@socketsecurity/lib 5.26.0 → 5.26.1

package/dist/git.js

@@ -52,13 +52,14 @@ var import_globs = require("./globs");
 var import_normalize = require("./paths/normalize");
 var import_spawn = require("./spawn");
 var import_strings = require("./strings");
+var import_primordials = require("./primordials");
 let _fs;
 let _path;
-const gitDiffCache = /* @__PURE__ */ new Map();
+const gitDiffCache = new import_primordials.MapCtor();
 const GIT_CACHE_MAX_SIZE = 100;
 let _gitPath;
-const realpathCache = /* @__PURE__ */ new Map();
-const gitRootCache = /* @__PURE__ */ new Map();
+const realpathCache = new import_primordials.MapCtor();
+const gitRootCache = new import_primordials.MapCtor();
 function getCachedGitDiff(key) {
   const result = gitDiffCache.get(key);
   if (result) {
@@ -68,7 +69,7 @@ function getCachedGitDiff(key) {
   return result;
 }
 function stableKey(value) {
-  return JSON.stringify(value, (_key, val) => {
+  return (0, import_primordials.JSONStringify)(value, (_key, val) => {
     if (val && typeof val === "object" && !Array.isArray(val)) {
       const sorted = {};
       for (const k of Object.keys(val).sort()) {
@@ -166,7 +167,7 @@ async function innerDiff(args, options) {
       ...args[2],
       stdioString: false
     });
-    const stdout = Buffer.isBuffer(spawnResult.stdout) ? spawnResult.stdout.toString("utf8") : String(spawnResult.stdout);
+    const stdout = (0, import_primordials.BufferIsBuffer)(spawnResult.stdout) ? spawnResult.stdout.toString("utf8") : String(spawnResult.stdout);
     const spawnCwd = typeof args[2]["cwd"] === "string" ? args[2]["cwd"] : void 0;
     result = parseGitDiffStdout(stdout, parseOptions, spawnCwd);
   } catch (e) {
@@ -196,7 +197,7 @@ function innerDiffSync(args, options) {
       ...args[2],
       stdioString: false
     });
-    const stdout = Buffer.isBuffer(spawnResult.stdout) ? spawnResult.stdout.toString("utf8") : String(spawnResult.stdout);
+    const stdout = (0, import_primordials.BufferIsBuffer)(spawnResult.stdout) ? spawnResult.stdout.toString("utf8") : String(spawnResult.stdout);
     const spawnCwd = typeof args[2]["cwd"] === "string" ? args[2]["cwd"] : void 0;
     result = parseGitDiffStdout(stdout, parseOptions, spawnCwd);
   } catch (e) {
@@ -225,7 +226,7 @@ function parseGitDiffStdout(stdout, options, spawnCwd) {
   let rawFiles = stdout ? (0, import_strings.stripAnsi)(stdout).split(/\r?\n/).map((line) => line.trimEnd()).filter((line) => line) : [];
   if (porcelain) {
     rawFiles = rawFiles.map((line) => {
-      return line.length > 3 ? line.substring(3) : line;
+      return line.length > 3 ? (0, import_primordials.StringPrototypeSubstring)(line, 3) : line;
     });
   }
   const files = absolute ? rawFiles.map((relPath2) => (0, import_normalize.normalizePath)(path.join(rootPath, relPath2))) : rawFiles.map((relPath2) => (0, import_normalize.normalizePath)(relPath2));
@@ -324,7 +325,7 @@ async function isChanged(pathname, options) {
   const resolvedPathname = getCachedRealpath(pathname);
   const baseCwd = options?.cwd ? getCachedRealpath(options["cwd"]) : getCwd();
   const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
-  return files.includes(relativePath);
+  return (0, import_primordials.ArrayPrototypeIncludes)(files, relativePath);
 }
 function isChangedSync(pathname, options) {
   const files = getChangedFilesSync({
@@ -337,7 +338,7 @@ function isChangedSync(pathname, options) {
     const resolvedPathname = getCachedRealpath(pathname);
     const baseCwd = options?.cwd ? getCachedRealpath(options["cwd"]) : getCwd();
     const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
-    return files.includes(relativePath);
+    return (0, import_primordials.ArrayPrototypeIncludes)(files, relativePath);
