@socketsecurity/lib 5.5.3 → 5.7.0

package/dist/dlx/package.js

@@ -31,7 +31,12 @@ var package_exports = {};
 __export(package_exports, {
   dlxPackage: () => dlxPackage,
   downloadPackage: () => downloadPackage,
-  executePackage: () => executePackage
+  ensurePackageInstalled: () => ensurePackageInstalled,
+  executePackage: () => executePackage,
+  findBinaryPath: () => findBinaryPath,
+  makePackageBinsExecutable: () => makePackageBinsExecutable,
+  parsePackageSpec: () => parsePackageSpec,
+  resolveBinaryPath: () => resolveBinaryPath
 });
 module.exports = __toCommonJS(package_exports);
 var import_platform = require("../constants/platform");
@@ -61,24 +66,45 @@ function getPath() {
   return _path;
 }
 const rangeOperatorsRegExp = /[~^><=xX* ]|\|\|/;
-function parsePackageSpec(spec) {
-  try {
-    const parsed = (0, import_npm_package_arg.default)(spec);
-    const version = parsed.type === "tag" ? parsed.fetchSpec : parsed.type === "version" || parsed.type === "range" ? parsed.fetchSpec : void 0;
-    return {
-      name: parsed.name || spec,
-      version
-    };
-  } catch {
-    const atIndex = spec.lastIndexOf("@");
-    if (atIndex === -1 || spec.startsWith("@")) {
-      return { name: spec, version: void 0 };
-    }
-    return {
-      name: spec.slice(0, atIndex),
-      version: spec.slice(atIndex + 1)
-    };
-  }
+async function dlxPackage(args, options, spawnExtra) {
+  const downloadResult = await downloadPackage(options);
+  const spawnPromise = executePackage(
+    downloadResult.binaryPath,
+    args,
+    options?.spawnOptions,
+    spawnExtra
+  );
+  return {
+    ...downloadResult,
+    spawnPromise
+  };
+}
+async function downloadPackage(options) {
+  const {
+    binaryName,
+    force: userForce,
+    package: packageSpec,
+    yes
+  } = {
+    __proto__: null,
+    ...options
+  };
+  const { name: packageName, version: packageVersion } = parsePackageSpec(packageSpec);
+  const isVersionRange = packageVersion !== void 0 && rangeOperatorsRegExp.test(packageVersion);
+  const force = userForce !== void 0 ? userForce : yes === true ? true : isVersionRange;
+  const fullPackageSpec = packageVersion ? `${packageName}@${packageVersion}` : packageName;
+  const { installed, packageDir } = await ensurePackageInstalled(
+    packageName,
+    fullPackageSpec,
+    force
+  );
+  const binaryPath = findBinaryPath(packageDir, packageName, binaryName);
+  makePackageBinsExecutable(packageDir, packageName);
+  return {
+    binaryPath,
+    installed,
+    packageDir
+  };
 }
 async function ensurePackageInstalled(packageName, packageSpec, force) {
   const fs = /* @__PURE__ */ getFs();
@@ -172,19 +198,13 @@ Check npm registry connectivity or package name.`,
     }
   );
 }
-function resolveBinaryPath(basePath) {
-  if (!import_platform.WIN32) {
-    return basePath;
-  }
-  const fs = /* @__PURE__ */ getFs();
-  const extensions = [".cmd", ".bat", ".ps1", ".exe", ""];
-  for (const ext of extensions) {
-    const testPath = basePath + ext;
-    if (fs.existsSync(testPath)) {
-      return testPath;
-    }
-  }
-  return basePath;
+function executePackage(binaryPath, args, spawnOptions, spawnExtra) {
+  const needsShell = import_platform.WIN32 && /\.(?:bat|cmd|ps1)$/i.test(binaryPath);
+  const finalOptions = needsShell ? {
+    ...spawnOptions,
+    shell: true
+  } : spawnOptions;
+  return (0, import_spawn.spawn)(binaryPath, args, finalOptions, spawnExtra);
 }
 function findBinaryPath(packageDir, packageName, binaryName) {
   const path = /* @__PURE__ */ getPath();
@@ -240,19 +260,6 @@ function findBinaryPath(packageDir, packageName, binaryName) {
   const rawPath = (0, import_normalize.normalizePath)(path.join(installedDir, binPath));
   return resolveBinaryPath(rawPath);
 }
-async function dlxPackage(args, options, spawnExtra) {
-  const downloadResult = await downloadPackage(options);
-  const spawnPromise = executePackage(
-    downloadResult.binaryPath,
-    args,
-    options?.spawnOptions,
-    spawnExtra
-  );
-  return {
-    ...downloadResult,
-    spawnPromise
-  };
-}
 function makePackageBinsExecutable(packageDir, packageName) {
   if (import_platform.WIN32) {
     return;
@@ -288,44 +295,47 @@ function makePackageBinsExecutable(packageDir, packageName) {
   } catch {
   }
 }
-async function downloadPackage(options) {
-  const {
-    binaryName,
-    force: userForce,
-    package: packageSpec,
-    yes
-  } = {
-    __proto__: null,
-    ...options
-  };
-  const { name: packageName, version: packageVersion } = parsePackageSpec(packageSpec);
-  const isVersionRange = packageVersion !== void 0 && rangeOperatorsRegExp.test(packageVersion);
-  const force = userForce !== void 0 ? userForce : yes === true ? true : isVersionRange;
-  const fullPackageSpec = packageVersion ? `${packageName}@${packageVersion}` : packageName;
-  const { installed, packageDir } = await ensurePackageInstalled(
-    packageName,
-    fullPackageSpec,
-    force
-  );
-  const binaryPath = findBinaryPath(packageDir, packageName, binaryName);
-  makePackageBinsExecutable(packageDir, packageName);
-  return {
-    binaryPath,
-    installed,
-    packageDir
-  };
+function parsePackageSpec(spec) {
+  try {
+    const parsed = (0, import_npm_package_arg.default)(spec);
+    const version = parsed.type === "tag" ? parsed.fetchSpec : parsed.type === "version" || parsed.type === "range" ? parsed.fetchSpec : void 0;
+    return {
+      name: parsed.name || spec,
+      version
+    };
+  } catch {
+    const atIndex = spec.lastIndexOf("@");
+    if (atIndex === -1 || atIndex === 0) {
+      return { name: spec, version: void 0 };
+    }
+    return {
+      name: spec.slice(0, atIndex),
+      version: spec.slice(atIndex + 1)
+    };
+  }
 }
-function executePackage(binaryPath, args, spawnOptions, spawnExtra) {
-  const needsShell = import_platform.WIN32 && /\.(?:bat|cmd|ps1)$/i.test(binaryPath);
-  const finalOptions = needsShell ? {
-    ...spawnOptions,
-    shell: true
-  } : spawnOptions;
-  return (0, import_spawn.spawn)(binaryPath, args, finalOptions, spawnExtra);
+function resolveBinaryPath(basePath) {
+  if (!import_platform.WIN32) {
+    return basePath;
+  }
+  const fs = /* @__PURE__ */ getFs();
+  const extensions = [".cmd", ".bat", ".ps1", ".exe", ""];
+  for (const ext of extensions) {
+    const testPath = basePath + ext;
+    if (fs.existsSync(testPath)) {
+      return testPath;
+    }
+  }
+  return basePath;
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   dlxPackage,
   downloadPackage,
-  executePackage
+  ensurePackageInstalled,
+  executePackage,
+  findBinaryPath,
+  makePackageBinsExecutable,
+  parsePackageSpec,
+  resolveBinaryPath
 });

