@socketsecurity/lib 5.20.1 → 5.23.0

package/dist/regexps.js

@@ -23,10 +23,67 @@ __export(regexps_exports, {
   escapeRegExp: () => escapeRegExp
 });
 module.exports = __toCommonJS(regexps_exports);
-// @__NO_SIDE_EFFECTS__
-function escapeRegExp(str) {
-  return str.replace(/[\\|{}()[\]^$+*?.]/g, "\\$&");
+const SYNTAX_CHARACTERS = new Set("^$\\.*+?()[]{}|/");
+const CONTROL_ESCAPES = /* @__PURE__ */ new Map([
+  [9, "\\t"],
+  [10, "\\n"],
+  [11, "\\v"],
+  [12, "\\f"],
+  [13, "\\r"]
+]);
+const OTHER_PUNCTUATORS = new Set(",-=<>#&!%:;@~'`\"");
+function isSpecHexEscapeCp(cp) {
+  if (OTHER_PUNCTUATORS.has(String.fromCodePoint(cp))) {
+    return true;
+  }
+  if (cp === 10 || cp === 13 || cp === 8232 || cp === 8233) {
+    return true;
+  }
+  if (cp === 9 || cp === 11 || cp === 12 || cp === 32 || cp === 160 || cp === 65279) {
+    return true;
+  }
+  if (cp >= 55296 && cp <= 57343) {
+    return true;
+  }
+  return false;
+}
+function hex2(n) {
+  return n.toString(16).padStart(2, "0");
+}
+function hex4(n) {
+  return n.toString(16).padStart(4, "0");
+}
+function escapeRegExpFallback(str) {
+  let out = "";
+  let isFirst = true;
+  for (const char of str) {
+    const cp = char.codePointAt(0);
+    if (isFirst && (cp >= 48 && cp <= 57 || cp >= 65 && cp <= 90 || cp >= 97 && cp <= 122)) {
+      out += "\\x" + hex2(cp);
+    } else if (SYNTAX_CHARACTERS.has(char)) {
+      out += "\\" + char;
+    } else {
+      const ctrl = CONTROL_ESCAPES.get(cp);
+      if (ctrl !== void 0) {
+        out += ctrl;
+      } else if (isSpecHexEscapeCp(cp)) {
+        if (cp <= 255) {
+          out += "\\x" + hex2(cp);
+        } else {
+          for (let i = 0; i < char.length; i++) {
+            out += "\\u" + hex4(char.charCodeAt(i));
+          }
+        }
+      } else {
+        out += char;
+      }
+    }
+    isFirst = false;
+  }
+  return out;
 }
+const maybeNativeEscape = RegExp.escape;
+const escapeRegExp = typeof maybeNativeEscape === "function" ? maybeNativeEscape : escapeRegExpFallback;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   escapeRegExp

package/dist/releases/github.js

@@ -43,6 +43,7 @@ module.exports = __toCommonJS(github_exports);
 var import_node_process = __toESM(require("node:process"));
 var import_picomatch = __toESM(require("../external/picomatch"));
 var import_archives = require("../archives");
+var import_errors = require("../errors");
 var import_fs = require("../fs");
 var import_http_request = require("../http-request");
 var import_logger = require("../logger");
@@ -341,7 +342,7 @@ async function getLatestRelease(toolPrefix, repoConfig, options = {}) {
             `Retry attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} for ${toolPrefix} release...`
           );
           logger.warn(
-            `Attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} failed: ${error instanceof Error ? error.message : String(error)}`
+            `Attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} failed: ${(0, import_errors.errorMessage)(error)}`
           );
         }
         return void 0;
@@ -395,7 +396,7 @@ async function getReleaseAssetUrl(tag, assetPattern, repoConfig, options = {}) {
             `Retry attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} for asset URL...`
           );
           logger.warn(
-            `Attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} failed: ${error instanceof Error ? error.message : String(error)}`
+            `Attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} failed: ${(0, import_errors.errorMessage)(error)}`
           );
         }
         return void 0;

