return `${seconds}s`;
     }

package/dist/tables.js

@@ -37,11 +37,10 @@ module.exports = __toCommonJS(tables_exports);
 var import_yoctocolors_cjs = __toESM(require("./external/yoctocolors-cjs"));
 var import_strings = require("./strings");
 function displayWidth(text) {
-  return (0, import_strings.stripAnsi)(text).length;
+  return (0, import_strings.stringWidth)(text);
 }
 function padText(text, width, align = "left") {
-  const stripped = (0, import_strings.stripAnsi)(text);
-  const textWidth = stripped.length;
+  const textWidth = displayWidth(text);
   const padding = Math.max(0, width - textWidth);
   switch (align) {
     case "right":

package/dist/validation/validate-schema.d.ts

@@ -0,0 +1,124 @@
+/**
+ * @fileoverview Universal schema validation for Zod-style schemas (Zod v3,
+ * v4, and any `safeParse`-shaped duck type).
+ *
+ * Accepts a schema and returns a tagged result.
+ *   - `{ ok: true, value }`  — validation passed, `value` is typed as the
+ *     schema's inferred output (`z.infer<typeof S>`).
+ *   - `{ ok: false, errors }` — validation failed, `errors` is a normalized
+ *     list of `{ path, message }`.
+ *
+ * Zod is detected purely structurally via `.safeParse` — no runtime import of
+ * the `zod` package is required by socket-lib.
+ *
+ * @internal
+ * Socket-lib additionally recognizes TypeBox schemas for its own internal
+ * use (e.g. `src/ipc.ts`'s stub-file validation). That path is not a
+ * supported consumer API — callers should use Zod.
+ */
+import type { Schema } from './types';
+/**
+ * TypeBox's `Kind` symbol. We reference it structurally for schema detection
+ * rather than importing it from `@sinclair/typebox` — detection scans the
+ * schema's own-symbol keys for one whose description is `'TypeBox.Kind'`.
+ * The `Value` runtime is only loaded lazily when a TypeBox schema is seen.
+ */
+type TypeBoxKindSymbol = symbol & {
+    __typeBoxKindBrand?: never;
+};
+/**
+ * Structural minimum of a TypeBox `TSchema`. The phantom `static` field is
+ * the type TypeBox uses for inference (`Static<T> = T['static']`).
+ */
+interface TypeBoxLikeSchema {
+    [k: TypeBoxKindSymbol]: string;
+    static: unknown;
+}
+/**
+ * Structural shape of a Zod v4 schema — carries output type on `_zod.output`.
+ */
+interface ZodV4LikeSchema<O = unknown> {
+    _zod: {
+        output: O;
+    };
+    safeParse(data: unknown): unknown;
+}
+/**
+ * Structural shape of a Zod v3 schema — carries output type on `_output`.
+ */
+interface ZodV3LikeSchema<O = unknown> {
+    _output: O;
+    safeParse(data: unknown): unknown;
+}
+/**
+ * Any schema kind this helper accepts.
+ */
+export type AnySchema = TypeBoxLikeSchema | ZodV4LikeSchema<unknown> | ZodV3LikeSchema<unknown> | Schema<unknown>;
+/**
+ * Infer the validated output type from any supported schema kind.
+ *
+ * Order matters: TypeBox schemas also carry a phantom `static` field, so we
+ * check for TypeBox before falling through to Zod and the duck-type.
+ */
+export type Infer<S> = S extends {
+    static: infer Static;
+} ? Static : S extends {
+    _zod: {
+        output: infer O;
+    };
+} ? O : S extends {
+    _output: infer O;
+} ? O : S extends Schema<infer T> ? T : unknown;
+/**
+ * A single normalized validation error.
+ * - `path` is a dotted or slash-separated identifier locating the bad value.
+ * - `message` is human-readable.
+ */
+export interface ValidationIssue {
+    /** Array path into the value (e.g. `['user', 'age']`). */
+    path: Array<string | number>;
+    /** Human-readable description of the failure. */
+    message: string;
+}
+/**
+ * Tagged-union result of {@link validateSchema}. Callers narrow on `ok`.
+ */
+export type ValidateResult<T> = {
+    ok: true;
+    value: T;
+} | {
+    ok: false;
+    errors: ValidationIssue[];
+};
+/**
+ * Validate `data` against a Zod-style `schema`. Non-throwing.
+ *
+ * Accepted schemas:
+ * - `zod` schemas, v3 and v4 (detected via `.safeParse` on the schema)
+ * - Any object conforming to {@link Schema} (the socket-lib duck type)
+ *
+ * The return type narrows `value` to {@link Infer | `Infer<S>`}, so callers
+ * get `z.infer<typeof S>` with no casts.
+ *
+ * @example
+ * ```ts
+ * import { z } from 'zod'
+ * const U = z.object({ name: z.string() })
+ * const r = validateSchema(U, data)
+ * if (r.ok) r.value.name // string
+ * ```
+ *
+ * Errors are normalized to {@link ValidationIssue}: `{ path, message }`.
+ */
+export declare function validateSchema<S>(schema: S, data: unknown): ValidateResult<Infer<S>>;
+/**
+ * Parse `data` against `schema` and return the validated value. Throws if
+ * validation fails. This is the throwing twin of {@link validateSchema}.
+ *
+ * Use when you want fail-fast semantics at a trust boundary. For recoverable
+ * validation (form input, external configs), prefer {@link validateSchema}.
+ *
+ * @throws {Error} When validation fails. The message lists all issues.
+ */
+export declare function parseSchema<S>(schema: S, data: unknown): Infer<S>;
+export {};

