@socketsecurity/lib 5.26.0 → 5.27.0

package/dist/github.js

@@ -30,6 +30,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var github_exports = {};
 __export(github_exports, {
+  GitHubEmptyBodyError: () => GitHubEmptyBodyError,
   cacheFetchGhsa: () => cacheFetchGhsa,
   clearRefCache: () => clearRefCache,
   fetchGhsaDetails: () => fetchGhsaDetails,
@@ -47,14 +48,32 @@ var import_github = require("./env/github");
 var import_socket_cli = require("./env/socket-cli");
 var import_errors = require("./errors");
 var import_http_request = require("./http-request");
+var import_primordials = require("./primordials");
 var import_spawn = require("./spawn");
 const GITHUB_API_BASE_URL = "https://api.github.com";
+const GITHUB_GRAPHQL_URL = "https://api.github.com/graphql";
 const DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
 let _githubCache;
+class GitHubEmptyBodyError extends Error {
+  /** HTTP status (always 200 — that's what makes this case insidious). */
+  status;
+  constructor(url) {
+    super(`GitHub API returned HTTP 200 with empty body: ${url}`);
+    this.name = "GitHubEmptyBodyError";
+    this.status = 200;
+  }
+}
 async function fetchRefSha(owner, repo, ref, options) {
   const fetchOptions = {
     token: options.token
   };
+  let sawEmptyBody = false;
+  const note404 = (e) => {
+    if (e instanceof GitHubEmptyBodyError) {
+      sawEmptyBody = true;
+    }
+    return e;
+  };
   try {
     const tagUrl = `${GITHUB_API_BASE_URL}/repos/${owner}/${repo}/git/refs/tags/${ref}`;
     const tagData = await fetchGitHub(tagUrl, fetchOptions);
@@ -66,12 +85,14 @@ async function fetchRefSha(owner, repo, ref, options) {
       return tagObject.object.sha;
     }
     return tagData.object.sha;
-  } catch {
+  } catch (e) {
+    note404(e);
     try {
       const branchUrl = `${GITHUB_API_BASE_URL}/repos/${owner}/${repo}/git/refs/heads/${ref}`;
       const branchData = await fetchGitHub(branchUrl, fetchOptions);
       return branchData.object.sha;
-    } catch {
+    } catch (e2) {
+      note404(e2);
       try {
         const commitUrl = `${GITHUB_API_BASE_URL}/repos/${owner}/${repo}/commits/${ref}`;
         const commitData = await fetchGitHub(
@@ -79,14 +100,114 @@ async function fetchRefSha(owner, repo, ref, options) {
           fetchOptions
         );
         return commitData.sha;
-      } catch (e) {
-        throw new Error(
-          `failed to resolve ref "${ref}" for ${owner}/${repo}: ${(0, import_errors.errorMessage)(e)}`
+      } catch (e3) {
+        note404(e3);
+        if (sawEmptyBody) {
+          let graphqlSha;
+          let graphqlErr;
+          try {
+            graphqlSha = await fetchRefShaViaGraphQL(
+              owner,
+              repo,
+              ref,
+              fetchOptions
+            );
+          } catch (cause) {
+            graphqlErr = cause;
+          }
+          if (graphqlSha) {
+            return graphqlSha;
+          }
+          if (graphqlErr !== void 0) {
+            throw new import_primordials.ErrorCtor(
+              `Failed to resolve ref "${ref}" for ${owner}/${repo}: both REST and GraphQL backends degraded`,
+              { cause: graphqlErr }
+            );
+          }
+        }
+        throw new import_primordials.ErrorCtor(
+          `Failed to resolve ref "${ref}" for ${owner}/${repo}: ${(0, import_errors.errorMessage)(e3)}`
         );
       }
     }
   }
 }
+async function fetchRefShaViaGraphQL(owner, repo, ref, options) {
+  const token = options.token || getGitHubToken();
+  const headers = {
+    Accept: "application/vnd.github.v3+json",
+    "Content-Type": "application/json",
+    "User-Agent": "socket-registry-github-client",
+    ...options.headers
+  };
+  if (token) {
+    headers["Authorization"] = `Bearer ${token}`;
+  }
+  const query = `query($owner: String!, $repo: String!, $tag: String!, $branch: String!, $oid: GitObjectID!) {
+    repository(owner: $owner, name: $repo) {
+      tagRef: ref(qualifiedName: $tag) {
+        target {
+          __typename
+          ... on Tag { target { oid } }
