@socketsecurity/lib 5.20.1 → 5.23.0

package/dist/cache-with-ttl.js

@@ -84,7 +84,7 @@ function createTtlCache(options) {
     }
     const escaped = fullPattern.replaceAll(/[.+?^${}()|[\]\\]/g, "\\$&");
     const regexPattern = escaped.replaceAll("*", ".*");
-    const regex = new RegExp(`^${regexPattern}`);
+    const regex = new RegExp(`^${regexPattern}$`);
     return (key) => regex.test(key);
   }
   async function get(key) {

package/dist/constants/socket.js

@@ -77,7 +77,7 @@ const SOCKET_FIREWALL_APP_NAME = "sfw";
 const SOCKET_REGISTRY_APP_NAME = "registry";
 const SOCKET_APP_PREFIX = "_";
 const SOCKET_LIB_NAME = "@socketsecurity/lib";
-const SOCKET_LIB_VERSION = "5.20.1";
+const SOCKET_LIB_VERSION = "5.23.0";
 const SOCKET_LIB_URL = "https://github.com/SocketDev/socket-lib";
 const SOCKET_LIB_USER_AGENT = `socketsecurity-lib/${SOCKET_LIB_VERSION} (${SOCKET_LIB_URL})`;
 const SOCKET_IPC_HANDSHAKE = "SOCKET_IPC_HANDSHAKE";

package/dist/dlx/detect.js

@@ -33,7 +33,20 @@ var import_socket = require("../paths/socket");
 let _fs;
 let _path;
 const NODE_JS_EXTENSIONS = /* @__PURE__ */ new Set([".js", ".mjs", ".cjs"]);
+const PACKAGE_JSON_PATH_CACHE_MAX_SIZE = 200;
+const PACKAGE_JSON_NEGATIVE_TTL_MS = 1e4;
 const packageJsonPathCache = /* @__PURE__ */ new Map();
+function packageJsonPathCacheSet(key, value) {
+  if (packageJsonPathCache.has(key)) {
+    packageJsonPathCache.delete(key);
+  } else if (packageJsonPathCache.size >= PACKAGE_JSON_PATH_CACHE_MAX_SIZE) {
+    const oldest = packageJsonPathCache.keys().next().value;
+    if (oldest !== void 0) {
+      packageJsonPathCache.delete(oldest);
+    }
+  }
+  packageJsonPathCache.set(key, { path: value, at: Date.now() });
+}
 const packageJsonContentCache = /* @__PURE__ */ new Map();
 function findPackageJson(filePath) {
   const fs = /* @__PURE__ */ getFs();
@@ -41,25 +54,29 @@ function findPackageJson(filePath) {
   const startDir = path.dirname(path.resolve(filePath));
   const cached = packageJsonPathCache.get(startDir);
   if (cached !== void 0) {
-    if (cached === null) {
-      return void 0;
-    }
-    if (fs.existsSync(cached)) {
-      return cached;
+    if (cached.path === null) {
+      if (Date.now() - cached.at < PACKAGE_JSON_NEGATIVE_TTL_MS) {
+        return void 0;
+      }
+      packageJsonPathCache.delete(startDir);
+    } else if (fs.existsSync(cached.path)) {
+      packageJsonPathCacheSet(startDir, cached.path);
+      return cached.path;
+    } else {
+      packageJsonPathCache.delete(startDir);
     }
-    packageJsonPathCache.delete(startDir);
   }
   let currentDir = startDir;
   const root = path.parse(currentDir).root;
   while (currentDir !== root) {
     const packageJsonPath = path.join(currentDir, "package.json");
     if (fs.existsSync(packageJsonPath)) {
-      packageJsonPathCache.set(startDir, packageJsonPath);
+      packageJsonPathCacheSet(startDir, packageJsonPath);
       return packageJsonPath;
     }
     currentDir = path.dirname(currentDir);
   }
-  packageJsonPathCache.set(startDir, null);
+  packageJsonPathCacheSet(startDir, null);
   return void 0;
 }
 // @__NO_SIDE_EFFECTS__