package/dist/validation/validate-schema.js

@@ -0,0 +1,108 @@
+"use strict";
+/* Socket Lib - Built with esbuild */
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var validate_schema_exports = {};
+__export(validate_schema_exports, {
+  parseSchema: () => parseSchema,
+  validateSchema: () => validateSchema
+});
+module.exports = __toCommonJS(validate_schema_exports);
+function isTypeBoxSchema(schema) {
+  if (schema === null || typeof schema !== "object") {
+    return false;
+  }
+  for (const sym of Object.getOwnPropertySymbols(schema)) {
+    if (sym.description === "TypeBox.Kind") {
+      return typeof schema[sym] === "string";
+    }
+  }
+  return false;
+}
+function normalizeTypeBoxErrors(errors) {
+  const out = [];
+  for (const err of errors) {
+    const segs = err.path.split("/").filter(Boolean);
+    out.push({
+      path: segs.map((s) => {
+        const n = Number(s);
+        return Number.isInteger(n) && String(n) === s ? n : s;
+      }),
+      message: err.message
+    });
+  }
+  return out;
+}
+function normalizeZodError(err) {
+  if (err === null || typeof err !== "object") {
+    return [{ path: [], message: String(err) }];
+  }
+  const issues = err.issues;
+  if (!Array.isArray(issues)) {
+    return [{ path: [], message: "Unknown validation error" }];
+  }
+  return issues.map((issue) => {
+    const i = issue;
+    return {
+      path: Array.isArray(i.path) ? i.path : [],
+      message: typeof i.message === "string" ? i.message : "Invalid value"
+    };
+  });
+}
+function validateSchema(schema, data) {
+  if (isTypeBoxSchema(schema)) {
+    const { Value } = require("../external/@sinclair/typebox/value");
+    if (Value.Check(schema, data)) {
+      return { ok: true, value: data };
+    }
+    return {
+      ok: false,
+      errors: normalizeTypeBoxErrors(Value.Errors(schema, data))
+    };
+  }
+  if (schema !== null && typeof schema === "object" && typeof schema.safeParse === "function") {
+    const result = schema.safeParse(data);
+    if (result.success === true) {
+      return {
+        ok: true,
+        value: result.data
+      };
+    }
+    return {
+      ok: false,
+      errors: normalizeZodError(result.error)
+    };
+  }
+  throw new TypeError(
+    "validateSchema: unsupported schema kind. Expected a TypeBox schema, a Zod schema, or an object with a safeParse method."
+  );
+}
+function parseSchema(schema, data) {
+  const result = validateSchema(schema, data);
+  if (result.ok) {
+    return result.value;
+  }
+  const summary = result.errors.map((e) => `${e.path.join(".") || "(root)"}: ${e.message}`).join(", ");
+  throw new Error(`Validation failed: ${summary}`);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  parseSchema,
+  validateSchema
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.19.1",
+  "version": "5.20.1",
   "packageManager": "pnpm@11.0.0-rc.2",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
@@ -663,6 +663,10 @@
       "types": "./dist/validation/types.d.ts",
       "default": "./dist/validation/types.js"
     },
+    "./validation/validate-schema": {
+      "types": "./dist/validation/validate-schema.d.ts",
+      "default": "./dist/validation/validate-schema.js"
+    },
     "./versions": {
       "types": "./dist/versions.d.ts",
       "default": "./dist/versions.js"
@@ -671,10 +675,6 @@
       "types": "./dist/words.d.ts",
       "default": "./dist/words.js"
     },
-    "./zod": {
-      "types": "./dist/zod.d.ts",
-      "default": "./dist/zod.js"
-    },
     "./data/extensions.json": "./data/extensions.json",
     "./package.json": "./package.json",
     "./tsconfig.dts.json": "./tsconfig.dts.json",
@@ -720,10 +720,11 @@
     "@npmcli/arborist": "9.1.4",
     "@npmcli/package-json": "7.0.0",
     "@npmcli/promise-spawn": "8.0.3",
+    "@sinclair/typebox": "0.34.49",
     "@socketregistry/is-unicode-supported": "1.0.5",
     "@socketregistry/packageurl-js": "1.4.2",
     "@socketregistry/yocto-spinner": "1.0.25",
-    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.19.0",
+    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.19.1",
     "@types/node": "24.9.2",
     "@typescript/native-preview": "7.0.0-dev.20260415.1",
     "@vitest/coverage-v8": "4.0.3",