+          ... on Commit { oid }
+        }
+      }
+      branchRef: ref(qualifiedName: $branch) {
+        target { oid }
+      }
+      commit: object(oid: $oid) {
+        __typename
+        ... on Commit { oid }
+      }
+    }
+  }`;
+  const looksLikeSha = /^[a-f0-9]{40}$/i.test(ref);
+  const oidArg = looksLikeSha ? ref : "0000000000000000000000000000000000000000";
+  const response = await (0, import_http_request.httpRequest)(GITHUB_GRAPHQL_URL, {
+    body: (0, import_primordials.JSONStringify)({
+      query,
+      variables: {
+        branch: `refs/heads/${ref}`,
+        oid: oidArg,
+        owner,
+        repo,
+        tag: `refs/tags/${ref}`
+      }
+    }),
+    headers,
+    method: "POST"
+  });
+  if (!response.ok || response.body.byteLength === 0) {
+    return void 0;
+  }
+  let parsed;
+  try {
+    parsed = (0, import_primordials.JSONParse)(response.body.toString("utf8"));
+  } catch {
+    return void 0;
+  }
+  const repoData = parsed.data?.repository;
+  if (!repoData) {
+    return void 0;
+  }
+  const tagTarget = repoData.tagRef?.target;
+  if (tagTarget) {
+    if (tagTarget.__typename === "Tag") {
+      return tagTarget.target?.oid ?? void 0;
+    }
+    if (tagTarget.__typename === "Commit") {
+      return tagTarget.oid ?? void 0;
+    }
+  }
+  const branchOid = repoData.branchRef?.target?.oid;
+  if (branchOid) {
+    return branchOid;
+  }
+  if (repoData.commit?.__typename === "Commit" && repoData.commit.oid) {
+    return repoData.commit.oid;
+  }
+  return void 0;
+}
 function getGithubCache() {
   if (_githubCache === void 0) {
     _githubCache = (0, import_cache_with_ttl.createTtlCache)({
@@ -114,20 +235,120 @@ async function clearRefCache() {
 }
 async function fetchGhsaDetails(ghsaId, options) {
   const url = `https://api.github.com/advisories/${ghsaId}`;
-  const data = await fetchGitHub(url, options);
+  try {
+    const data = await fetchGitHub(url, options);
+    return {
+      ghsaId: data.ghsa_id,
+      summary: data.summary,
+      details: data.details,
+      severity: data.severity,
+      aliases: data.aliases || [],
+      publishedAt: data.published_at,
+      updatedAt: data.updated_at,
+      withdrawnAt: data.withdrawn_at,
+      references: data.references || [],
+      vulnerabilities: data.vulnerabilities || [],
+      cvss: data.cvss,
+      cwes: data.cwes || []
+    };
+  } catch (e) {
+    if (e instanceof GitHubEmptyBodyError) {
+      try {
+        return await fetchGhsaDetailsViaGraphQL(ghsaId, options);
+      } catch (cause) {
+        throw new import_primordials.ErrorCtor(
+          `Failed to fetch advisory ${ghsaId}: both REST and GraphQL backends degraded`,
+          { cause }
+        );
+      }
+    }
+    throw e;
+  }
+}
+async function fetchGhsaDetailsViaGraphQL(ghsaId, options) {
+  const opts = { __proto__: null, ...options };
+  const token = opts.token || getGitHubToken();
+  const headers = {
+    Accept: "application/vnd.github.v3+json",
+    "Content-Type": "application/json",
+    "User-Agent": "socket-registry-github-client",
+    ...opts.headers
+  };
+  if (token) {
+    headers["Authorization"] = `Bearer ${token}`;
+  }
+  const query = `query($ghsaId: String!) {
+    securityAdvisory(ghsaId: $ghsaId) {
+      ghsaId
+      summary
+      description
+      severity
+      publishedAt
+      updatedAt
+      withdrawnAt
+      cvss { score vectorString }
+      cwes(first: 50) { nodes { cweId name description } }
+      references { url }
+      vulnerabilities(first: 100) {
+        nodes {
+          package { ecosystem name }
+          vulnerableVersionRange
+          firstPatchedVersion { identifier }
+        }
+      }
+      identifiers { type value }
+    }
+  }`;
+  const response = await (0, import_http_request.httpRequest)(GITHUB_GRAPHQL_URL, {
+    body: (0, import_primordials.JSONStringify)({ query, variables: { ghsaId } }),
+    headers,
+    method: "POST"
+  });
+  if (!response.ok) {
+    throw new import_primordials.ErrorCtor(
+      `GitHub GraphQL API error ${response.status}: ${response.statusText}`
