@socketsecurity/lib 5.21.0 → 5.24.0

package/dist/external/pony-cause.js

@@ -11,9 +11,9 @@ var __commonJS = (cb, mod) => function __require() {
   return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
 };
 
-// node_modules/.pnpm/pony-cause@2.1.11/node_modules/pony-cause/lib/error-with-cause.js
+// node_modules/.pnpm/pony-cause@2.1.11_patch_hash=39b2eb2567818b7c60126d03e252dbbabd8738082fca850582300d45b0a8cfb8/node_modules/pony-cause/lib/error-with-cause.js
 var require_error_with_cause = __commonJS({
-  "node_modules/.pnpm/pony-cause@2.1.11/node_modules/pony-cause/lib/error-with-cause.js"(exports2, module2) {
+  "node_modules/.pnpm/pony-cause@2.1.11_patch_hash=39b2eb2567818b7c60126d03e252dbbabd8738082fca850582300d45b0a8cfb8/node_modules/pony-cause/lib/error-with-cause.js"(exports2, module2) {
     "use strict";
     var ErrorWithCause = class _ErrorWithCause extends Error {
       static {
@@ -41,13 +41,14 @@ var require_error_with_cause = __commonJS({
   }
 });
 
-// node_modules/.pnpm/pony-cause@2.1.11/node_modules/pony-cause/lib/helpers.js
+// node_modules/.pnpm/pony-cause@2.1.11_patch_hash=39b2eb2567818b7c60126d03e252dbbabd8738082fca850582300d45b0a8cfb8/node_modules/pony-cause/lib/helpers.js
 var require_helpers = __commonJS({
-  "node_modules/.pnpm/pony-cause@2.1.11/node_modules/pony-cause/lib/helpers.js"(exports2, module2) {
+  "node_modules/.pnpm/pony-cause@2.1.11_patch_hash=39b2eb2567818b7c60126d03e252dbbabd8738082fca850582300d45b0a8cfb8/node_modules/pony-cause/lib/helpers.js"(exports2, module2) {
     "use strict";
+    var isError = typeof Error.isError === "function" ? Error.isError : (v) => v !== null && typeof v === "object" && Object.prototype.toString.call(v) === "[object Error]";
     var findCauseByReference = /* @__PURE__ */ __name((err, reference) => {
       if (!err || !reference) return;
-      if (!(err instanceof Error)) return;
+      if (!isError(err)) return;
       if (!(reference.prototype instanceof Error) && // @ts-ignore
       reference !== Error) return;
       const seen = /* @__PURE__ */ new Set();
@@ -66,13 +67,13 @@ var require_helpers = __commonJS({
       }
       if (typeof err.cause === "function") {
         const causeResult = err.cause();
-        return causeResult instanceof Error ? causeResult : void 0;
+        return isError(causeResult) ? causeResult : void 0;
       } else {
-        return err.cause instanceof Error ? err.cause : void 0;
+        return isError(err.cause) ? err.cause : void 0;
       }
     }, "getErrorCause");
     var _stackWithCauses = /* @__PURE__ */ __name((err, seen) => {
-      if (!(err instanceof Error)) return "";
+      if (!isError(err)) return "";
       const stack = err.stack || "";
       if (seen.has(err)) {
         return stack + "\ncauses have become circular...";
@@ -87,7 +88,7 @@ var require_helpers = __commonJS({
     }, "_stackWithCauses");
     var stackWithCauses = /* @__PURE__ */ __name((err) => _stackWithCauses(err, /* @__PURE__ */ new Set()), "stackWithCauses");
     var _messageWithCauses = /* @__PURE__ */ __name((err, seen, skip) => {
-      if (!(err instanceof Error)) return "";
+      if (!isError(err)) return "";
       const message = skip ? "" : err.message || "";
       if (seen.has(err)) {
         return message + ": ...";
@@ -116,9 +117,9 @@ var require_helpers = __commonJS({
   }
 });
 