   } catch {
     return false;
   }
@@ -352,7 +353,7 @@ async function isStaged(pathname, options) {
   const resolvedPathname = getCachedRealpath(pathname);
   const baseCwd = options?.cwd ? getCachedRealpath(options["cwd"]) : getCwd();
   const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
-  return files.includes(relativePath);
+  return (0, import_primordials.ArrayPrototypeIncludes)(files, relativePath);
 }
 function isStagedSync(pathname, options) {
   const files = getStagedFilesSync({
@@ -364,7 +365,7 @@ function isStagedSync(pathname, options) {
   const resolvedPathname = getCachedRealpath(pathname);
   const baseCwd = options?.cwd ? getCachedRealpath(options["cwd"]) : getCwd();
   const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
-  return files.includes(relativePath);
+  return (0, import_primordials.ArrayPrototypeIncludes)(files, relativePath);
 }
 async function isUnstaged(pathname, options) {
   const files = await getUnstagedFiles({
@@ -376,7 +377,7 @@ async function isUnstaged(pathname, options) {
   const resolvedPathname = getCachedRealpath(pathname);
   const baseCwd = options?.cwd ? getCachedRealpath(options["cwd"]) : getCwd();
   const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
-  return files.includes(relativePath);
+  return (0, import_primordials.ArrayPrototypeIncludes)(files, relativePath);
 }
 function isUnstagedSync(pathname, options) {
   const files = getUnstagedFilesSync({
@@ -388,7 +389,7 @@ function isUnstagedSync(pathname, options) {
   const resolvedPathname = getCachedRealpath(pathname);
   const baseCwd = options?.cwd ? getCachedRealpath(options["cwd"]) : getCwd();
   const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
-  return files.includes(relativePath);
+  return (0, import_primordials.ArrayPrototypeIncludes)(files, relativePath);
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/github.d.ts

@@ -21,6 +21,40 @@
  * - Cache to minimize API calls
  */
 import type { SpawnOptions } from './spawn';
+/**
+ * Thrown by `fetchGitHub` when GitHub returns HTTP 200 OK with a
+ * zero-byte body — the "successful empty response" pattern.
+ *
+ * Why this exists (background for new contributors):
+ *   GitHub's REST API has a documented failure mode that is *very*
+ *   easy to miss in code review. During incidents where the search
+ *   / Elasticsearch backing index is degraded (see GitHub status
+ *   pages with titles like "search is degraded" or "Pull Requests
+ *   degraded"), the REST `/repos/...` GET endpoints return:
+ *     - HTTP status: 200 OK   ← looks like success
+ *     - Body:        ""       ← but the payload is empty
+ *     - Headers:     no Retry-After, no rate-limit signal, nothing
+ *
+ *   Without a typed error, calling code does
+ *     `JSON.parse(response.body.toString('utf8'))`
+ *   on an empty string, which throws a confusing
+ *   `SyntaxError: Unexpected end of JSON input`. That error has
+ *   nothing to do with our code — but it's the only signal upstream
+ *   sees. This class wraps that case in a *named* error so callers
+ *   can `instanceof GitHubEmptyBodyError` and choose what to do:
+ *   retry the same endpoint later, fall back to GraphQL (which uses
+ *   a different backend and is unaffected by ES outages), or surface
+ *   a clean message to the user.
+ *
+ *   The HTTP status is hard-coded to 200 because that's *exactly*
+ *   what makes this insidious — a real 4xx/5xx would already be
+ *   handled by the rate-limit / status-code branch above.
+ */
+export declare class GitHubEmptyBodyError extends Error {
+    /** HTTP status (always 200 — that's what makes this case insidious). */
+    status: number;
+    constructor(url: string);
+}
 /**
  * Options for GitHub API fetch requests.
