@socketsecurity/lib 5.23.0 → 5.25.0

package/CHANGELOG.md

@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.25.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.25.0) - 2026-04-26
+
+### Added
+
+- `@socketsecurity/lib/primordials` — new public module exposing safe references to ~100 built-in constructors, static methods, and prototype methods captured at module-load time. Mirrors the Node.js-internal primordials convention: static methods retain their name (`ObjectKeys`, `ArrayIsArray`, `JSONParse`, `ReflectApply`); prototype methods are uncurried via `uncurryThis` (`StringPrototypeSlice(str, 0, 3)` instead of `str.slice(0, 3)`); constructors get a `Ctor` suffix (`MapCtor`, `SetCtor`, `ErrorCtor`, …) to avoid shadowing the capital-case global. Library internals migrated to use these helpers so prototype-pollution attacks on the caller realm can't redirect them. Surface includes `Function`, `Math`, and the full Error subclass set (`TypeErrorCtor`, `RangeErrorCtor`, `SyntaxErrorCtor`, `ReferenceErrorCtor`, `URIErrorCtor`, `EvalErrorCtor`, `AggregateErrorCtor`) after audit-driven coverage passes
+
+## [5.24.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.24.0) - 2026-04-22
+
+### Removed
+
+- `@socketsecurity/lib/env/socket-cli-shadow` — deleted. Unused after Socket CLI's shadow infrastructure was removed
+
+### Fixed
+
+- `packPackage()` / `extractPackage()` now work for non-registry specs (local dir/tarball, remote tarball URL, git). The bundled pacote fetchers (`dir.js`, `file.js`, `remote.js`, `git.js`) were over-stubbed and broke every non-registry path
+- `EditablePackageJson.prepare()` no longer throws `git.find is not a function`. `@npmcli/git` is reached from `normalize.gitHead`, not just `arb.audit()`, so it can't be stubbed
+- `packPackage(<dir>)` now runs `prepack` / `postpack` scripts instead of throwing `runScript is not a function`. `@npmcli/run-script` is reachable whenever `ignoreScripts` isn't set
+
 ## [5.23.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.23.0) - 2026-04-22
 
 ### Added

package/dist/archives.js

@@ -212,9 +212,9 @@ async function extractTar(archivePath, outputDir, options = {}) {
   const readStream = (0, import_node_fs.createReadStream)(archivePath);
   try {
     await (0, import_promises.pipeline)(readStream, extractStream);
-  } catch (error) {
+  } catch (e) {
     readStream.destroy();
-    throw error;
+    throw e;
   }
 }
 async function extractTarGz(archivePath, outputDir, options = {}) {
@@ -304,9 +304,9 @@ async function extractTarGz(archivePath, outputDir, options = {}) {
   const readStream = (0, import_node_fs.createReadStream)(archivePath);
   try {
     await (0, import_promises.pipeline)(readStream, (0, import_node_zlib.createGunzip)(), extractStream);
-  } catch (error) {
+  } catch (e) {
     readStream.destroy();
-    throw error;
+    throw e;
   }
 }
 async function extractZip(archivePath, outputDir, options = {}) {

package/dist/constants/socket.js

@@ -77,7 +77,7 @@ const SOCKET_FIREWALL_APP_NAME = "sfw";
 const SOCKET_REGISTRY_APP_NAME = "registry";
 const SOCKET_APP_PREFIX = "_";
 const SOCKET_LIB_NAME = "@socketsecurity/lib";
-const SOCKET_LIB_VERSION = "5.23.0";
+const SOCKET_LIB_VERSION = "5.25.0";
 const SOCKET_LIB_URL = "https://github.com/SocketDev/socket-lib";
 const SOCKET_LIB_USER_AGENT = `socketsecurity-lib/${SOCKET_LIB_VERSION} (${SOCKET_LIB_URL})`;
 const SOCKET_IPC_HANDSHAKE = "SOCKET_IPC_HANDSHAKE";