-// node_modules/.pnpm/pony-cause@2.1.11/node_modules/pony-cause/index.js
+// node_modules/.pnpm/pony-cause@2.1.11_patch_hash=39b2eb2567818b7c60126d03e252dbbabd8738082fca850582300d45b0a8cfb8/node_modules/pony-cause/index.js
 var require_pony_cause = __commonJS({
-  "node_modules/.pnpm/pony-cause@2.1.11/node_modules/pony-cause/index.js"(exports2, module2) {
+  "node_modules/.pnpm/pony-cause@2.1.11_patch_hash=39b2eb2567818b7c60126d03e252dbbabd8738082fca850582300d45b0a8cfb8/node_modules/pony-cause/index.js"(exports2, module2) {
     "use strict";
     var { ErrorWithCause } = require_error_with_cause();
     var {

package/dist/github.js

@@ -45,6 +45,7 @@ var import_node_process = __toESM(require("node:process"));
 var import_cache_with_ttl = require("./cache-with-ttl");
 var import_github = require("./env/github");
 var import_socket_cli = require("./env/socket-cli");
+var import_errors = require("./errors");
 var import_http_request = require("./http-request");
 var import_spawn = require("./spawn");
 const GITHUB_API_BASE_URL = "https://api.github.com";
@@ -80,7 +81,7 @@ async function fetchRefSha(owner, repo, ref, options) {
         return commitData.sha;
       } catch (e) {
         throw new Error(
-          `failed to resolve ref "${ref}" for ${owner}/${repo}: ${e instanceof Error ? e.message : String(e)}`
+          `failed to resolve ref "${ref}" for ${owner}/${repo}: ${(0, import_errors.errorMessage)(e)}`
         );
       }
     }
@@ -165,7 +166,7 @@ async function fetchGitHub(url, options) {
     return JSON.parse(response.body.toString("utf8"));
   } catch (error) {
     throw new Error(
-      `Failed to parse GitHub API response: ${error instanceof Error ? error.message : String(error)}
+      `Failed to parse GitHub API response: ${(0, import_errors.errorMessage)(error)}
 URL: ${url}
 Response may be malformed or incomplete.`,
       { cause: error }

package/dist/json/edit.js

@@ -35,6 +35,7 @@ __export(edit_exports, {
 module.exports = __toCommonJS(edit_exports);
 var import_node_process = __toESM(require("node:process"));
 var import_promises = require("node:timers/promises");
+var import_errors = require("../errors");
 var import_format = require("./format");
 const identSymbol = import_format.INDENT_SYMBOL;
 const newlineSymbol = import_format.NEWLINE_SYMBOL;
@@ -59,7 +60,7 @@ async function readFile(filepath) {
       return await fsPromises.readFile(filepath, "utf8");
     } catch (err) {
       const isLastAttempt = attempt === maxRetries;
-      const isEnoent = err instanceof Error && "code" in err && err.code === "ENOENT";
+      const isEnoent = (0, import_errors.isErrnoException)(err) && err.code === "ENOENT";
       if (!isEnoent || isLastAttempt) {
         throw err;
       }
@@ -92,7 +93,7 @@ async function retryWrite(filepath, content, retries = 3, baseDelay = 10) {
       return;
     } catch (err) {
       const isLastAttempt = attempt === retries;
-      const isRetriableError = err instanceof Error && "code" in err && (err.code === "EPERM" || err.code === "EBUSY" || err.code === "ENOENT");
+      const isRetriableError = (0, import_errors.isErrnoException)(err) && (err.code === "EPERM" || err.code === "EBUSY" || err.code === "ENOENT");
       if (!isRetriableError || isLastAttempt) {
         throw err;
       }