package/dist/releases/socket-btm.d.ts

@@ -126,18 +126,74 @@ export declare function getBinaryAssetName(binaryBaseName: string, platform: Pla
  */
 export declare function getBinaryName(binaryBaseName: string, platform: Platform): string;
 /**
- * Get platform-arch identifier for directory structure.
- * Uses 'win' instead of 'win32' for file/folder names.
+ * Get platform-arch identifier for directory structure and asset names.
+ *
+ * # Format: `<os>-<arch>[-<libc>]`
+ *
+ * The OS segment is `process.platform` verbatim: `darwin` / `linux` /
+ * `win32`. The arch segment is `process.arch` verbatim: `x64` / `arm64`.
+ * The optional libc suffix is `-musl` (Linux only; the glibc default is
+ * unsuffixed to match Node.js's own linuxstatic convention).
+ *
+ * # Why these specific conventions
+ *
+ * ## Why `win32`, not `win`
+ *
+ * `win32` is what `process.platform` returns on every Windows host. Every
+ * npm package whose install-time platform filter uses the standard
+ * `os` / `cpu` / `libc` manifest fields must match `process.platform`
+ * strings exactly (npm compares them verbatim — there's no shorthand
+ * layer). Using `win` internally here would have forced a translation
+ * every time we constructed an install filter or a target triple, and
+ * reviewers would have to remember "we abbreviate on disk but not in
+ * package filters." Since the two now match, there's no translation
+ * step to get wrong.
+ *
+ * pnpm's pack-app (v11+) accepts `<os>-<arch>[-<libc>]` target strings
+ * and its shards are `@pnpm/exe.<os>-<arch>` (with `win32`, not `win` —
+ * see pnpm#11314). Our naming matches so asset names we emit can flow
+ * directly into pack-app's `--target` arg, `pnpm.app.targets` config,
+ * and sibling-package-name construction without a translation map.
+ *
+ * ## Why `-musl` is the suffix (and glibc is unsuffixed)
+ *
+ * Node.js's own linuxstatic tarballs historically used the unqualified
+ * `linux` for glibc and a separate download channel for musl. The pnpm
+ * ecosystem codified that as `linux-<arch>` (glibc, default) and
+ * `linux-<arch>-musl` (the libc outlier), matching the asymmetric
+ * reality of Linux distros — glibc is the majority case, musl is
+ * Alpine-and-similar. Adding `-glibc` for the default would be
+ * redundant noise in the name.
+ *
+ * ## Why libc is only appended for Linux
+ *
+ * macOS and Windows have exactly one system libc each (Apple libSystem,
+ * Microsoft UCRT). A hypothetical `darwin-arm64-libsystem` conveys no
+ * information. Node.js, npm, and pnpm all treat libc as a Linux-only
+ * axis; we follow the same convention so callers don't have to special-
+ * case `'darwin-arm64'.startsWith('darwin-arm64')` style matches.
+ *
+ * ## Why this function exists at all (vs. inlining)
+ *
+ * Two upstream APIs that socket-btm consumers end up calling — the
+ * npm manifest filter (`os`/`cpu`/`libc`) and pnpm's pack-app
+ * `--target` — both need the exact same triple format. Centralizing
+ * the construction here means a future schema change (e.g. Node
+ * introducing `riscv64`) gets one edit, and the error message for an
+ * unsupported platform is uniform across downloaders, pack-app
+ * invocations, and the `@socketbin/*` resolver logic.
  *
  * @param platform - Target platform
  * @param arch - Target architecture
- * @param libc - Linux libc variant (optional)
- * @returns Platform-arch identifier (e.g., 'darwin-arm64', 'linux-x64-musl', 'win-x64')
+ * @param libc - Linux libc variant (optional; non-linux platforms ignore)
+ * @returns Platform-arch identifier (e.g., 'darwin-arm64', 'linux-x64-musl', 'win32-x64')
  *
  * @example
  * ```typescript
  * getPlatformArch('linux', 'x64', 'musl')  // 'linux-x64-musl'
- * getPlatformArch('darwin', 'arm64')  // 'darwin-arm64'
+ * getPlatformArch('darwin', 'arm64')       // 'darwin-arm64'
+ * getPlatformArch('win32', 'x64')          // 'win32-x64'
+ * getPlatformArch('darwin', 'x64', 'musl') // 'darwin-x64' — libc ignored
  * ```
  */
 export declare function getPlatformArch(platform: Platform, arch: Arch, libc?: Libc | undefined): string;