  */

package/dist/github.js

@@ -30,6 +30,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var github_exports = {};
 __export(github_exports, {
+  GitHubEmptyBodyError: () => GitHubEmptyBodyError,
   cacheFetchGhsa: () => cacheFetchGhsa,
   clearRefCache: () => clearRefCache,
   fetchGhsaDetails: () => fetchGhsaDetails,
@@ -47,14 +48,32 @@ var import_github = require("./env/github");
 var import_socket_cli = require("./env/socket-cli");
 var import_errors = require("./errors");
 var import_http_request = require("./http-request");
+var import_primordials = require("./primordials");
 var import_spawn = require("./spawn");
 const GITHUB_API_BASE_URL = "https://api.github.com";
+const GITHUB_GRAPHQL_URL = "https://api.github.com/graphql";
 const DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
 let _githubCache;
+class GitHubEmptyBodyError extends Error {
+  /** HTTP status (always 200 — that's what makes this case insidious). */
+  status;
+  constructor(url) {
+    super(`GitHub API returned HTTP 200 with empty body: ${url}`);
+    this.name = "GitHubEmptyBodyError";
+    this.status = 200;
+  }
+}
 async function fetchRefSha(owner, repo, ref, options) {
   const fetchOptions = {
     token: options.token
   };
+  let sawEmptyBody = false;
+  const note404 = (e) => {
+    if (e instanceof GitHubEmptyBodyError) {
+      sawEmptyBody = true;
+    }
+    return e;
+  };
   try {
     const tagUrl = `${GITHUB_API_BASE_URL}/repos/${owner}/${repo}/git/refs/tags/${ref}`;
     const tagData = await fetchGitHub(tagUrl, fetchOptions);
@@ -66,12 +85,14 @@ async function fetchRefSha(owner, repo, ref, options) {
       return tagObject.object.sha;
     }
     return tagData.object.sha;
-  } catch {
+  } catch (e) {
+    note404(e);
     try {
       const branchUrl = `${GITHUB_API_BASE_URL}/repos/${owner}/${repo}/git/refs/heads/${ref}`;
       const branchData = await fetchGitHub(branchUrl, fetchOptions);
       return branchData.object.sha;
-    } catch {
+    } catch (e2) {
+      note404(e2);
       try {
         const commitUrl = `${GITHUB_API_BASE_URL}/repos/${owner}/${repo}/commits/${ref}`;
         const commitData = await fetchGitHub(
@@ -79,14 +100,114 @@ async function fetchRefSha(owner, repo, ref, options) {
           fetchOptions
         );
         return commitData.sha;
-      } catch (e) {
-        throw new Error(
-          `failed to resolve ref "${ref}" for ${owner}/${repo}: ${(0, import_errors.errorMessage)(e)}`
+      } catch (e3) {
+        note404(e3);
+        if (sawEmptyBody) {
+          let graphqlSha;
+          let graphqlErr;
+          try {
+            graphqlSha = await fetchRefShaViaGraphQL(
+              owner,
+              repo,
+              ref,
+              fetchOptions
+            );
+          } catch (cause) {
+            graphqlErr = cause;
+          }
+          if (graphqlSha) {
+            return graphqlSha;
+          }
+          if (graphqlErr !== void 0) {
+            throw new import_primordials.ErrorCtor(
+              `Failed to resolve ref "${ref}" for ${owner}/${repo}: both REST and GraphQL backends degraded`,
+              { cause: graphqlErr }
+            );
+          }
+        }
+        throw new import_primordials.ErrorCtor(
+          `Failed to resolve ref "${ref}" for ${owner}/${repo}: ${(0, import_errors.errorMessage)(e3)}`
         );
       }
     }
   }
 }
+async function fetchRefShaViaGraphQL(owner, repo, ref, options) {
+  const token = options.token || getGitHubToken();
+  const headers = {
+    Accept: "application/vnd.github.v3+json",
+    "Content-Type": "application/json",
+    "User-Agent": "socket-registry-github-client",
+    ...options.headers
+  };
+  if (token) {
+    headers["Authorization"] = `Bearer ${token}`;
+  }
+  const query = `query($owner: String!, $repo: String!, $tag: String!, $branch: String!, $oid: GitObjectID!) {
+    repository(owner: $owner, name: $repo) {
+      tagRef: ref(qualifiedName: $tag) {
+        target {
+          __typename
+          ... on Tag { target { oid } }
+          ... on Commit { oid }
+        }
+      }
+      branchRef: ref(qualifiedName: $branch) {
+        target { oid }
+      }
+      commit: object(oid: $oid) {
+        __typename
+        ... on Commit { oid }
+      }
+    }
+  }`;
+  const looksLikeSha = /^[a-f0-9]{40}$/i.test(ref);
+  const oidArg = looksLikeSha ? ref : "0000000000000000000000000000000000000000";
+  const response = await (0, import_http_request.httpRequest)(GITHUB_GRAPHQL_URL, {
+    body: (0, import_primordials.JSONStringify)({
+      query,
+      variables: {
+        branch: `refs/heads/${ref}`,
+        oid: oidArg,
+        owner,
+        repo,
+        tag: `refs/tags/${ref}`
+      }
+    }),
+    headers,
+    method: "POST"
+  });