package/dist/packages/isolation.js

@@ -35,6 +35,7 @@ __export(isolation_exports, {
 module.exports = __toCommonJS(isolation_exports);
 var import_npm_package_arg = __toESM(require("../external/npm-package-arg"));
 var import_platform = require("../constants/platform");
+var import_errors = require("../errors");
 var import_normalize = require("../paths/normalize");
 var import_socket = require("../paths/socket");
 var import_spawn = require("../spawn");
@@ -69,10 +70,9 @@ async function mergePackageJson(pkgJsonPath, originalPkgJson) {
   try {
     pkgJson = JSON.parse(await fs.promises.readFile(pkgJsonPath, "utf8"));
   } catch (error) {
-    throw new Error(
-      `Failed to parse ${pkgJsonPath}: ${error instanceof Error ? error.message : String(error)}`,
-      { cause: error }
-    );
+    throw new Error(`Failed to parse ${pkgJsonPath}: ${(0, import_errors.errorMessage)(error)}`, {
+      cause: error
+    });
   }
   const mergedPkgJson = originalPkgJson ? { ...originalPkgJson, ...pkgJson } : pkgJson;
   return mergedPkgJson;

package/dist/performance.js

@@ -44,6 +44,7 @@ __export(performance_exports, {
 module.exports = __toCommonJS(performance_exports);
 var import_node_process = __toESM(require("node:process"));
 var import_debug = require("./debug");
+var import_errors = require("./errors");
 const performanceMetrics = [];
 function isPerfEnabled() {
   return import_node_process.default.env["DEBUG"]?.includes("perf") || false;
@@ -128,7 +129,7 @@ async function measure(operation, fn, metadata) {
   } catch (e) {
     stop({
       success: false,
-      error: e instanceof Error ? e.message : "Unknown"
+      error: (0, import_errors.errorMessage)(e)
     });
     throw e;
   }
@@ -143,7 +144,7 @@ function measureSync(operation, fn, metadata) {
   } catch (e) {
     stop({
       success: false,
-      error: e instanceof Error ? e.message : "Unknown"
+      error: (0, import_errors.errorMessage)(e)
     });
     throw e;
   }

package/dist/process-lock.js

@@ -23,6 +23,7 @@ __export(process_lock_exports, {
   processLock: () => processLock
 });
 module.exports = __toCommonJS(process_lock_exports);
+var import_errors = require("./errors");
 var import_fs = require("./fs");
 var import_logger = require("./logger");
 var import_promises = require("./promises");
@@ -87,9 +88,7 @@ class ProcessLockManager {
         fs.utimesSync(lockPath, now, now);
       }
     } catch (error) {
-      logger.warn(
-        `Failed to touch lock ${lockPath}: ${error instanceof Error ? error.message : String(error)}`
-      );
+      logger.warn(`Failed to touch lock ${lockPath}: ${(0, import_errors.errorMessage)(error)}`);
     }
   }
   /**
@@ -277,9 +276,7 @@ To resolve:
       }
       this.activeLocks.delete(lockPath);
     } catch (error) {
-      logger.warn(
-        `Failed to release lock ${lockPath}: ${error instanceof Error ? error.message : String(error)}`
-      );
+      logger.warn(`Failed to release lock ${lockPath}: ${(0, import_errors.errorMessage)(error)}`);
     }
   }
   /**

package/dist/releases/github.js

@@ -43,6 +43,7 @@ module.exports = __toCommonJS(github_exports);
 var import_node_process = __toESM(require("node:process"));
 var import_picomatch = __toESM(require("../external/picomatch"));
 var import_archives = require("../archives");
+var import_errors = require("../errors");
 var import_fs = require("../fs");
 var import_http_request = require("../http-request");
 var import_logger = require("../logger");
@@ -341,7 +342,7 @@ async function getLatestRelease(toolPrefix, repoConfig, options = {}) {
             `Retry attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} for ${toolPrefix} release...`
           );
           logger.warn(
-            `Attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} failed: ${error instanceof Error ? error.message : String(error)}`
+            `Attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} failed: ${(0, import_errors.errorMessage)(error)}`
           );
         }
         return void 0;
@@ -395,7 +396,7 @@ async function getReleaseAssetUrl(tag, assetPattern, repoConfig, options = {}) {
             `Retry attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} for asset URL...`
           );
           logger.warn(
-            `Attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} failed: ${error instanceof Error ? error.message : String(error)}`
+            `Attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} failed: ${(0, import_errors.errorMessage)(error)}`
           );
         }
         return void 0;