package/dist/dlx/manifest.js

@@ -26,6 +26,7 @@ __export(manifest_exports, {
   isPackageEntry: () => isPackageEntry
 });
 module.exports = __toCommonJS(manifest_exports);
+var import_errors = require("../errors");
 var import_fs = require("../fs");
 var import_logger = require("../logger");
 var import_socket = require("../paths/socket");
@@ -79,9 +80,7 @@ class DlxManifest {
       }
       return JSON.parse(content);
     } catch (error) {
-      logger.warn(
-        `Failed to read manifest: ${error instanceof Error ? error.message : String(error)}`
-      );
+      logger.warn(`Failed to read manifest: ${(0, import_errors.errorMessage)(error)}`);
       return { __proto__: null };
     }
   }
@@ -94,9 +93,7 @@ class DlxManifest {
     try {
       (0, import_fs.safeMkdirSync)(manifestDir, { recursive: true });
     } catch (error) {
-      logger.warn(
-        `Failed to create manifest directory: ${error instanceof Error ? error.message : String(error)}`
-      );
+      logger.warn(`Failed to create manifest directory: ${(0, import_errors.errorMessage)(error)}`);
     }
     const content = JSON.stringify(data, null, 2);
     const tempPath = `${this.manifestPath}.tmp`;
@@ -130,9 +127,7 @@ class DlxManifest {
         delete data[name];
         await this.writeManifest(data);
       } catch (error) {
-        logger.warn(
-          `Failed to clear cache for ${name}: ${error instanceof Error ? error.message : String(error)}`
-        );
+        logger.warn(`Failed to clear cache for ${name}: ${(0, import_errors.errorMessage)(error)}`);
       }
     });
   }
@@ -146,9 +141,7 @@ class DlxManifest {
           fs.unlinkSync(this.manifestPath);
         }
       } catch (error) {
-        logger.warn(
-          `Failed to clear all cache: ${error instanceof Error ? error.message : String(error)}`
-        );
+        logger.warn(`Failed to clear all cache: ${(0, import_errors.errorMessage)(error)}`);
       }
     });
   }
@@ -180,9 +173,7 @@ class DlxManifest {
       const data = JSON.parse(content);
       return Object.keys(data);
     } catch (error) {
-      logger.warn(
-        `Failed to get package list: ${error instanceof Error ? error.message : String(error)}`
-      );
+      logger.warn(`Failed to get package list: ${(0, import_errors.errorMessage)(error)}`);
       return [];
     }
   }
@@ -224,9 +215,7 @@ class DlxManifest {
           }
         }
       } catch (error) {
-        logger.warn(
-          `Failed to read existing manifest: ${error instanceof Error ? error.message : String(error)}`
-        );
+        logger.warn(`Failed to read existing manifest: ${(0, import_errors.errorMessage)(error)}`);
       }
       data[name] = record;
       const manifestDir = path.dirname(this.manifestPath);
@@ -234,7 +223,7 @@ class DlxManifest {
         (0, import_fs.safeMkdirSync)(manifestDir, { recursive: true });
       } catch (error) {
         logger.warn(
-          `Failed to create manifest directory: ${error instanceof Error ? error.message : String(error)}`
+          `Failed to create manifest directory: ${(0, import_errors.errorMessage)(error)}`
         );
       }
       const content = JSON.stringify(data, null, 2);