+    );
+  }
+  if (response.body.byteLength === 0) {
+    throw new GitHubEmptyBodyError(GITHUB_GRAPHQL_URL);
+  }
+  let parsed;
+  try {
+    parsed = (0, import_primordials.JSONParse)(response.body.toString("utf8"));
+  } catch (cause) {
+    throw new import_primordials.ErrorCtor(
+      `Failed to parse GitHub GraphQL response for advisory ${ghsaId}`,
+      { cause }
+    );
+  }
+  if (parsed.errors?.length) {
+    throw new import_primordials.ErrorCtor(
+      `GraphQL securityAdvisory(${ghsaId}) returned errors: ${parsed.errors.map((e) => e.message).join("; ")}`
+    );
+  }
+  const adv = parsed.data?.securityAdvisory;
+  if (!adv) {
+    throw new import_primordials.ErrorCtor(`GHSA ${ghsaId} not found`);
+  }
   return {
-    ghsaId: data.ghsa_id,
-    summary: data.summary,
-    details: data.details,
-    severity: data.severity,
-    aliases: data.aliases || [],
-    publishedAt: data.published_at,
-    updatedAt: data.updated_at,
-    withdrawnAt: data.withdrawn_at,
-    references: data.references || [],
-    vulnerabilities: data.vulnerabilities || [],
-    cvss: data.cvss,
-    cwes: data.cwes || []
+    ghsaId: adv.ghsaId,
+    summary: adv.summary,
+    details: adv.description,
+    // REST returns severity lowercase ("moderate"); GraphQL uppercases
+    // ("MODERATE"). Normalize so callers can compare against a single
+    // canonical form regardless of which transport ran.
+    severity: adv.severity.toLowerCase(),
+    // REST `aliases` is the list of non-GHSA identifiers (CVE ids,
+    // typically). GraphQL `identifiers` includes the advisory's own
+    // GHSA id alongside CVE ids; filter it out to match REST shape.
+    aliases: adv.identifiers?.filter((i) => i.type !== "GHSA").map((i) => i.value) ?? [],
+    publishedAt: adv.publishedAt,
+    updatedAt: adv.updatedAt,
+    withdrawnAt: adv.withdrawnAt ?? "",
+    references: adv.references ?? [],
+    vulnerabilities: adv.vulnerabilities?.nodes ?? [],
+    cvss: adv.cvss ?? null,
+    cwes: adv.cwes?.nodes ?? []
   };
 }
 async function fetchGitHub(url, options) {
@@ -149,8 +370,8 @@ async function fetchGitHub(url, options) {
       if (rateLimitStr === "0") {
         const resetTime = response.headers["x-ratelimit-reset"];
         const resetTimeStr = typeof resetTime === "string" ? resetTime : resetTime?.[0];
-        const resetDate = resetTimeStr ? new Date(Number(resetTimeStr) * 1e3) : void 0;
-        const error = new Error(
+        const resetDate = resetTimeStr ? new import_primordials.DateCtor(Number(resetTimeStr) * 1e3) : void 0;
+        const error = new import_primordials.ErrorCtor(
           `GitHub API rate limit exceeded${resetDate ? `. Resets at ${resetDate.toLocaleString()}` : ""}. Use GITHUB_TOKEN environment variable to increase rate limit.`
         );
         error.status = 403;
@@ -158,14 +379,17 @@ async function fetchGitHub(url, options) {
         throw error;
       }
     }
-    throw new Error(
+    throw new import_primordials.ErrorCtor(
       `GitHub API error ${response.status}: ${response.statusText}`
     );
   }
+  if (response.body.byteLength === 0) {
+    throw new GitHubEmptyBodyError(url);
+  }
   try {
-    return JSON.parse(response.body.toString("utf8"));
+    return (0, import_primordials.JSONParse)(response.body.toString("utf8"));
   } catch (e) {
-    throw new Error(
+    throw new import_primordials.ErrorCtor(
       `Failed to parse GitHub API response: ${(0, import_errors.errorMessage)(e)}
 URL: ${url}
 Response may be malformed or incomplete.`,
@@ -211,6 +435,7 @@ async function resolveRefToSha(owner, repo, ref, options) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  GitHubEmptyBodyError,
   cacheFetchGhsa,
   clearRefCache,
   fetchGhsaDetails,

package/dist/globs.d.ts

@@ -32,6 +32,16 @@ export interface GlobOptions extends FastGlobOptions {
     recursive?: boolean;
 }
 export type { Pattern, FastGlobOptions };
+/**
+ * Resolve `path.matchesGlob` (or `undefined` if the runtime predates
+ * it). Probes once and caches the result for every subsequent call.