package/dist/releases/socket-btm.d.ts

@@ -126,18 +126,74 @@ export declare function getBinaryAssetName(binaryBaseName: string, platform: Pla
  */
 export declare function getBinaryName(binaryBaseName: string, platform: Platform): string;
 /**
- * Get platform-arch identifier for directory structure.
- * Uses 'win' instead of 'win32' for file/folder names.
+ * Get platform-arch identifier for directory structure and asset names.
+ *
+ * # Format: `<os>-<arch>[-<libc>]`
+ *
+ * The OS segment is `process.platform` verbatim: `darwin` / `linux` /
+ * `win32`. The arch segment is `process.arch` verbatim: `x64` / `arm64`.
+ * The optional libc suffix is `-musl` (Linux only; the glibc default is
+ * unsuffixed to match Node.js's own linuxstatic convention).
+ *
+ * # Why these specific conventions
+ *
+ * ## Why `win32`, not `win`
+ *
+ * `win32` is what `process.platform` returns on every Windows host. Every
+ * npm package whose install-time platform filter uses the standard
+ * `os` / `cpu` / `libc` manifest fields must match `process.platform`
+ * strings exactly (npm compares them verbatim — there's no shorthand
+ * layer). Using `win` internally here would have forced a translation
+ * every time we constructed an install filter or a target triple, and
+ * reviewers would have to remember "we abbreviate on disk but not in
+ * package filters." Since the two now match, there's no translation
+ * step to get wrong.
+ *
+ * pnpm's pack-app (v11+) accepts `<os>-<arch>[-<libc>]` target strings
+ * and its shards are `@pnpm/exe.<os>-<arch>` (with `win32`, not `win` —
+ * see pnpm#11314). Our naming matches so asset names we emit can flow
+ * directly into pack-app's `--target` arg, `pnpm.app.targets` config,
+ * and sibling-package-name construction without a translation map.
+ *
+ * ## Why `-musl` is the suffix (and glibc is unsuffixed)
+ *
+ * Node.js's own linuxstatic tarballs historically used the unqualified
+ * `linux` for glibc and a separate download channel for musl. The pnpm
+ * ecosystem codified that as `linux-<arch>` (glibc, default) and
+ * `linux-<arch>-musl` (the libc outlier), matching the asymmetric
+ * reality of Linux distros — glibc is the majority case, musl is
+ * Alpine-and-similar. Adding `-glibc` for the default would be
+ * redundant noise in the name.
+ *
+ * ## Why libc is only appended for Linux
+ *
+ * macOS and Windows have exactly one system libc each (Apple libSystem,
+ * Microsoft UCRT). A hypothetical `darwin-arm64-libsystem` conveys no
+ * information. Node.js, npm, and pnpm all treat libc as a Linux-only
+ * axis; we follow the same convention so callers don't have to special-
+ * case `'darwin-arm64'.startsWith('darwin-arm64')` style matches.
+ *
+ * ## Why this function exists at all (vs. inlining)
+ *
+ * Two upstream APIs that socket-btm consumers end up calling — the
+ * npm manifest filter (`os`/`cpu`/`libc`) and pnpm's pack-app
+ * `--target` — both need the exact same triple format. Centralizing
+ * the construction here means a future schema change (e.g. Node
+ * introducing `riscv64`) gets one edit, and the error message for an
+ * unsupported platform is uniform across downloaders, pack-app
+ * invocations, and the `@socketbin/*` resolver logic.
  *
  * @param platform - Target platform
  * @param arch - Target architecture
- * @param libc - Linux libc variant (optional)
- * @returns Platform-arch identifier (e.g., 'darwin-arm64', 'linux-x64-musl', 'win-x64')
+ * @param libc - Linux libc variant (optional; non-linux platforms ignore)
+ * @returns Platform-arch identifier (e.g., 'darwin-arm64', 'linux-x64-musl', 'win32-x64')
  *
  * @example
  * ```typescript
  * getPlatformArch('linux', 'x64', 'musl')  // 'linux-x64-musl'
- * getPlatformArch('darwin', 'arm64')  // 'darwin-arm64'
+ * getPlatformArch('darwin', 'arm64')       // 'darwin-arm64'
+ * getPlatformArch('win32', 'x64')          // 'win32-x64'
+ * getPlatformArch('darwin', 'x64', 'musl') // 'darwin-x64' — libc ignored
  * ```
  */
 export declare function getPlatformArch(platform: Platform, arch: Arch, libc?: Libc | undefined): string;