package/dist/dlx/package.js

@@ -43,6 +43,7 @@ __export(package_exports, {
 module.exports = __toCommonJS(package_exports);
 var import_platform = require("../constants/platform");
 var import_socket = require("../constants/socket");
+var import_errors = require("../errors");
 var import_arborist = __toESM(require("../external/@npmcli/arborist"));
 var import_libnpmexec = __toESM(require("../external/libnpmexec"));
 var import_npm_package_arg = __toESM(require("../external/npm-package-arg"));
@@ -62,7 +63,19 @@ const FIREWALL_BLOCK_SEVERITIES = /* @__PURE__ */ new Set([
   "critical",
   "high"
 ]);
+const BINARY_PATH_CACHE_MAX_SIZE = 200;
 const binaryPathCache = /* @__PURE__ */ new Map();
+function binaryPathCacheSet(key, value) {
+  if (binaryPathCache.has(key)) {
+    binaryPathCache.delete(key);
+  } else if (binaryPathCache.size >= BINARY_PATH_CACHE_MAX_SIZE) {
+    const oldest = binaryPathCache.keys().next().value;
+    if (oldest !== void 0) {
+      binaryPathCache.delete(oldest);
+    }
+  }
+  binaryPathCache.set(key, value);
+}
 async function checkFirewallPurls(arb, requestedPackage) {
   const idealTree = arb.idealTree;
   if (!idealTree) {
@@ -264,7 +277,7 @@ Ensure the filesystem is writable or set SOCKET_DLX_DIR to a writable location.`
         await checkFirewallPurls(arb, packageName);
         await arb.reify({ save: true });
       } catch (e) {
-        if (e instanceof Error && e.message.startsWith("Socket Firewall blocked")) {
+        if ((0, import_errors.isError)(e) && e.message.startsWith("Socket Firewall blocked")) {
           throw e;
         }
         const code = e?.code;
@@ -431,6 +444,7 @@ function resolveBinaryPath(basePath) {
   const cached = binaryPathCache.get(basePath);
   if (cached) {
     if (fs.existsSync(cached)) {
+      binaryPathCacheSet(basePath, cached);
       return cached;
     }
     binaryPathCache.delete(basePath);
@@ -439,7 +453,7 @@ function resolveBinaryPath(basePath) {
   for (const ext of extensions) {
     const testPath = basePath + ext;
     if (fs.existsSync(testPath)) {
-      binaryPathCache.set(basePath, testPath);
+      binaryPathCacheSet(basePath, testPath);
       return testPath;
     }
   }

package/dist/env/socket-cli.d.ts

@@ -63,9 +63,10 @@ export declare function getSocketCliApiProxy(): string | undefined;
  */
 export declare function getSocketCliApiTimeout(): number;
 /**
- * Socket CLI API authentication token (alternative name).
- * Checks SOCKET_CLI_API_TOKEN, SOCKET_CLI_API_KEY, SOCKET_SECURITY_API_TOKEN, SOCKET_SECURITY_API_KEY.
- * Maintains full v1.x backward compatibility.
+ * Socket CLI API authentication token.
+ * Checks SOCKET_API_TOKEN (canonical), then the legacy names
+ * SOCKET_CLI_API_TOKEN, SOCKET_CLI_API_KEY, SOCKET_SECURITY_API_TOKEN,
+ * SOCKET_SECURITY_API_KEY. Maintains full v1.x backward compatibility.
  *
  * @returns API token or undefined
  *

package/dist/env/socket-cli.js

@@ -56,7 +56,7 @@ function getSocketCliApiTimeout() {
 }
 // @__NO_SIDE_EFFECTS__
 function getSocketCliApiToken() {
-  return (0, import_rewire.getEnvValue)("SOCKET_CLI_API_TOKEN") || (0, import_rewire.getEnvValue)("SOCKET_CLI_API_KEY") || (0, import_rewire.getEnvValue)("SOCKET_SECURITY_API_TOKEN") || (0, import_rewire.getEnvValue)("SOCKET_SECURITY_API_KEY");
+  return (0, import_rewire.getEnvValue)("SOCKET_API_TOKEN") || (0, import_rewire.getEnvValue)("SOCKET_CLI_API_TOKEN") || (0, import_rewire.getEnvValue)("SOCKET_CLI_API_KEY") || (0, import_rewire.getEnvValue)("SOCKET_SECURITY_API_TOKEN") || (0, import_rewire.getEnvValue)("SOCKET_SECURITY_API_KEY");
 }
 // @__NO_SIDE_EFFECTS__
 function getSocketCliBootstrapCacheDir() {