package/dist/releases/socket-btm.js

@@ -38,7 +38,7 @@ const PLATFORM_MAP = {
   __proto__: null,
   darwin: "darwin",
   linux: "linux",
-  win32: "win"
+  win32: "win32"
 };
 const ARCH_MAP = {
   __proto__: null,
@@ -185,7 +185,7 @@ function getBinaryAssetName(binaryBaseName, platform, arch, libc) {
     return `${binaryBaseName}-linux-${mappedArch}${muslSuffix}${ext}`;
   }
   if (platform === "win32") {
-    return `${binaryBaseName}-win-${mappedArch}${ext}`;
+    return `${binaryBaseName}-win32-${mappedArch}${ext}`;
   }
   throw new Error(`Unsupported platform: ${platform}`);
 }

package/dist/schema/parse.d.ts

@@ -0,0 +1,26 @@
+/**
+ * @fileoverview Throwing twin of `validateSchema`.
+ *
+ * Use `parseSchema(schema, data)` for fail-fast trust boundaries (app
+ * startup, config files, internal assertions). Use the non-throwing
+ * `validateSchema` for recoverable input (form fields, API request bodies,
+ * anywhere errors need to surface to a user).
+ *
+ * @example
+ * ```ts
+ * import { z } from 'zod'
+ * import { parseSchema } from '@socketsecurity/lib/schema/parse'
+ *
+ * const Config = z.object({ host: z.string(), port: z.number() })
+ * const config = parseSchema(Config, json)  // throws on invalid
+ * ```
+ */
+import type { Infer } from './types';
+/**
+ * Parse `data` against `schema` and return the validated value.
+ *
+ * @throws {Error} When validation fails. The message lists all issues as
+ *   `path: message, path: message, ...`. Use `validateSchema` if you need
+ *   structured access to the error list.
+ */
+export declare function parseSchema<S>(schema: S, data: unknown): Infer<S>;

package/dist/schema/parse.js

@@ -0,0 +1,38 @@
+"use strict";
+/* Socket Lib - Built with esbuild */
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var parse_exports = {};
+__export(parse_exports, {
+  parseSchema: () => parseSchema
+});
+module.exports = __toCommonJS(parse_exports);
+var import_validate = require("./validate");
+function parseSchema(schema, data) {
+  const result = (0, import_validate.validateSchema)(schema, data);
+  if (result.ok) {
+    return result.value;
+  }
+  const summary = result.errors.map((e) => `${e.path.join(".") || "(root)"}: ${e.message}`).join(", ");
+  throw new Error(`Validation failed: ${summary}`);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  parseSchema
+});

