@socketsecurity/lib 5.2.1 → 5.4.0

package/dist/releases/github.d.ts

@@ -1,10 +1,53 @@
 /**
- * Socket-btm GitHub repository configuration.
+ * Pattern for matching release assets.
+ * Can be either:
+ * - A string with glob pattern syntax
+ * - A prefix/suffix pair for explicit matching (backward compatible)
+ * - A RegExp for complex patterns
+ *
+ * String patterns support full glob syntax via picomatch.
+ * Examples:
+ * - Simple wildcard: yoga-sync-*.mjs matches yoga-sync-abc123.mjs
+ * - Complex: models-*.tar.gz matches models-2024-01-15.tar.gz
+ * - Prefix wildcard: *-models.tar.gz matches foo-models.tar.gz
+ * - Suffix wildcard: yoga-* matches yoga-layout
+ * - Brace expansion: {yoga,models}-*.{mjs,js} matches yoga-abc.mjs or models-xyz.js
+ *
+ * For backward compatibility, prefix/suffix objects are still supported but glob patterns are recommended.
  */
-export declare const SOCKET_BTM_REPO: {
-    readonly owner: "SocketDev";
-    readonly repo: "socket-btm";
-};
+export type AssetPattern = string | {
+    prefix: string;
+    suffix: string;
+} | RegExp;
+/**
+ * Configuration for downloading a GitHub release.
+ */
+export interface DownloadGitHubReleaseConfig {
+    /** Asset name on GitHub. */
+    assetName: string;
+    /** Binary filename (e.g., 'node', 'binject'). */
+    binaryName: string;
+    /** Working directory (defaults to process.cwd()). */
+    cwd?: string;
+    /** Download destination directory. @default 'build/downloaded' */
+    downloadDir?: string;
+    /** GitHub repository owner/organization. */
+    owner: string;
+    /** Platform-arch identifier (e.g., 'linux-x64-musl'). */
+    platformArch: string;
+    /** Suppress log messages. @default false */
+    quiet?: boolean;
+    /** Remove macOS quarantine attribute after download. @default true */
+    removeMacOSQuarantine?: boolean;
+    /** GitHub repository name. */
+    repo: string;
+    /** Specific release tag to download. */
+    tag?: string;
+    /** Tool name for directory structure. */
+    toolName: string;
+    /** Tool prefix for finding latest release. */
+    toolPrefix?: string;
+}
 /**
  * Configuration for repository access.
  */
@@ -19,161 +62,63 @@ export interface RepoConfig {
     repo: string;
 }
 /**
- * Get latest release tag matching a tool prefix.
- *
- * Searches recent releases for the first tag matching the given prefix.
- * Useful for finding latest versions of tools with date-based tags like
- * `node-smol-20260105-c47753c` or `binject-20260106-1df5745`.
+ * Socket-btm GitHub repository configuration.
+ */
+export declare const SOCKET_BTM_REPO: {
+    readonly owner: "SocketDev";
+    readonly repo: "socket-btm";
+};
+/**
+ * Download a specific release asset.
+ * Supports pattern matching for dynamic asset discovery.
  *
- * @param toolPrefix - Tool name prefix to search for (e.g., 'node-smol-', 'binject-')
+ * @param tag - Release tag name
+ * @param assetPattern - Asset name or pattern (glob string, prefix/suffix object, or RegExp)
+ * @param outputPath - Path to write the downloaded file
  * @param repoConfig - Repository configuration (owner/repo)
  * @param options - Additional options
- * @returns Latest release tag or null if not found
- *
- * @example
- * ```ts
- * const tag = await getLatestRelease('node-smol-', {
- *   owner: 'SocketDev',
- *   repo: 'socket-btm'
- * })
- * // Returns: 'node-smol-20260105-c47753c'
- * ```
  */
-export declare function getLatestRelease(toolPrefix: string, repoConfig: RepoConfig, options?: {
+export declare function downloadReleaseAsset(tag: string, assetPattern: string | AssetPattern, outputPath: string, repoConfig: RepoConfig, options?: {
     quiet?: boolean;
-}): Promise<string | null>;
+}): Promise<void>;
 /**
- * Get download URL for a specific release asset.