package/dist/errors.d.ts

@@ -1,6 +1,100 @@
 /**
  * @fileoverview Error utilities with cause chain support.
- * Provides helpers for working with error causes and stack traces.
+ *
+ * Provides:
+ *   - `isError(value)` — cross-realm-safe Error check (ES2025 `Error.isError`
+ *     when available, `@@toStringTag` fallback otherwise).
+ *   - `errorMessage(value)` — read the message (with cause chain) from any
+ *     caught value, falling back to the shared `UNKNOWN_ERROR` sentinel.
+ *   - `errorStack(value)` — read the stack (with cause chain) from any
+ *     caught value, or `undefined` for non-Errors.
+ *
+ * `messageWithCauses` / `stackWithCauses` are re-exported from pony-cause;
+ * a patched copy recognizes cross-realm Errors via `isError`.
  */
+import { UNKNOWN_ERROR } from './constants/core';
 import { messageWithCauses, stackWithCauses } from './external/pony-cause';
-export { messageWithCauses, stackWithCauses };
+export { UNKNOWN_ERROR, messageWithCauses, stackWithCauses };
+/**
+ * Spec-compliant [`Error.isError`](https://tc39.es/ecma262/#sec-error.iserror)
+ * with a fallback shim for engines that don't ship it yet.
+ *
+ * Returns `true` for Errors from any realm (worker threads, vm contexts,
+ * iframes) — things same-realm `instanceof Error` misses. Plain objects
+ * with `name` + `message` properties are **not** recognized.
+ *
+ * @example
+ * try {
+ *   await doWork()
+ * } catch (e) {
+ *   if (isError(e)) {
+ *     logger.error(e.message)
+ *   } else {
+ *     logger.error(String(e))
+ *   }
+ * }
+ */
+/**
+ * `Error.isError` fallback shim — the in-language approximation used
+ * when the native ES2025 method isn't available.
+ *
+ * Exported separately so test suites on engines that ship the native
+ * method can still exercise the shim branch directly. Consumers should
+ * prefer {@link isError}, which picks the native method when present.
+ */
+export declare function isErrorShim(value: unknown): value is Error;
+/**
+ * Reference to the native ES2025 `Error.isError` when the running
+ * engine ships it, otherwise `undefined`. Exposed separately so tests
+ * and callers can detect the fast-path without re-probing.
+ */
+export declare const isErrorBuiltin: ((value: unknown) => value is Error) | undefined;
+/**
+ * Prefer the native ES2025 `Error.isError` when available (exact
+ * `[[ErrorData]]` slot check, cross-realm-safe); fall back to
+ * {@link isErrorShim} otherwise.
+ */
+export declare const isError: (value: unknown) => value is Error;
+/**
+ * Narrow a caught value to a Node.js `ErrnoException` — an Error with a
+ * `.code` string set by libuv/syscall failures (e.g. `'ENOENT'`,
+ * `'EACCES'`, `'EBUSY'`, `'EPERM'`). Cross-realm safe (builds on
+ * {@link isError}), and checks that `code` is a string so a merely
+ * branded Error without a real errno code returns `false`.
+ *
+ * @example
+ * try {
+ *   await fsPromises.readFile(path)
+ * } catch (e) {
+ *   if (isErrnoException(e) && e.code === 'ENOENT') {
+ *     // … retry, or return default …
+ *   } else {
+ *     throw e
+ *   }
+ * }
+ */
+export declare function isErrnoException(value: unknown): value is NodeJS.ErrnoException;
+/**
+ * Extract a human-readable message from any caught value.
+ *
+ * Walks the `cause` chain for Errors (via {@link messageWithCauses});
+ * coerces primitives and objects to string; returns
+ * {@link UNKNOWN_ERROR} for `null`, `undefined`, empty strings,
+ * `[object Object]`, or Errors with no message.
+ *
+ * @example
+ * try {
+ *   await readConfig(path)
+ * } catch (e) {
+ *   throw new Error(`Failed to read ${path}: ${errorMessage(e)}`, { cause: e })
+ * }
+ */
+export declare function errorMessage(value: unknown): string;
+/**
+ * Extract a stack trace (with causes) from any caught value.
+ *
+ * Returns the cause-aware stack via {@link stackWithCauses} for Errors;
+ * returns `undefined` for non-Error values, so callers can
+ * `logger.error(msg, { stack: errorStack(e) })` safely.
+ */
+export declare function errorStack(value: unknown): string | undefined;