+ *
+ * Used by `getGlobMatcher`'s narrow fast-path — see the conditions
+ * spelled out at the call site. Exported for unit tests.
+ *
+ * @internal
+ */
+export declare function getMatchesGlob(): ((p: string, pattern: string) => boolean) | undefined;
 export declare const defaultIgnore: readonly string[];
 /**
  * Return a glob-matcher function, memoized by pattern + options.
@@ -73,6 +83,16 @@ export declare function getGlobMatcher(glob: Pattern | Pattern[], options?: {
  * console.log(files) // ['src/index.ts', 'src/utils.ts']
  * ```
  */
+/**
+ * Whether the caller's option bag is fully expressible with
+ * `node:fs.glob` (`cwd` + `exclude`). Any other option means we must
+ * fall back to fast-glob, which exposes the wider surface.
+ *
+ * Exported for unit tests; not part of the public API.
+ *
+ * @internal
+ */
+export declare function canUseNodeFsGlob(options: FastGlobOptions | undefined): boolean;
 export declare function glob(patterns: Pattern | Pattern[], options?: FastGlobOptions): Promise<string[]>;
 /**
  * Create a stream of license file paths matching glob patterns.

package/dist/globs.js

@@ -20,8 +20,10 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var globs_exports = {};
 __export(globs_exports, {
+  canUseNodeFsGlob: () => canUseNodeFsGlob,
   defaultIgnore: () => defaultIgnore,
   getGlobMatcher: () => getGlobMatcher,
+  getMatchesGlob: () => getMatchesGlob,
   glob: () => glob,
   globStreamLicenses: () => globStreamLicenses,
   globSync: () => globSync
@@ -29,10 +31,42 @@ __export(globs_exports, {
 module.exports = __toCommonJS(globs_exports);
 var import_objects = require("./objects");
 var import_globs = require("./paths/globs");
+var import_normalize = require("./paths/normalize");
+var import_promises = require("./promises");
+var import_primordials = require("./primordials");
 let _fastGlob;
+let _fs;
+let _fsPromises;
 let _picomatch;
+let _matchesGlob;
+let _matchesGlobProbed = false;
+// @__NO_SIDE_EFFECTS__
+function getFs() {
+  if (_fs === void 0) {
+    _fs = require("node:fs");
+  }
+  return _fs;
+}
+// @__NO_SIDE_EFFECTS__
+function getFsPromises() {
+  if (_fsPromises === void 0) {
+    _fsPromises = require("node:fs/promises");
+  }
+  return _fsPromises;
+}
+// @__NO_SIDE_EFFECTS__
+function getMatchesGlob() {
+  if (!_matchesGlobProbed) {
+    const fn = require("node:path").matchesGlob;
+    if (typeof fn === "function") {
+      _matchesGlob = fn;
+    }
+    _matchesGlobProbed = true;
+  }
+  return _matchesGlob;
+}
 const MATCHER_CACHE_MAX_SIZE = 100;
-const matcherCache = /* @__PURE__ */ new Map();
+const matcherCache = new import_primordials.MapCtor();
 const defaultIgnore = (0, import_objects.objectFreeze)([
   // Most of these ignored files can be included specifically if included in the
   // files globs. Exceptions to this are:
@@ -80,6 +114,30 @@ function getFastGlob() {
   }
   return _fastGlob;
 }
+function stripTrailingSlash(pattern) {