+ * Get GitHub authentication headers if token is available.
+ * Checks GH_TOKEN or GITHUB_TOKEN environment variables.
+ *
+ * @returns Headers object with Authorization header if token exists.
+ */
+export declare function getAuthHeaders(): Record<string, string>;
+/**
+ * Get latest release tag matching a tool prefix.
+ * Optionally filter by releases containing a matching asset.
  *
- * @param tag - Release tag name (e.g., 'node-smol-20260105-c47753c')
- * @param assetName - Asset name to download (e.g., 'node-linux-x64-musl')
+ * @param toolPrefix - Tool name prefix to search for (e.g., 'node-smol-')
  * @param repoConfig - Repository configuration (owner/repo)
  * @param options - Additional options
- * @returns Browser download URL for the asset
- *
- * @example
- * ```ts
- * const url = await getReleaseAssetUrl(
- *   'node-smol-20260105-c47753c',
- *   'node-linux-x64-musl',
- *   { owner: 'SocketDev', repo: 'socket-btm' }
- * )
- * ```
+ * @param options.assetPattern - Optional pattern to filter releases by matching asset
+ * @returns Latest release tag or null if not found
  */
-export declare function getReleaseAssetUrl(tag: string, assetName: string, repoConfig: RepoConfig, options?: {
+export declare function getLatestRelease(toolPrefix: string, repoConfig: RepoConfig, options?: {
+    assetPattern?: AssetPattern;
     quiet?: boolean;
 }): Promise<string | null>;
 /**
- * Download a specific release asset.
- *
- * Uses browser_download_url to avoid consuming GitHub API quota.
- * Automatically follows redirects and retries on failure.
+ * Get download URL for a specific release asset.
+ * Supports pattern matching for dynamic asset discovery.
  *
  * @param tag - Release tag name
- * @param assetName - Asset name to download
- * @param outputPath - Path to write the downloaded file
+ * @param assetPattern - Asset name or pattern (glob string, prefix/suffix object, or RegExp)
  * @param repoConfig - Repository configuration (owner/repo)
  * @param options - Additional options
- *
- * @example
- * ```ts
- * await downloadReleaseAsset(
- *   'node-smol-20260105-c47753c',
- *   'node-linux-x64-musl',
- *   '/path/to/output/node',
- *   { owner: 'SocketDev', repo: 'socket-btm' }
- * )
- * ```
+ * @returns Browser download URL for the asset
  */
-export declare function downloadReleaseAsset(tag: string, assetName: string, outputPath: string, repoConfig: RepoConfig, options?: {
+export declare function getReleaseAssetUrl(tag: string, assetPattern: string | AssetPattern, repoConfig: RepoConfig, options?: {
     quiet?: boolean;
-}): Promise<void>;
-/**
- * Configuration for downloading a GitHub release.
- */
-export interface DownloadGitHubReleaseConfig {
-    /**
-     * GitHub repository owner/organization.
-     */
-    owner: string;
-    /**
-     * GitHub repository name.
-     */
-    repo: string;
-    /**
-     * Working directory (defaults to process.cwd()).
-     * Used to resolve relative paths in downloadDir.
-     */
-    cwd?: string;
-    /**
-     * Download destination directory.
-     * Can be absolute or relative to cwd.
-     * @default 'build/downloaded' (relative to cwd)
-     */
-    downloadDir?: string;
-    /**
-     * Tool name for directory structure (e.g., 'node-smol', 'binject', 'lief').
-     * Creates subdirectory: {downloadDir}/{toolName}/{platformArch}/
-     */
-    toolName: string;
-    /**
-     * Platform-arch identifier (e.g., 'linux-x64-musl', 'darwin-arm64').
-     * Used for the download directory path.
-     */
-    platformArch: string;
-    /**
-     * Binary filename (e.g., 'node', 'binject', 'lief', 'node.exe').
-     */
-    binaryName: string;
-    /**
-     * Asset name on GitHub (e.g., 'node-linux-x64-musl', 'binject-darwin-arm64').