package/dist/debug.js

@@ -50,9 +50,9 @@ var import_is_unicode_supported = __toESM(require("./external/@socketregistry/is
 var import_debug2 = __toESM(require("./external/debug"));
 var import_logger = require("./logger");
 var import_objects = require("./objects");
+var import_primordials = require("./primordials");
 var import_spinner = require("./spinner");
 var import_strings = require("./strings");
-const ReflectApply = Reflect.apply;
 const logger = (0, import_logger.getDefaultLogger)();
 const debugByNamespace = /* @__PURE__ */ new Map();
 let _util;
@@ -65,7 +65,7 @@ function customLog(...args) {
     showHidden: import_debug2.default.inspectOpts.showHidden === null ? void 0 : import_debug2.default.inspectOpts.showHidden,
     depth: import_debug2.default.inspectOpts.depth === null || typeof import_debug2.default.inspectOpts.depth === "boolean" ? void 0 : import_debug2.default.inspectOpts.depth
   } : {};
-  ReflectApply(logger.info, logger, [
+  (0, import_primordials.ReflectApply)(logger.info, logger, [
     util.formatWithOptions(inspectOpts, ...args)
   ]);
 }
@@ -189,7 +189,7 @@ function debugCacheNs(namespacesOrOpts, operation, key, meta) {
   const spinnerInstance = options.spinner || (0, import_spinner.getDefaultSpinner)();
   const wasSpinning = spinnerInstance?.isSpinning;
   spinnerInstance?.stop();
-  ReflectApply(logger.info, logger, logArgs);
+  (0, import_primordials.ReflectApply)(logger.info, logger, logArgs);
   if (wasSpinning) {
     spinnerInstance?.start();
   }
@@ -253,7 +253,7 @@ function debugLogNs(namespacesOrOpts, ...args) {
   const spinnerInstance = options.spinner || (0, import_spinner.getDefaultSpinner)();
   const wasSpinning = spinnerInstance?.isSpinning;
   spinnerInstance?.stop();
-  ReflectApply(logger.info, logger, logArgs);
+  (0, import_primordials.ReflectApply)(logger.info, logger, logArgs);
   if (wasSpinning) {
     spinnerInstance?.start();
   }
@@ -285,7 +285,7 @@ function debugNs(namespacesOrOpts, ...args) {
   const spinnerInstance = options.spinner || (0, import_spinner.getDefaultSpinner)();
   const wasSpinning = spinnerInstance?.isSpinning;
   spinnerInstance?.stop();
-  ReflectApply(logger.info, logger, logArgs);
+  (0, import_primordials.ReflectApply)(logger.info, logger, logArgs);
   if (wasSpinning) {
     spinnerInstance?.start();
   }