package/dist/errors.js

@@ -20,13 +20,68 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var errors_exports = {};
 __export(errors_exports, {
+  UNKNOWN_ERROR: () => import_core.UNKNOWN_ERROR,
+  errorMessage: () => errorMessage,
+  errorStack: () => errorStack,
+  isErrnoException: () => isErrnoException,
+  isError: () => isError,
+  isErrorBuiltin: () => isErrorBuiltin,
+  isErrorShim: () => isErrorShim,
   messageWithCauses: () => import_pony_cause.messageWithCauses,
   stackWithCauses: () => import_pony_cause.stackWithCauses
 });
 module.exports = __toCommonJS(errors_exports);
+var import_core = require("./constants/core");
 var import_pony_cause = require("./external/pony-cause");
+const ObjectPrototypeToString = Object.prototype.toString;
+const ReflectApply = Reflect.apply;
+function isErrorShim(value) {
+  if (value === null || typeof value !== "object") {
+    return false;
+  }
+  return ReflectApply(ObjectPrototypeToString, value, []) === "[object Error]";
+}
+const isErrorBuiltin = Error.isError;
+const isError = isErrorBuiltin ?? isErrorShim;
+function isErrnoException(value) {
+  if (!isError(value)) {
+    return false;
+  }
+  const code = value.code;
+  if (typeof code !== "string" || code.length === 0) {
+    return false;
+  }
+  const first = code.charCodeAt(0);
+  return first >= 65 && first <= 90;
+}
+function errorMessage(value) {
+  if (isError(value)) {
+    return (0, import_pony_cause.messageWithCauses)(value) || import_core.UNKNOWN_ERROR;
+  }
+  if (value === null || value === void 0) {
+    return import_core.UNKNOWN_ERROR;
+  }
+  const s = String(value);
+  if (s === "" || s === "[object Object]") {
+    return import_core.UNKNOWN_ERROR;
+  }
+  return s;
+}
+function errorStack(value) {
+  if (isError(value)) {
+    return (0, import_pony_cause.stackWithCauses)(value);
+  }
+  return void 0;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  UNKNOWN_ERROR,
+  errorMessage,
+  errorStack,
+  isErrnoException,
+  isError,
+  isErrorBuiltin,
+  isErrorShim,
   messageWithCauses,
   stackWithCauses
 });

package/dist/external/pony-cause.js

@@ -11,9 +11,9 @@ var __commonJS = (cb, mod) => function __require() {
   return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
 };
 
-// node_modules/.pnpm/pony-cause@2.1.11/node_modules/pony-cause/lib/error-with-cause.js
+// node_modules/.pnpm/pony-cause@2.1.11_patch_hash=39b2eb2567818b7c60126d03e252dbbabd8738082fca850582300d45b0a8cfb8/node_modules/pony-cause/lib/error-with-cause.js
 var require_error_with_cause = __commonJS({
-  "node_modules/.pnpm/pony-cause@2.1.11/node_modules/pony-cause/lib/error-with-cause.js"(exports2, module2) {
+  "node_modules/.pnpm/pony-cause@2.1.11_patch_hash=39b2eb2567818b7c60126d03e252dbbabd8738082fca850582300d45b0a8cfb8/node_modules/pony-cause/lib/error-with-cause.js"(exports2, module2) {
     "use strict";
     var ErrorWithCause = class _ErrorWithCause extends Error {
       static {
@@ -41,13 +41,14 @@ var require_error_with_cause = __commonJS({
   }
 });
 