-     */
-    assetName: string;
-    /**
-     * Tool prefix for finding latest release (e.g., 'node-smol-', 'binject-').
-     * Either this or `tag` must be provided.
-     */
-    toolPrefix?: string;
-    /**
-     * Specific release tag to download (e.g., 'node-smol-20260105-c47753c').
-     * If not provided, uses `toolPrefix` to find the latest release.
-     */
-    tag?: string;
-    /**
-     * Suppress log messages.
-     * @default false
-     */
-    quiet?: boolean;
-    /**
-     * Remove macOS quarantine attribute after download.
-     * Only applies when downloading on macOS for macOS binaries.
-     * @default true
-     */
-    removeMacOSQuarantine?: boolean;
-}
+}): Promise<string | null>;
 /**
  * Download a binary from any GitHub repository with version caching.
  *
- * Downloads to: `{downloadDir}/{toolName}/{platformArch}/{binaryName}`
- * Caches version in: `{downloadDir}/{toolName}/{platformArch}/.version`
- *
  * @param config - Download configuration
  * @returns Path to the downloaded binary
- *
- * @example
- * ```ts
- * // Download from any GitHub repo
- * const nodePath = await downloadGitHubRelease({
- *   owner: 'nodejs',
- *   repo: 'node',
- *   cwd: process.cwd(),
- *   downloadDir: 'build/downloaded',  // relative to cwd
- *   toolName: 'node',
- *   platformArch: 'linux-x64',
- *   binaryName: 'node',
- *   assetName: 'node-v20.10.0-linux-x64.tar.gz',
- *   tag: 'v20.10.0'
- * })
- * ```
  */
 export declare function downloadGitHubRelease(config: DownloadGitHubReleaseConfig): Promise<string>;

package/dist/releases/github.js

@@ -32,23 +32,18 @@ __export(github_exports, {
   SOCKET_BTM_REPO: () => SOCKET_BTM_REPO,
   downloadGitHubRelease: () => downloadGitHubRelease,
   downloadReleaseAsset: () => downloadReleaseAsset,
+  getAuthHeaders: () => getAuthHeaders,
   getLatestRelease: () => getLatestRelease,
   getReleaseAssetUrl: () => getReleaseAssetUrl
 });
 module.exports = __toCommonJS(github_exports);
-var import_node_fs = require("node:fs");
-var import_promises = require("node:fs/promises");
-var import_node_path = __toESM(require("node:path"));
+var import_picomatch = __toESM(require("../external/picomatch.js"));
 var import_fs = require("../fs.js");
 var import_http_request = require("../http-request.js");
 var import_logger = require("../logger.js");
-var import_promises2 = require("../promises.js");
+var import_promises = require("../promises.js");
 var import_spawn = require("../spawn.js");
 const logger = (0, import_logger.getDefaultLogger)();
-const SOCKET_BTM_REPO = {
-  owner: "SocketDev",
-  repo: "socket-btm"
-};
 const RETRY_CONFIG = Object.freeze({
   __proto__: null,
   // Exponential backoff: delay doubles with each retry (5s, 10s, 20s).
@@ -58,6 +53,59 @@ const RETRY_CONFIG = Object.freeze({
   // Maximum number of retry attempts (excluding initial request).