+  if (pattern.length > 1 && (0, import_primordials.StringPrototypeCharCodeAt)(pattern, pattern.length - 1) === 47) {
+    return pattern.slice(0, -1);
+  }
+  return pattern;
+}
+function normalizeGlobResults(out) {
+  for (let i = 0; i < out.length; i += 1) {
+    out[i] = (0, import_normalize.normalizePath)(out[i]);
+  }
+  return out;
+}
+function normalizeIgnorePatterns(ignore) {
+  if (!(0, import_primordials.ArrayIsArray)(ignore)) {
+    return void 0;
+  }
+  const source = ignore;
+  const { length } = source;
+  const normalized = new import_primordials.ArrayCtor(length);
+  for (let i = 0; i < length; i++) {
+    normalized[i] = stripTrailingSlash(source[i]);
+  }
+  return normalized;
+}
 // @__NO_SIDE_EFFECTS__
 function getPicomatch() {
   if (_picomatch === void 0) {
@@ -89,12 +147,12 @@ function getPicomatch() {
 }
 // @__NO_SIDE_EFFECTS__
 function getGlobMatcher(glob2, options) {
-  const patterns = Array.isArray(glob2) ? glob2 : [glob2];
+  const patterns = (0, import_primordials.ArrayIsArray)(glob2) ? glob2 : [glob2];
   const sortedPatterns = [...patterns].sort();
-  const sortedOptions = options ? Object.keys(options).sort().map((k) => {
+  const sortedOptions = options ? (0, import_primordials.ObjectKeys)(options).sort().map((k) => {
     const value = options[k];
-    const normalized = Array.isArray(value) ? [...value].sort() : value;
-    return `${k}:${JSON.stringify(normalized)}`;
+    const normalized = (0, import_primordials.ArrayIsArray)(value) ? [...value].sort() : value;
+    return `${k}:${(0, import_primordials.JSONStringify)(normalized)}`;
   }).join(",") : "";
   const key = `${sortedPatterns.join("|")}:${sortedOptions}`;
   const existing = matcherCache.get(key);
@@ -109,26 +167,63 @@ function getGlobMatcher(glob2, options) {
       matcherCache.delete(oldest);
     }
   }
-  const positivePatterns = patterns.filter((p) => !p.startsWith("!"));
-  const negativePatterns = patterns.filter((p) => p.startsWith("!")).map((p) => p.slice(1));
-  const matchOptions = {
-    dot: true,
-    nocase: true,
-    ...options,
-    ...negativePatterns.length > 0 ? { ignore: negativePatterns } : {}
-  };
-  const picomatch = /* @__PURE__ */ getPicomatch();
-  const matcher = picomatch(
-    positivePatterns.length > 0 ? positivePatterns : patterns,
-    matchOptions
-  );
+  let matcher;
+  if (patterns.length === 1 && !(0, import_primordials.StringPrototypeStartsWith)(patterns[0], "!") && options !== void 0 && options.nocase === false && options.dot === false && (options.ignore === void 0 || options.ignore.length === 0)) {
+    const matchesGlob = /* @__PURE__ */ getMatchesGlob();
+    if (matchesGlob !== void 0) {
+      const pattern = patterns[0];
+      matcher = (p) => matchesGlob(p, pattern);
+    }
+  }
+  if (matcher === void 0) {
+    const positivePatterns = patterns.filter(
+      (p) => !(0, import_primordials.StringPrototypeStartsWith)(p, "!")