-// node_modules/.pnpm/pony-cause@2.1.11/node_modules/pony-cause/lib/helpers.js
+// node_modules/.pnpm/pony-cause@2.1.11_patch_hash=39b2eb2567818b7c60126d03e252dbbabd8738082fca850582300d45b0a8cfb8/node_modules/pony-cause/lib/helpers.js
 var require_helpers = __commonJS({
-  "node_modules/.pnpm/pony-cause@2.1.11/node_modules/pony-cause/lib/helpers.js"(exports2, module2) {
+  "node_modules/.pnpm/pony-cause@2.1.11_patch_hash=39b2eb2567818b7c60126d03e252dbbabd8738082fca850582300d45b0a8cfb8/node_modules/pony-cause/lib/helpers.js"(exports2, module2) {
     "use strict";
+    var isError = typeof Error.isError === "function" ? Error.isError : (v) => v !== null && typeof v === "object" && Object.prototype.toString.call(v) === "[object Error]";
     var findCauseByReference = /* @__PURE__ */ __name((err, reference) => {
       if (!err || !reference) return;
-      if (!(err instanceof Error)) return;
+      if (!isError(err)) return;
       if (!(reference.prototype instanceof Error) && // @ts-ignore
       reference !== Error) return;
       const seen = /* @__PURE__ */ new Set();
@@ -66,13 +67,13 @@ var require_helpers = __commonJS({
       }
       if (typeof err.cause === "function") {
         const causeResult = err.cause();
-        return causeResult instanceof Error ? causeResult : void 0;
+        return isError(causeResult) ? causeResult : void 0;
       } else {
-        return err.cause instanceof Error ? err.cause : void 0;
+        return isError(err.cause) ? err.cause : void 0;
       }
     }, "getErrorCause");
     var _stackWithCauses = /* @__PURE__ */ __name((err, seen) => {
-      if (!(err instanceof Error)) return "";
+      if (!isError(err)) return "";
       const stack = err.stack || "";
       if (seen.has(err)) {
         return stack + "\ncauses have become circular...";
@@ -87,7 +88,7 @@ var require_helpers = __commonJS({
     }, "_stackWithCauses");
     var stackWithCauses = /* @__PURE__ */ __name((err) => _stackWithCauses(err, /* @__PURE__ */ new Set()), "stackWithCauses");
     var _messageWithCauses = /* @__PURE__ */ __name((err, seen, skip) => {
-      if (!(err instanceof Error)) return "";
+      if (!isError(err)) return "";
       const message = skip ? "" : err.message || "";
       if (seen.has(err)) {
         return message + ": ...";
@@ -116,9 +117,9 @@ var require_helpers = __commonJS({
   }
 });
 
-// node_modules/.pnpm/pony-cause@2.1.11/node_modules/pony-cause/index.js
+// node_modules/.pnpm/pony-cause@2.1.11_patch_hash=39b2eb2567818b7c60126d03e252dbbabd8738082fca850582300d45b0a8cfb8/node_modules/pony-cause/index.js
 var require_pony_cause = __commonJS({
-  "node_modules/.pnpm/pony-cause@2.1.11/node_modules/pony-cause/index.js"(exports2, module2) {
+  "node_modules/.pnpm/pony-cause@2.1.11_patch_hash=39b2eb2567818b7c60126d03e252dbbabd8738082fca850582300d45b0a8cfb8/node_modules/pony-cause/index.js"(exports2, module2) {
     "use strict";
     var { ErrorWithCause } = require_error_with_cause();
     var {

package/dist/fs.js

@@ -167,7 +167,7 @@ async function findUp(name, options) {
   let dir = path.resolve(cwd);
   const { root } = path.parse(dir);
   const names = (0, import_arrays.isArray)(name) ? name : [name];
-  while (dir && dir !== root) {
+  while (dir) {
     for (const n of names) {
       if (signal?.aborted) {
         return void 0;
@@ -184,6 +184,9 @@ async function findUp(name, options) {
       } catch {
       }
     }
+    if (dir === root) {
+      break;
+    }
     dir = path.dirname(dir);
   }
   return void 0;
@@ -210,7 +213,7 @@ function findUpSync(name, options) {
   const { root } = path.parse(dir);
   const stopDir = stopAt ? path.resolve(stopAt) : void 0;
   const names = (0, import_arrays.isArray)(name) ? name : [name];
-  while (dir && dir !== root) {
+  while (dir) {
     if (stopDir && dir === stopDir) {
       for (const n of names) {
         const thePath = path.join(dir, n);
@@ -240,6 +243,9 @@ function findUpSync(name, options) {
       } catch {
       }
     }
+    if (dir === root) {
+      break;
+    }
     dir = path.dirname(dir);
   }
   return void 0;