   retries: 2
 });
+let _fs;
+let _path;
+function createMatcher(pattern) {
+  if (typeof pattern === "string") {
+    const isMatch = (0, import_picomatch.default)(pattern);
+    return (input) => isMatch(input);
+  }
+  if (pattern instanceof RegExp) {
+    return (input) => pattern.test(input);
+  }
+  const { prefix, suffix } = pattern;
+  return (input) => input.startsWith(prefix) && input.endsWith(suffix);
+}
+// @__NO_SIDE_EFFECTS__
+function getFs() {
+  if (_fs === void 0) {
+    _fs = require("fs");
+  }
+  return _fs;
+}
+// @__NO_SIDE_EFFECTS__
+function getPath() {
+  if (_path === void 0) {
+    _path = require("path");
+  }
+  return _path;
+}
+const SOCKET_BTM_REPO = {
+  owner: "SocketDev",
+  repo: "socket-btm"
+};
+async function downloadReleaseAsset(tag, assetPattern, outputPath, repoConfig, options = {}) {
+  const { owner, repo } = repoConfig;
+  const { quiet = false } = options;
+  const downloadUrl = await getReleaseAssetUrl(
+    tag,
+    assetPattern,
+    { owner, repo },
+    { quiet }
+  );
+  if (!downloadUrl) {
+    const patternDesc = typeof assetPattern === "string" ? assetPattern : "matching pattern";
+    throw new Error(`Asset ${patternDesc} not found in release ${tag}`);
+  }
+  const path = /* @__PURE__ */ getPath();
+  await (0, import_fs.safeMkdir)(path.dirname(outputPath));
+  await (0, import_http_request.httpDownload)(downloadUrl, outputPath, {
+    logger: quiet ? void 0 : logger,
+    progressInterval: 10,
+    retries: 2,
+    retryDelay: 5e3
+  });
+}
 function getAuthHeaders() {
   const token = process.env["GH_TOKEN"] || process.env["GITHUB_TOKEN"];
   const headers = {
@@ -70,9 +118,10 @@ function getAuthHeaders() {
   return headers;
 }
 async function getLatestRelease(toolPrefix, repoConfig, options = {}) {
+  const { assetPattern, quiet = false } = options;
   const { owner, repo } = repoConfig;
-  const { quiet = false } = options;
-  return await (0, import_promises2.pRetry)(
+  const isMatch = assetPattern ? createMatcher(assetPattern) : void 0;
+  return await (0, import_promises.pRetry)(
     async () => {
       const response = await (0, import_http_request.httpRequest)(
         `https://api.github.com/repos/${owner}/${repo}/releases?per_page=100`,
@@ -85,13 +134,22 @@ async function getLatestRelease(toolPrefix, repoConfig, options = {}) {
       }
       const releases = JSON.parse(response.body.toString("utf8"));
       for (const release of releases) {
-        const { tag_name: tag } = release;
-        if (tag.startsWith(toolPrefix)) {
-          if (!quiet) {
-            logger.info(`Found release: ${tag}`);
+        const { assets, tag_name: tag } = release;
+        if (!tag.startsWith(toolPrefix)) {
+          continue;
+        }
+        if (isMatch) {
+          const hasMatchingAsset = assets.some(
+            (a) => isMatch(a.name)
+          );
+          if (!hasMatchingAsset) {
+            continue;
           }
-          return tag;
         }
+        if (!quiet) {
+          logger.info(`Found release: ${tag}`);
+        }
+        return tag;
       }
       if (!quiet) {
         logger.info(`No ${toolPrefix} release found in latest 100 releases`);
@@ -114,10 +172,11 @@ async function getLatestRelease(toolPrefix, repoConfig, options = {}) {
     }
   );
 }
-async function getReleaseAssetUrl(tag, assetName, repoConfig, options = {}) {
+async function getReleaseAssetUrl(tag, assetPattern, repoConfig, options = {}) {
   const { owner, repo } = repoConfig;
   const { quiet = false } = options;
-  return await (0, import_promises2.pRetry)(
+  const isMatch = typeof assetPattern === "string" && !assetPattern.includes("*") && !assetPattern.includes("{") ? (input) => input === assetPattern : createMatcher(assetPattern);
+  return await (0, import_promises.pRetry)(
     async () => {
       const response = await (0, import_http_request.httpRequest)(
         `https://api.github.com/repos/${owner}/${repo}/releases/tags/${tag}`,