+  if (!response.ok || response.body.byteLength === 0) {
+    return void 0;
+  }
+  let parsed;
+  try {
+    parsed = (0, import_primordials.JSONParse)(response.body.toString("utf8"));
+  } catch {
+    return void 0;
+  }
+  const repoData = parsed.data?.repository;
+  if (!repoData) {
+    return void 0;
+  }
+  const tagTarget = repoData.tagRef?.target;
+  if (tagTarget) {
+    if (tagTarget.__typename === "Tag") {
+      return tagTarget.target?.oid ?? void 0;
+    }
+    if (tagTarget.__typename === "Commit") {
+      return tagTarget.oid ?? void 0;
+    }
+  }
+  const branchOid = repoData.branchRef?.target?.oid;
+  if (branchOid) {
+    return branchOid;
+  }
+  if (repoData.commit?.__typename === "Commit" && repoData.commit.oid) {
+    return repoData.commit.oid;
+  }
+  return void 0;
+}
 function getGithubCache() {
   if (_githubCache === void 0) {
     _githubCache = (0, import_cache_with_ttl.createTtlCache)({
@@ -114,20 +235,120 @@ async function clearRefCache() {
 }
 async function fetchGhsaDetails(ghsaId, options) {
   const url = `https://api.github.com/advisories/${ghsaId}`;
-  const data = await fetchGitHub(url, options);
+  try {
+    const data = await fetchGitHub(url, options);
+    return {
+      ghsaId: data.ghsa_id,
+      summary: data.summary,
+      details: data.details,
+      severity: data.severity,
+      aliases: data.aliases || [],
+      publishedAt: data.published_at,
+      updatedAt: data.updated_at,
+      withdrawnAt: data.withdrawn_at,
+      references: data.references || [],
+      vulnerabilities: data.vulnerabilities || [],
+      cvss: data.cvss,
+      cwes: data.cwes || []
+    };
+  } catch (e) {
+    if (e instanceof GitHubEmptyBodyError) {
+      try {
+        return await fetchGhsaDetailsViaGraphQL(ghsaId, options);
+      } catch (cause) {
+        throw new import_primordials.ErrorCtor(
+          `Failed to fetch advisory ${ghsaId}: both REST and GraphQL backends degraded`,
+          { cause }
+        );
+      }
+    }
+    throw e;
+  }
+}
+async function fetchGhsaDetailsViaGraphQL(ghsaId, options) {
+  const opts = { __proto__: null, ...options };
+  const token = opts.token || getGitHubToken();
+  const headers = {
+    Accept: "application/vnd.github.v3+json",
+    "Content-Type": "application/json",
+    "User-Agent": "socket-registry-github-client",
+    ...opts.headers
+  };
+  if (token) {
+    headers["Authorization"] = `Bearer ${token}`;
+  }
+  const query = `query($ghsaId: String!) {
+    securityAdvisory(ghsaId: $ghsaId) {
+      ghsaId
+      summary
+      description
+      severity
+      publishedAt
+      updatedAt
+      withdrawnAt
+      cvss { score vectorString }
+      cwes(first: 50) { nodes { cweId name description } }
+      references { url }
+      vulnerabilities(first: 100) {
+        nodes {
+          package { ecosystem name }
+          vulnerableVersionRange
+          firstPatchedVersion { identifier }
+        }
+      }
+      identifiers { type value }
+    }
+  }`;
+  const response = await (0, import_http_request.httpRequest)(GITHUB_GRAPHQL_URL, {
+    body: (0, import_primordials.JSONStringify)({ query, variables: { ghsaId } }),
+    headers,
+    method: "POST"
+  });
+  if (!response.ok) {
+    throw new import_primordials.ErrorCtor(
+      `GitHub GraphQL API error ${response.status}: ${response.statusText}`
+    );
+  }
+  if (response.body.byteLength === 0) {
+    throw new GitHubEmptyBodyError(GITHUB_GRAPHQL_URL);
+  }
+  let parsed;
+  try {
+    parsed = (0, import_primordials.JSONParse)(response.body.toString("utf8"));
+  } catch (cause) {
+    throw new import_primordials.ErrorCtor(
+      `Failed to parse GitHub GraphQL response for advisory ${ghsaId}`,
+      { cause }
+    );
+  }
+  if (parsed.errors?.length) {
+    throw new import_primordials.ErrorCtor(
+      `GraphQL securityAdvisory(${ghsaId}) returned errors: ${parsed.errors.map((e) => e.message).join("; ")}`
+    );
+  }
+  const adv = parsed.data?.securityAdvisory;
+  if (!adv) {
+    throw new import_primordials.ErrorCtor(`GHSA ${ghsaId} not found`);
+  }
   return {
-    ghsaId: data.ghsa_id,
-    summary: data.summary,
-    details: data.details,
-    severity: data.severity,
-    aliases: data.aliases || [],
-    publishedAt: data.published_at,
-    updatedAt: data.updated_at,
-    withdrawnAt: data.withdrawn_at,
-    references: data.references || [],
-    vulnerabilities: data.vulnerabilities || [],
-    cvss: data.cvss,
-    cwes: data.cwes || []
+    ghsaId: adv.ghsaId,
+    summary: adv.summary,
+    details: adv.description,
+    // REST returns severity lowercase ("moderate"); GraphQL uppercases
+    // ("MODERATE"). Normalize so callers can compare against a single
+    // canonical form regardless of which transport ran.