package/dist/releases/socket-btm.js

@@ -38,7 +38,7 @@ const PLATFORM_MAP = {
   __proto__: null,
   darwin: "darwin",
   linux: "linux",
-  win32: "win"
+  win32: "win32"
 };
 const ARCH_MAP = {
   __proto__: null,
@@ -185,7 +185,7 @@ function getBinaryAssetName(binaryBaseName, platform, arch, libc) {
     return `${binaryBaseName}-linux-${mappedArch}${muslSuffix}${ext}`;
   }
   if (platform === "win32") {
-    return `${binaryBaseName}-win-${mappedArch}${ext}`;
+    return `${binaryBaseName}-win32-${mappedArch}${ext}`;
   }
   throw new Error(`Unsupported platform: ${platform}`);
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.21.0",
-  "packageManager": "pnpm@11.0.0-rc.2",
+  "version": "5.24.0",
+  "packageManager": "pnpm@11.0.0-rc.5",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
   "keywords": [
@@ -351,10 +351,6 @@
       "types": "./dist/env/socket-cli.d.ts",
       "default": "./dist/env/socket-cli.js"
     },
-    "./env/socket-cli-shadow": {
-      "types": "./dist/env/socket-cli-shadow.d.ts",
-      "default": "./dist/env/socket-cli-shadow.js"
-    },
     "./env/temp-dir": {
       "types": "./dist/env/temp-dir.d.ts",
       "default": "./dist/env/temp-dir.js"
@@ -724,7 +720,7 @@
     "@socketregistry/is-unicode-supported": "1.0.5",
     "@socketregistry/packageurl-js": "1.4.2",
     "@socketregistry/yocto-spinner": "1.0.25",
-    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.20.1",
+    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.23.0",
     "@types/node": "24.9.2",
     "@typescript/native-preview": "7.0.0-dev.20260415.1",
     "@vitest/coverage-v8": "4.0.3",