package/dist/schema/types.d.ts

@@ -0,0 +1,121 @@
+/**
+ * @fileoverview Shared types for schema validation.
+ *
+ * `Schema<T>` is the Zod-shaped duck-type contract — any validator with
+ * a `.safeParse(data)` method returning `{ success, data?, error? }`
+ * satisfies it. socket-lib detects Zod (v3 and v4) structurally via this
+ * interface; consumers bring their own Zod.
+ *
+ * `ValidateResult<T>` / `ValidationIssue` / `Infer<S>` / `AnySchema` are
+ * the normalized shapes produced by `@socketsecurity/lib/schema/validate`
+ * and `@socketsecurity/lib/schema/parse`.
+ */
+/**
+ * Result of a Zod-shaped schema's `.safeParse()` call.
+ *
+ * @template T - The expected type of the parsed data
+ */
+export interface ParseResult<T> {
+    /** Indicates whether parsing was successful */
+    success: boolean;
+    /** Parsed and validated data (only present when `success` is `true`) */
+    data?: T | undefined;
+    /** Error information (only present when `success` is `false`) */
+    error?: unknown;
+}
+/**
+ * Zod-shaped duck-type for any validator exposing `safeParse` / `parse`.
+ *
+ * @template T - The expected output type after validation
+ *
+ * @example
+ * ```ts
+ * import { z } from 'zod'
+ *
+ * const userSchema = z.object({ name: z.string(), age: z.number() })
+ *
+ * // Schema satisfies this interface
+ * const schema: Schema<User> = userSchema
+ * const result = schema.safeParse({ name: 'Alice', age: 30 })
+ * ```
+ */
+export interface Schema<T = unknown> {
+    /** Non-throwing parse. */
+    safeParse(data: unknown): ParseResult<T>;
+    /** Throwing parse. */
+    parse(data: unknown): T;
+    /** Optional schema name for debugging. */
+    _name?: string | undefined;
+}
+/**
+ * Internal structural shape of a Zod v4 schema — carries the inferred
+ * output type on `_zod.output`. Used for type-only detection in `Infer<S>`.
+ *
+ * @internal
+ */
+interface ZodV4LikeSchema<O = unknown> {
+    _zod: {
+        output: O;
+    };
+    safeParse(data: unknown): unknown;
+}
+/**
+ * Internal structural shape of a Zod v3 schema — carries the inferred
+ * output type on `_output`. Used for type-only detection in `Infer<S>`.
+ *
+ * @internal
+ */
+interface ZodV3LikeSchema<O = unknown> {
+    _output: O;
+    safeParse(data: unknown): unknown;
+}
+/**
+ * Internal structural shape of a TypeBox `TSchema` — carries the inferred
+ * output type on the phantom `static` field. Only used inside socket-lib
+ * for type-only detection in `Infer<S>`; external callers should pass
+ * Zod schemas.
+ *
+ * @internal
+ */
+interface TypeBoxLikeSchema {
+    static: unknown;
+}
+/**
+ * Any schema kind the validators accept.
+ */
+export type AnySchema = ZodV4LikeSchema<unknown> | ZodV3LikeSchema<unknown> | TypeBoxLikeSchema | Schema<unknown>;
+/**
+ * Infer the validated output type from any supported schema kind.
+ *
+ * Order matters: TypeBox schemas carry a phantom `static` field, so we
+ * check for TypeBox before falling through to Zod and the duck-type.
+ */
+export type Infer<S> = S extends {
+    static: infer Static;
+} ? Static : S extends {
+    _zod: {
+        output: infer O;
+    };
+} ? O : S extends {
+    _output: infer O;
+} ? O : S extends Schema<infer T> ? T : unknown;
+/**
+ * A single normalized validation error.
+ */
+export interface ValidationIssue {
+    /** Array path into the value (e.g. `['user', 'age']`). */
+    path: Array<string | number>;
+    /** Human-readable description of the failure. */
+    message: string;
+}
+/**
+ * Tagged-union result of `validateSchema`. Callers narrow on `ok`.
+ */
+export type ValidateResult<T> = {
+    ok: true;
+    value: T;
+} | {
+    ok: false;
+    errors: ValidationIssue[];
+};
+export {};

package/dist/schema/validate.d.ts

@@ -0,0 +1,35 @@
+/**
+ * @fileoverview Universal schema validator — non-throwing.
+ *
+ * Accepts any Zod-shaped schema (`.safeParse`-exposing) and returns a tagged
+ * result `{ ok: true, value } | { ok: false, errors }` with normalized
+ * `{ path, message }` issues. No runtime dependency on `zod` — detection
+ * is purely structural.
+ *
+ * @internal
+ * socket-lib additionally recognizes TypeBox schemas for its own internal
+ * use (e.g. `src/ipc.ts`'s stub-file validation). That path is not a
+ * supported consumer API.
+ *
+ * @example
+ * ```ts
+ * import { z } from 'zod'
+ * import { validateSchema } from '@socketsecurity/lib/schema/validate'
+ *
+ * const User = z.object({ name: z.string() })
+ * const r = validateSchema(User, data)
+ * if (r.ok) r.value.name // string
+ * else r.errors           // ValidationIssue[]
+ * ```
+ */
+import type { Infer, ValidateResult } from './types';
+/**
+ * Validate `data` against a Zod-style `schema`. Non-throwing.
+ *
+ * The return type narrows `value` to `Infer<S>`, so callers get
+ * `z.infer<typeof S>` with no casts. Errors are normalized to
+ * `{ path, message }` regardless of the underlying validator.
+ *
+ * @throws {TypeError} When `schema` is not a recognized validator kind.
+ */
+export declare function validateSchema<S>(schema: S, data: unknown): ValidateResult<Infer<S>>;