+    severity: adv.severity.toLowerCase(),
+    // REST `aliases` is the list of non-GHSA identifiers (CVE ids,
+    // typically). GraphQL `identifiers` includes the advisory's own
+    // GHSA id alongside CVE ids; filter it out to match REST shape.
+    aliases: adv.identifiers?.filter((i) => i.type !== "GHSA").map((i) => i.value) ?? [],
+    publishedAt: adv.publishedAt,
+    updatedAt: adv.updatedAt,
+    withdrawnAt: adv.withdrawnAt ?? "",
+    references: adv.references ?? [],
+    vulnerabilities: adv.vulnerabilities?.nodes ?? [],
+    cvss: adv.cvss ?? null,
+    cwes: adv.cwes?.nodes ?? []
   };
 }
 async function fetchGitHub(url, options) {
@@ -149,8 +370,8 @@ async function fetchGitHub(url, options) {
       if (rateLimitStr === "0") {
         const resetTime = response.headers["x-ratelimit-reset"];
         const resetTimeStr = typeof resetTime === "string" ? resetTime : resetTime?.[0];
-        const resetDate = resetTimeStr ? new Date(Number(resetTimeStr) * 1e3) : void 0;
-        const error = new Error(
+        const resetDate = resetTimeStr ? new import_primordials.DateCtor(Number(resetTimeStr) * 1e3) : void 0;
+        const error = new import_primordials.ErrorCtor(
           `GitHub API rate limit exceeded${resetDate ? `. Resets at ${resetDate.toLocaleString()}` : ""}. Use GITHUB_TOKEN environment variable to increase rate limit.`
         );
         error.status = 403;
@@ -158,14 +379,17 @@ async function fetchGitHub(url, options) {
         throw error;
       }
     }
-    throw new Error(
+    throw new import_primordials.ErrorCtor(
       `GitHub API error ${response.status}: ${response.statusText}`
     );
   }
+  if (response.body.byteLength === 0) {
+    throw new GitHubEmptyBodyError(url);
+  }
   try {
-    return JSON.parse(response.body.toString("utf8"));
+    return (0, import_primordials.JSONParse)(response.body.toString("utf8"));
   } catch (e) {
-    throw new Error(
+    throw new import_primordials.ErrorCtor(
       `Failed to parse GitHub API response: ${(0, import_errors.errorMessage)(e)}
 URL: ${url}
 Response may be malformed or incomplete.`,
@@ -211,6 +435,7 @@ async function resolveRefToSha(owner, repo, ref, options) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  GitHubEmptyBodyError,
   cacheFetchGhsa,
   clearRefCache,
   fetchGhsaDetails,

package/dist/globs.d.ts

@@ -32,6 +32,16 @@ export interface GlobOptions extends FastGlobOptions {
     recursive?: boolean;
 }
 export type { Pattern, FastGlobOptions };
+/**
+ * Resolve `path.matchesGlob` (or `undefined` if the runtime predates
+ * it). Probes once and caches the result for every subsequent call.
+ *
+ * Used by `getGlobMatcher`'s narrow fast-path — see the conditions
+ * spelled out at the call site. Exported for unit tests.
+ *
+ * @internal
+ */
+export declare function getMatchesGlob(): ((p: string, pattern: string) => boolean) | undefined;
 export declare const defaultIgnore: readonly string[];
 /**
  * Return a glob-matcher function, memoized by pattern + options.
@@ -73,6 +83,16 @@ export declare function getGlobMatcher(glob: Pattern | Pattern[], options?: {
  * console.log(files) // ['src/index.ts', 'src/utils.ts']
  * ```
  */
+/**
+ * Whether the caller's option bag is fully expressible with
+ * `node:fs.glob` (`cwd` + `exclude`). Any other option means we must
+ * fall back to fast-glob, which exposes the wider surface.
+ *
+ * Exported for unit tests; not part of the public API.
+ *
+ * @internal
+ */
+export declare function canUseNodeFsGlob(options: FastGlobOptions | undefined): boolean;
 export declare function glob(patterns: Pattern | Pattern[], options?: FastGlobOptions): Promise<string[]>;
 /**
  * Create a stream of license file paths matching glob patterns.