package/dist/github.js

@@ -45,6 +45,7 @@ var import_node_process = __toESM(require("node:process"));
 var import_cache_with_ttl = require("./cache-with-ttl");
 var import_github = require("./env/github");
 var import_socket_cli = require("./env/socket-cli");
+var import_errors = require("./errors");
 var import_http_request = require("./http-request");
 var import_spawn = require("./spawn");
 const GITHUB_API_BASE_URL = "https://api.github.com";
@@ -80,7 +81,7 @@ async function fetchRefSha(owner, repo, ref, options) {
         return commitData.sha;
       } catch (e) {
         throw new Error(
-          `failed to resolve ref "${ref}" for ${owner}/${repo}: ${e instanceof Error ? e.message : String(e)}`
+          `failed to resolve ref "${ref}" for ${owner}/${repo}: ${(0, import_errors.errorMessage)(e)}`
         );
       }
     }
@@ -165,7 +166,7 @@ async function fetchGitHub(url, options) {
     return JSON.parse(response.body.toString("utf8"));
   } catch (error) {
     throw new Error(
-      `Failed to parse GitHub API response: ${error instanceof Error ? error.message : String(error)}
+      `Failed to parse GitHub API response: ${(0, import_errors.errorMessage)(error)}
 URL: ${url}
 Response may be malformed or incomplete.`,
       { cause: error }

package/dist/globs.js

@@ -91,7 +91,11 @@ function getPicomatch() {
 function getGlobMatcher(glob2, options) {
   const patterns = Array.isArray(glob2) ? glob2 : [glob2];
   const sortedPatterns = [...patterns].sort();
-  const sortedOptions = options ? Object.keys(options).sort().map((k) => `${k}:${JSON.stringify(options[k])}`).join(",") : "";
+  const sortedOptions = options ? Object.keys(options).sort().map((k) => {
+    const value = options[k];
+    const normalized = Array.isArray(value) ? [...value].sort() : value;
+    return `${k}:${JSON.stringify(normalized)}`;
+  }).join(",") : "";
   const key = `${sortedPatterns.join("|")}:${sortedOptions}`;
   const existing = matcherCache.get(key);
   if (existing) {

package/dist/ipc.js

@@ -37,7 +37,7 @@ module.exports = __toCommonJS(ipc_exports);
 var import_node_process = __toESM(require("node:process"));
 var import_typebox = require("./external/@sinclair/typebox");
 var import_socket = require("./paths/socket");
-var import_validate_schema = require("./validation/validate-schema");
+var import_parse = require("./schema/parse");
 const IpcStubSchema = import_typebox.Type.Object({
   /** Process ID that created the stub. */
   pid: import_typebox.Type.Integer({ minimum: 1 }),
@@ -100,7 +100,7 @@ async function writeIpcStub(appName, data) {
     pid: import_node_process.default.pid,
     timestamp: Date.now()
   };
-  const validated = (0, import_validate_schema.parseSchema)(IpcStubSchema, ipcData);
+  const validated = (0, import_parse.parseSchema)(IpcStubSchema, ipcData);
   const fs = /* @__PURE__ */ getFs();
   const flags = fs.constants.O_CREAT | fs.constants.O_WRONLY | fs.constants.O_EXCL | fs.constants.O_NOFOLLOW;
   let handle;