package/dist/env/socket-cli-shadow.d.ts

@@ -1,77 +0,0 @@
-/**
- * @fileoverview Socket CLI shadow mode environment variables.
- * Provides typed getters for SOCKET_CLI_SHADOW_* environment variables.
- */
-/**
- * Controls Socket CLI shadow mode risk acceptance.
- *
- * @returns Whether to accept all risks in shadow mode
- *
- * @example
- * ```typescript
- * import { getSocketCliShadowAcceptRisks } from '@socketsecurity/lib/env/socket-cli-shadow'
- *
- * if (getSocketCliShadowAcceptRisks()) {
- *   console.log('Shadow mode risks accepted')
- * }
- * ```
- */
-export declare function getSocketCliShadowAcceptRisks(): boolean;
-/**
- * API token for Socket CLI shadow mode.
- *
- * @returns Shadow mode API token or undefined
- *
- * @example
- * ```typescript
- * import { getSocketCliShadowApiToken } from '@socketsecurity/lib/env/socket-cli-shadow'
- *
- * const token = getSocketCliShadowApiToken()
- * // e.g. 'sk_shadow_abc123...' or undefined
- * ```
- */
-export declare function getSocketCliShadowApiToken(): string | undefined;
-/**
- * Binary path for Socket CLI shadow mode.
- *
- * @returns Shadow mode binary path or undefined
- *
- * @example
- * ```typescript
- * import { getSocketCliShadowBin } from '@socketsecurity/lib/env/socket-cli-shadow'
- *
- * const bin = getSocketCliShadowBin()
- * // e.g. '/usr/local/bin/socket-shadow' or undefined
- * ```
- */
-export declare function getSocketCliShadowBin(): string | undefined;
-/**
- * Controls Socket CLI shadow mode progress display.
- *
- * @returns Whether to show progress in shadow mode
- *
- * @example
- * ```typescript
- * import { getSocketCliShadowProgress } from '@socketsecurity/lib/env/socket-cli-shadow'
- *
- * if (getSocketCliShadowProgress()) {
- *   console.log('Shadow mode progress enabled')
- * }
- * ```
- */
-export declare function getSocketCliShadowProgress(): boolean;
-/**
- * Controls Socket CLI shadow mode silent operation.
- *
- * @returns Whether shadow mode should operate silently
- *
- * @example
- * ```typescript
- * import { getSocketCliShadowSilent } from '@socketsecurity/lib/env/socket-cli-shadow'
- *
- * if (getSocketCliShadowSilent()) {
- *   console.log('Shadow mode is silent')
- * }
- * ```
- */
-export declare function getSocketCliShadowSilent(): boolean;

package/dist/env/socket-cli-shadow.js

@@ -1,59 +0,0 @@
-"use strict";
-/* Socket Lib - Built with esbuild */
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var socket_cli_shadow_exports = {};
-__export(socket_cli_shadow_exports, {
-  getSocketCliShadowAcceptRisks: () => getSocketCliShadowAcceptRisks,
-  getSocketCliShadowApiToken: () => getSocketCliShadowApiToken,
-  getSocketCliShadowBin: () => getSocketCliShadowBin,
-  getSocketCliShadowProgress: () => getSocketCliShadowProgress,
-  getSocketCliShadowSilent: () => getSocketCliShadowSilent
-});
-module.exports = __toCommonJS(socket_cli_shadow_exports);
-var import_helpers = require("./helpers");
-var import_rewire = require("./rewire");
-// @__NO_SIDE_EFFECTS__
-function getSocketCliShadowAcceptRisks() {
-  return (0, import_helpers.envAsBoolean)((0, import_rewire.getEnvValue)("SOCKET_CLI_SHADOW_ACCEPT_RISKS"));
-}
-// @__NO_SIDE_EFFECTS__
-function getSocketCliShadowApiToken() {
-  return (0, import_rewire.getEnvValue)("SOCKET_CLI_SHADOW_API_TOKEN");
-}
-// @__NO_SIDE_EFFECTS__
-function getSocketCliShadowBin() {
-  return (0, import_rewire.getEnvValue)("SOCKET_CLI_SHADOW_BIN");
-}
-// @__NO_SIDE_EFFECTS__
-function getSocketCliShadowProgress() {
-  return (0, import_helpers.envAsBoolean)((0, import_rewire.getEnvValue)("SOCKET_CLI_SHADOW_PROGRESS"));
-}
-// @__NO_SIDE_EFFECTS__
-function getSocketCliShadowSilent() {
-  return (0, import_helpers.envAsBoolean)((0, import_rewire.getEnvValue)("SOCKET_CLI_SHADOW_SILENT"));
-}
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  getSocketCliShadowAcceptRisks,
-  getSocketCliShadowApiToken,
-  getSocketCliShadowBin,
-  getSocketCliShadowProgress,
-  getSocketCliShadowSilent
-});