package/dist/dlx/manifest.js

@@ -79,8 +79,8 @@ class DlxManifest {
         return { __proto__: null };
       }
       return JSON.parse(content);
-    } catch (error) {
-      logger.warn(`Failed to read manifest: ${(0, import_errors.errorMessage)(error)}`);
+    } catch (e) {
+      logger.warn(`Failed to read manifest: ${(0, import_errors.errorMessage)(e)}`);
       return { __proto__: null };
     }
   }
@@ -92,22 +92,22 @@ class DlxManifest {
     const manifestDir = path.dirname(this.manifestPath);
     try {
       (0, import_fs.safeMkdirSync)(manifestDir, { recursive: true });
-    } catch (error) {
-      logger.warn(`Failed to create manifest directory: ${(0, import_errors.errorMessage)(error)}`);
+    } catch (e) {
+      logger.warn(`Failed to create manifest directory: ${(0, import_errors.errorMessage)(e)}`);
     }
     const content = JSON.stringify(data, null, 2);
     const tempPath = `${this.manifestPath}.tmp`;
     try {
       fs.writeFileSync(tempPath, content, "utf8");
       fs.renameSync(tempPath, this.manifestPath);
-    } catch (error) {
+    } catch (e) {
       try {
         if (fs.existsSync(tempPath)) {
           fs.unlinkSync(tempPath);
         }
       } catch {
       }
-      throw error;
+      throw e;
     }
   }
   /**
@@ -126,8 +126,8 @@ class DlxManifest {
         const data = JSON.parse(content);
         delete data[name];
         await this.writeManifest(data);
-      } catch (error) {
-        logger.warn(`Failed to clear cache for ${name}: ${(0, import_errors.errorMessage)(error)}`);
+      } catch (e) {
+        logger.warn(`Failed to clear cache for ${name}: ${(0, import_errors.errorMessage)(e)}`);
       }
     });
   }
@@ -140,8 +140,8 @@ class DlxManifest {
         if (fs.existsSync(this.manifestPath)) {
           fs.unlinkSync(this.manifestPath);
         }
-      } catch (error) {
-        logger.warn(`Failed to clear all cache: ${(0, import_errors.errorMessage)(error)}`);
+      } catch (e) {
+        logger.warn(`Failed to clear all cache: ${(0, import_errors.errorMessage)(e)}`);
       }
     });
   }
@@ -172,8 +172,8 @@ class DlxManifest {
       }
       const data = JSON.parse(content);
       return Object.keys(data);
-    } catch (error) {
-      logger.warn(`Failed to get package list: ${(0, import_errors.errorMessage)(error)}`);
+    } catch (e) {
+      logger.warn(`Failed to get package list: ${(0, import_errors.errorMessage)(e)}`);
       return [];
     }
   }
@@ -214,31 +214,29 @@ class DlxManifest {
             data = JSON.parse(content2);
           }
         }
-      } catch (error) {
-        logger.warn(`Failed to read existing manifest: ${(0, import_errors.errorMessage)(error)}`);
+      } catch (e) {
+        logger.warn(`Failed to read existing manifest: ${(0, import_errors.errorMessage)(e)}`);
       }
       data[name] = record;
       const manifestDir = path.dirname(this.manifestPath);
       try {
         (0, import_fs.safeMkdirSync)(manifestDir, { recursive: true });
-      } catch (error) {
-        logger.warn(
-          `Failed to create manifest directory: ${(0, import_errors.errorMessage)(error)}`
-        );
+      } catch (e) {
+        logger.warn(`Failed to create manifest directory: ${(0, import_errors.errorMessage)(e)}`);
       }
       const content = JSON.stringify(data, null, 2);
       const tempPath = `${this.manifestPath}.tmp`;
       try {
         fs.writeFileSync(tempPath, content, "utf8");
         fs.renameSync(tempPath, this.manifestPath);
-      } catch (error) {
+      } catch (e) {
         try {
           if (fs.existsSync(tempPath)) {
             fs.unlinkSync(tempPath);
           }
         } catch {
         }
-        throw error;
+        throw e;
       }
     });
   }

package/dist/errors.js

@@ -33,13 +33,12 @@ __export(errors_exports, {
 module.exports = __toCommonJS(errors_exports);
 var import_core = require("./constants/core");
 var import_pony_cause = require("./external/pony-cause");
-const ObjectPrototypeToString = Object.prototype.toString;
-const ReflectApply = Reflect.apply;
+var import_primordials = require("./primordials");
 function isErrorShim(value) {
   if (value === null || typeof value !== "object") {
     return false;
   }
-  return ReflectApply(ObjectPrototypeToString, value, []) === "[object Error]";
+  return (0, import_primordials.ObjectPrototypeToString)(value) === "[object Error]";
 }
 const isErrorBuiltin = Error.isError;
 const isError = isErrorBuiltin ?? isErrorShim;

package/dist/external/@npmcli/package-json/lib/read-package.js

@@ -1,3 +1,4 @@
+const { SymbolFor: _p_SymbolFor } = require('../../../../primordials.js')
 "use strict";
 /**
  * Bundled from @npmcli/package-json/lib/read-package.js
@@ -15,8 +16,8 @@ var __commonJS = (cb, mod) => function __require() {
 var require_lib = __commonJS({
   "node_modules/.pnpm/json-parse-even-better-errors@5.0.0/node_modules/json-parse-even-better-errors/lib/index.js"(exports2, module2) {
     "use strict";
-    var INDENT = Symbol.for("indent");
-    var NEWLINE = Symbol.for("newline");
+    var INDENT = _p_SymbolFor("indent");
+    var NEWLINE = _p_SymbolFor("newline");
     var DEFAULT_NEWLINE = "\n";
     var DEFAULT_INDENT = "  ";
     var BOM = /^\uFEFF/;