package/dist/{validation/validate-schema.js → schema/validate.js}

@@ -18,12 +18,11 @@ var __copyProps = (to, from, except, desc) => {
   return to;
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var validate_schema_exports = {};
-__export(validate_schema_exports, {
-  parseSchema: () => parseSchema,
+var validate_exports = {};
+__export(validate_exports, {
   validateSchema: () => validateSchema
 });
-module.exports = __toCommonJS(validate_schema_exports);
+module.exports = __toCommonJS(validate_exports);
 function isTypeBoxSchema(schema) {
   if (schema === null || typeof schema !== "object") {
     return false;
@@ -90,19 +89,10 @@ function validateSchema(schema, data) {
     };
   }
   throw new TypeError(
-    "validateSchema: unsupported schema kind. Expected a TypeBox schema, a Zod schema, or an object with a safeParse method."
+    "validateSchema: unsupported schema kind. Expected a Zod schema or an object with a safeParse method."
   );
 }
-function parseSchema(schema, data) {
-  const result = validateSchema(schema, data);
-  if (result.ok) {
-    return result.value;
-  }
-  const summary = result.errors.map((e) => `${e.path.join(".") || "(root)"}: ${e.message}`).join(", ");
-  throw new Error(`Validation failed: ${summary}`);
-}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  parseSchema,
   validateSchema
 });

package/dist/suppress-warnings.js

@@ -95,7 +95,6 @@ function suppressWarningType(warningType) {
 }
 async function withSuppressedWarnings(warningType, callback) {
   const wasAlreadySuppressed = suppressedWarnings.has(warningType);
-  const original = import_node_process.default.emitWarning;
   suppressWarningType(warningType);
   try {
     return await callback();
@@ -103,7 +102,6 @@ async function withSuppressedWarnings(warningType, callback) {
     if (!wasAlreadySuppressed) {
       suppressedWarnings.delete(warningType);
     }
-    import_node_process.default.emitWarning = original;
   }
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/url.js

@@ -73,7 +73,11 @@ function urlSearchParamAsBoolean(value, options) {
   };
   if (typeof value === "string") {
     const trimmed = value.trim();
-    return trimmed === "1" || trimmed.toLowerCase() === "true";
+    if (trimmed === "") {
+      return !!defaultValue;
+    }
+    const lowered = trimmed.toLowerCase();
+    return lowered === "1" || lowered === "true" || lowered === "yes" || lowered === "on";
   }
   if (value === null || value === void 0) {
     return !!defaultValue;

package/dist/versions.js

@@ -111,11 +111,11 @@ function isValidVersion(version) {
 }
 function maxVersion(versions) {
   const semver = getSemver();
-  return semver.maxSatisfying(versions, "*") || void 0;
+  return semver.maxSatisfying(versions, "*", { includePrerelease: true }) || void 0;
 }
 function minVersion(versions) {
   const semver = getSemver();
-  return semver.minSatisfying(versions, "*") || void 0;
+  return semver.minSatisfying(versions, "*", { includePrerelease: true }) || void 0;
 }
 function parseVersion(version) {
   const semver = getSemver();