@@ -130,13 +189,14 @@ async function getReleaseAssetUrl(tag, assetName, repoConfig, options = {}) {
       }
       const release = JSON.parse(response.body.toString("utf8"));
       const asset = release.assets.find(
-        (a) => a.name === assetName
+        (a) => isMatch(a.name)
       );
       if (!asset) {
-        throw new Error(`Asset ${assetName} not found in release ${tag}`);
+        const patternDesc = typeof assetPattern === "string" ? assetPattern : "matching pattern";
+        throw new Error(`Asset ${patternDesc} not found in release ${tag}`);
       }
       if (!quiet) {
-        logger.info(`Found asset: ${assetName}`);
+        logger.info(`Found asset: ${asset.name}`);
       }
       return asset.browser_download_url;
     },
@@ -156,26 +216,6 @@ async function getReleaseAssetUrl(tag, assetName, repoConfig, options = {}) {
     }
   );
 }
-async function downloadReleaseAsset(tag, assetName, outputPath, repoConfig, options = {}) {
-  const { owner, repo } = repoConfig;
-  const { quiet = false } = options;
-  const downloadUrl = await getReleaseAssetUrl(
-    tag,
-    assetName,
-    { owner, repo },
-    { quiet }
-  );
-  if (!downloadUrl) {
-    throw new Error(`Asset ${assetName} not found in release ${tag}`);
-  }
-  await (0, import_fs.safeMkdir)(import_node_path.default.dirname(outputPath));
-  await (0, import_http_request.httpDownload)(downloadUrl, outputPath, {
-    logger: quiet ? void 0 : logger,
-    progressInterval: 10,
-    retries: 2,
-    retryDelay: 5e3
-  });
-}
 async function downloadGitHubRelease(config) {
   const {
     assetName,
@@ -207,12 +247,14 @@ async function downloadGitHubRelease(config) {
   } else {
     throw new Error("Either toolPrefix or tag must be provided");
   }
-  const resolvedDownloadDir = import_node_path.default.isAbsolute(downloadDir) ? downloadDir : import_node_path.default.join(cwd, downloadDir);
-  const binaryDir = import_node_path.default.join(resolvedDownloadDir, toolName, platformArch);
-  const binaryPath = import_node_path.default.join(binaryDir, binaryName);
-  const versionPath = import_node_path.default.join(binaryDir, ".version");
-  if ((0, import_node_fs.existsSync)(versionPath) && (0, import_node_fs.existsSync)(binaryPath)) {
-    const cachedVersion = (await (0, import_promises.readFile)(versionPath, "utf8")).trim();
+  const path = /* @__PURE__ */ getPath();
+  const resolvedDownloadDir = path.isAbsolute(downloadDir) ? downloadDir : path.join(cwd, downloadDir);
+  const binaryDir = path.join(resolvedDownloadDir, toolName, platformArch);
+  const binaryPath = path.join(binaryDir, binaryName);
+  const versionPath = path.join(binaryDir, ".version");
+  const fs = /* @__PURE__ */ getFs();
+  if (fs.existsSync(versionPath) && fs.existsSync(binaryPath)) {
+    const cachedVersion = (await fs.promises.readFile(versionPath, "utf8")).trim();
     if (cachedVersion === tag) {
       if (!quiet) {
         logger.info(`Using cached ${toolName} (${platformArch}): ${binaryPath}`);
@@ -232,7 +274,7 @@ async function downloadGitHubRelease(config) {
   );
   const isWindows = binaryName.endsWith(".exe");
   if (!isWindows) {
-    (0, import_node_fs.chmodSync)(binaryPath, 493);
+    fs.chmodSync(binaryPath, 493);
     if (removeMacOSQuarantine && process.platform === "darwin" && platformArch.startsWith("darwin")) {
       try {
         await (0, import_spawn.spawn)("xattr", ["-d", "com.apple.quarantine", binaryPath], {
@@ -242,7 +284,7 @@ async function downloadGitHubRelease(config) {
       }
     }
   }
-  await (0, import_promises.writeFile)(versionPath, tag, "utf8");
+  await fs.promises.writeFile(versionPath, tag, "utf8");
   if (!quiet) {
     logger.info(`Downloaded ${toolName} to ${binaryPath}`);
   }
@@ -253,6 +295,7 @@ async function downloadGitHubRelease(config) {
   SOCKET_BTM_REPO,
   downloadGitHubRelease,
   downloadReleaseAsset,
+  getAuthHeaders,
   getLatestRelease,
   getReleaseAssetUrl
 });