+    );
+    const negativePatterns = patterns.filter((p) => (0, import_primordials.StringPrototypeStartsWith)(p, "!")).map((p) => p.slice(1));
+    const matchOptions = {
+      dot: true,
+      nocase: true,
+      ...options,
+      ...negativePatterns.length > 0 ? { ignore: negativePatterns } : {}
+    };
+    const picomatch = /* @__PURE__ */ getPicomatch();
+    matcher = picomatch(
+      positivePatterns.length > 0 ? positivePatterns : patterns,
+      matchOptions
+    );
+  }
   matcherCache.set(key, matcher);
   return matcher;
 }
+function canUseNodeFsGlob(options) {
+  if (!options) {
+    return true;
+  }
+  for (const key of (0, import_primordials.ObjectKeys)(options)) {
+    if (key !== "cwd" && key !== "ignore") {
+      return false;
+    }
+  }
+  return true;
+}
 // @__NO_SIDE_EFFECTS__
-function glob(patterns, options) {
+async function glob(patterns, options) {
+  const normalizedIgnore = normalizeIgnorePatterns(options?.ignore);
+  if (canUseNodeFsGlob(options)) {
+    const out2 = await (0, import_promises.fromAsync)(
+      (/* @__PURE__ */ getFsPromises()).glob(patterns, {
+        ...options?.cwd ? { cwd: options.cwd } : {},
+        ...normalizedIgnore ? { exclude: normalizedIgnore } : {}
+      })
+    );
+    return normalizeGlobResults(out2);
+  }
   const fastGlob = /* @__PURE__ */ getFastGlob();
-  return fastGlob.glob(patterns, options);
+  const out = await fastGlob.glob(patterns, {
+    ...options,
+    ...normalizedIgnore ? { ignore: normalizedIgnore } : {}
+  });
+  return normalizeGlobResults(out);
 }
 // @__NO_SIDE_EFFECTS__
 function globStreamLicenses(dirname, options) {
@@ -138,10 +233,8 @@ function globStreamLicenses(dirname, options) {
     recursive,
     ...globOptions
   } = { __proto__: null, ...options };
-  const ignore = [
-    ...Array.isArray(ignoreOpt) ? ignoreOpt : defaultIgnore,
-    "**/*.{cjs,cts,js,json,mjs,mts,ts}"
-  ];
+  const baseIgnore = (0, import_primordials.ArrayIsArray)(ignoreOpt) ? normalizeIgnorePatterns(ignoreOpt) : defaultIgnore;
+  const ignore = [...baseIgnore, "**/*.{cjs,cts,js,json,mjs,mts,ts}"];
   if (ignoreOriginals) {
     ignore.push(import_globs.LICENSE_ORIGINAL_GLOB_RECURSIVE);
   }
@@ -160,13 +253,29 @@ function globStreamLicenses(dirname, options) {
 }
 // @__NO_SIDE_EFFECTS__
 function globSync(patterns, options) {
+  const normalizedIgnore = normalizeIgnorePatterns(options?.ignore);
+  if (canUseNodeFsGlob(options)) {
+    return normalizeGlobResults([
+      ...(/* @__PURE__ */ getFs()).globSync(patterns, {
+        ...options?.cwd ? { cwd: options.cwd } : {},
+        ...normalizedIgnore ? { exclude: normalizedIgnore } : {}
+      })
+    ]);
+  }
   const fastGlob = /* @__PURE__ */ getFastGlob();
-  return fastGlob.globSync(patterns, options);
+  return normalizeGlobResults(
+    fastGlob.globSync(patterns, {
+      ...options,
+      ...normalizedIgnore ? { ignore: normalizedIgnore } : {}
+    })
+  );
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  canUseNodeFsGlob,
   defaultIgnore,
   getGlobMatcher,
+  getMatchesGlob,
   glob,
   globStreamLicenses,
   globSync

package/dist/http-request.d.ts

@@ -905,9 +905,10 @@ export declare function parseChecksums(text: string): Checksums;
  *
  * @example
  * ```ts
- * const delay = parseRetryAfterHeader(response.headers['retry-after'])
- * if (delay !== undefined) {
- *   await new Promise(resolve => setTimeout(resolve, delay))
+ * import { setTimeout as delay } from 'node:timers/promises'
+ * const ms = parseRetryAfterHeader(response.headers['retry-after'])
+ * if (ms !== undefined) {
+ *   await delay(ms)
  * }
  * ```
  */