package/dist/words.js

@@ -27,18 +27,15 @@ __export(words_exports, {
 module.exports = __toCommonJS(words_exports);
 // @__NO_SIDE_EFFECTS__
 function capitalize(word) {
-  const { length } = word;
-  if (length === 0) {
+  if (word.length === 0) {
     return word;
   }
-  if (length === 1) {
-    return word.toUpperCase();
-  }
-  return `${word.charAt(0).toUpperCase()}${word.slice(1).toLowerCase()}`;
+  const [first, ...rest] = [...word];
+  return (first ?? "").toUpperCase() + rest.join("").toLowerCase();
 }
 // @__NO_SIDE_EFFECTS__
 function determineArticle(word) {
-  return /^[aeiou]/.test(word) ? "an" : "a";
+  return /^[aeiou]/i.test(word) ? "an" : "a";
 }
 // @__NO_SIDE_EFFECTS__
 function pluralize(word, options) {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.20.1",
-  "packageManager": "pnpm@11.0.0-rc.2",
+  "version": "5.23.0",
+  "packageManager": "pnpm@11.0.0-rc.5",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
   "keywords": [
@@ -547,6 +547,18 @@
       "types": "./dist/releases/socket-btm.d.ts",
       "default": "./dist/releases/socket-btm.js"
     },
+    "./schema/parse": {
+      "types": "./dist/schema/parse.d.ts",
+      "default": "./dist/schema/parse.js"
+    },
+    "./schema/types": {
+      "types": "./dist/schema/types.d.ts",
+      "default": "./dist/schema/types.js"
+    },
+    "./schema/validate": {
+      "types": "./dist/schema/validate.d.ts",
+      "default": "./dist/schema/validate.js"
+    },
     "./sea": {
       "types": "./dist/sea.d.ts",
       "default": "./dist/sea.js"
@@ -655,18 +667,6 @@
       "types": "./dist/url.d.ts",
       "default": "./dist/url.js"
     },
-    "./validation/json-parser": {
-      "types": "./dist/validation/json-parser.d.ts",
-      "default": "./dist/validation/json-parser.js"
-    },
-    "./validation/types": {
-      "types": "./dist/validation/types.d.ts",
-      "default": "./dist/validation/types.js"
-    },
-    "./validation/validate-schema": {
-      "types": "./dist/validation/validate-schema.d.ts",
-      "default": "./dist/validation/validate-schema.js"
-    },
     "./versions": {
       "types": "./dist/versions.d.ts",
       "default": "./dist/versions.js"
@@ -724,7 +724,7 @@
     "@socketregistry/is-unicode-supported": "1.0.5",
     "@socketregistry/packageurl-js": "1.4.2",
     "@socketregistry/yocto-spinner": "1.0.25",
-    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.19.1",
+    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.21.0",
     "@types/node": "24.9.2",
     "@typescript/native-preview": "7.0.0-dev.20260415.1",
     "@vitest/coverage-v8": "4.0.3",

package/dist/validation/json-parser.d.ts

@@ -1,58 +0,0 @@
-/**
- * @fileoverview Safe JSON parsing with validation and security controls.
- * Provides protection against prototype pollution, size limits, and schema
- * validation.
- *
- * Key Features:
- * - Prototype pollution protection: Blocks `__proto__`, `constructor`, and
- *   `prototype` keys via JSON.parse reviver at any depth.
- * - Size limits: Configurable maximum JSON string size (default 10MB).
- * - Schema validation: Optional Zod-compatible schema validation.
- * - Memory safety: Prevents memory exhaustion attacks.
- */
-import type { SafeJsonParseOptions, Schema } from './types';
-/**
- * Safely parse JSON with optional schema validation and security controls.
- * Throws errors on parse failures, validation failures, or security violations.
- *
- * This is the recommended method for parsing untrusted JSON input as it
- * provides multiple layers of security including prototype pollution
- * protection and size limits.
- *
- * @template T - The expected type of the parsed data
- * @param jsonString - The JSON string to parse
- * @param schema - Optional Zod-compatible schema for validation
- * @param options - Parsing options for security and behavior control
- * @returns The parsed and validated data
- *
- * @throws {Error} When JSON string exceeds `maxSize`.
- * @throws {Error} When JSON parsing fails.
- * @throws {Error} When prototype pollution keys are detected (unless
- *   `allowPrototype` is `true`).
- * @throws {Error} When schema validation fails.
- *
- * @example
- * ```ts
- * // Basic parsing with type inference
- * const data = safeJsonParse<User>('{"name":"Alice","age":30}')
- *
- * // With schema validation
- * import { z } from 'zod'
- * const userSchema = z.object({
- *   name: z.string(),
- *   age: z.number()
- * })
- * const user = safeJsonParse('{"name":"Alice","age":30}', userSchema)
- *
- * // With size limit
- * const data = safeJsonParse(jsonString, undefined, {
- *   maxSize: 1024 * 1024 // 1MB
- * })
- *
- * // Allow prototype keys (DANGEROUS — only for trusted sources)
- * const data = safeJsonParse('{"__proto__": {}}', undefined, {
- *   allowPrototype: true
- * })
- * ```
- */
-export declare function safeJsonParse<T = unknown>(jsonString: string, schema?: Schema<T> | undefined, options?: SafeJsonParseOptions): T;