package/dist/json/edit.js

@@ -35,6 +35,7 @@ __export(edit_exports, {
 module.exports = __toCommonJS(edit_exports);
 var import_node_process = __toESM(require("node:process"));
 var import_promises = require("node:timers/promises");
+var import_errors = require("../errors");
 var import_format = require("./format");
 const identSymbol = import_format.INDENT_SYMBOL;
 const newlineSymbol = import_format.NEWLINE_SYMBOL;
@@ -59,7 +60,7 @@ async function readFile(filepath) {
       return await fsPromises.readFile(filepath, "utf8");
     } catch (err) {
       const isLastAttempt = attempt === maxRetries;
-      const isEnoent = err instanceof Error && "code" in err && err.code === "ENOENT";
+      const isEnoent = (0, import_errors.isErrnoException)(err) && err.code === "ENOENT";
       if (!isEnoent || isLastAttempt) {
         throw err;
       }
@@ -92,7 +93,7 @@ async function retryWrite(filepath, content, retries = 3, baseDelay = 10) {
       return;
     } catch (err) {
       const isLastAttempt = attempt === retries;
-      const isRetriableError = err instanceof Error && "code" in err && (err.code === "EPERM" || err.code === "EBUSY" || err.code === "ENOENT");
+      const isRetriableError = (0, import_errors.isErrnoException)(err) && (err.code === "EPERM" || err.code === "EBUSY" || err.code === "ENOENT");
       if (!isRetriableError || isLastAttempt) {
         throw err;
       }

package/dist/json/parse.d.ts

@@ -1,8 +1,11 @@
 /**
  * @fileoverview JSON parsing utilities with Buffer detection and BOM stripping.
- * Provides safe JSON parsing with automatic encoding handling.
+ * Provides safe JSON parsing with automatic encoding handling, plus
+ * `safeJsonParse` for untrusted input (prototype-pollution protection +
+ * size limits + optional schema validation).
  */
-import type { JsonParseOptions, JsonPrimitive, JsonValue } from './types';
+import type { Schema } from '../schema/types';
+import type { JsonParseOptions, JsonPrimitive, JsonValue, SafeJsonParseOptions } from './types';
 /**
  * Check if a value is a JSON primitive type.
  * JSON primitives are: `null`, `boolean`, `number`, or `string`.
@@ -76,3 +79,45 @@ export declare function isJsonPrimitive(value: unknown): value is JsonPrimitive;
  * ```
  */
 export declare function jsonParse(content: string | Buffer, options?: JsonParseOptions | undefined): JsonValue | undefined;
+/**
+ * Safely parse JSON with optional schema validation and security controls.
+ * Throws on parse failure, validation failure, or security violation.
+ *
+ * Recommended for parsing untrusted JSON (user input, network payloads,
+ * anything beyond a trust boundary). Layers:
+ * 1. Size cap (default 10 MB) prevents memory exhaustion.
+ * 2. Prototype-pollution reviver rejects `__proto__` / `constructor` /
+ *    `prototype` keys at any depth (unless `allowPrototype: true`).
+ * 3. Optional Zod-shaped schema validation via
+ *    `@socketsecurity/lib/schema/validate`.
+ *
+ * For trusted-source reads (package.json, local config files), prefer
+ * `jsonParse()` — it offers Buffer/BOM handling and filepath-aware error
+ * messages, without the untrusted-input overhead.
+ *
+ * @throws {Error} When `jsonString` exceeds `maxSize`.
+ * @throws {Error} When JSON parsing fails.
+ * @throws {Error} When prototype-pollution keys are detected (and
+ *   `allowPrototype` is not `true`).
+ * @throws {Error} When schema validation fails.
+ *
+ * @example
+ * ```ts
+ * // Basic parsing with type inference.
+ * const data = safeJsonParse<User>('{"name":"Alice","age":30}')
+ *
+ * // With schema validation.
+ * import { z } from 'zod'
+ * const userSchema = z.object({ name: z.string(), age: z.number() })
+ * const user = safeJsonParse('{"name":"Alice","age":30}', userSchema)
+ *
+ * // With size limit.
+ * const data = safeJsonParse(jsonString, undefined, { maxSize: 1024 })
+ *
+ * // Allow prototype keys (DANGEROUS — only for trusted sources).
+ * const data = safeJsonParse('{"__proto__":{}}', undefined, {
+ *   allowPrototype: true,
+ * })
+ * ```
+ */
+export declare function safeJsonParse<T = unknown>(jsonString: string, schema?: Schema<T> | undefined, options?: SafeJsonParseOptions): T;