package/dist/env/ci.js

@@ -22,11 +22,10 @@ __export(ci_exports, {
   getCI: () => getCI
 });
 module.exports = __toCommonJS(ci_exports);
-var import_helpers = require("./helpers");
 var import_rewire = require("./rewire");
 // @__NO_SIDE_EFFECTS__
 function getCI() {
-  return (0, import_helpers.envAsBoolean)((0, import_rewire.getEnvValue)("CI"));
+  return (0, import_rewire.isInEnv)("CI");
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/env/rewire.d.ts

@@ -1,3 +1,7 @@
+/**
+ * Clear a specific environment variable override.
+ */
+export declare function clearEnv(key: string): void;
 /**
  * Get an environment variable value, checking overrides first.
  *
@@ -9,6 +13,35 @@
  * @internal Used by env getters to support test rewiring
  */
 export declare function getEnvValue(key: string): string | undefined;
+/**
+ * Check if an environment variable has been overridden.
+ */
+export declare function hasOverride(key: string): boolean;
+/**
+ * Check if an environment variable exists (has a key), checking overrides first.
+ *
+ * Resolution order:
+ * 1. Isolated overrides (temporary - set via withEnv/withEnvSync)
+ * 2. Shared overrides (persistent - set via setEnv in beforeEach)
+ * 3. process.env (including vi.stubEnv modifications)
+ *
+ * @internal Used by env getters to check for key presence (not value truthiness)
+ */
+export declare function isInEnv(key: string): boolean;
+/**
+ * Clear all environment variable overrides.
+ * Useful in afterEach hooks to ensure clean test state.
+ *
+ * @example
+ * ```typescript
+ * import { resetEnv } from './rewire'
+ *
+ * afterEach(() => {
+ *   resetEnv()
+ * })
+ * ```
+ */
+export declare function resetEnv(): void;
 /**
  * Set an environment variable override for testing.
  * This does not modify process.env, only affects env getters.
@@ -35,28 +68,6 @@ export declare function getEnvValue(key: string): string | undefined;
  * ```
  */
 export declare function setEnv(key: string, value: string | undefined): void;
-/**
- * Clear a specific environment variable override.
- */
-export declare function clearEnv(key: string): void;
-/**
- * Clear all environment variable overrides.
- * Useful in afterEach hooks to ensure clean test state.
- *
- * @example
- * ```typescript
- * import { resetEnv } from './rewire'
- *
- * afterEach(() => {
- *   resetEnv()
- * })
- * ```
- */
-export declare function resetEnv(): void;
-/**
- * Check if an environment variable has been overridden.
- */
-export declare function hasOverride(key: string): boolean;
 /**
  * Run code with environment overrides in an isolated AsyncLocalStorage context.
  * Creates true context isolation - overrides don't leak to concurrent code.

package/dist/env/rewire.js

@@ -22,12 +22,14 @@ __export(rewire_exports, {
   clearEnv: () => clearEnv,
   getEnvValue: () => getEnvValue,
   hasOverride: () => hasOverride,
+  isInEnv: () => isInEnv,
   resetEnv: () => resetEnv,
   setEnv: () => setEnv,
   withEnv: () => withEnv,
   withEnvSync: () => withEnvSync
 });
 module.exports = __toCommonJS(rewire_exports);
+var import_objects = require("../objects");
 var import_helpers = require("./helpers");
 let _async_hooks;
 // @__NO_SIDE_EFFECTS__
@@ -47,6 +49,9 @@ if (isVitestEnv && !globalThis[sharedOverridesSymbol]) {
   globalThis[sharedOverridesSymbol] = /* @__PURE__ */ new Map();
 }
 const sharedOverrides = globalThis[sharedOverridesSymbol];
+function clearEnv(key) {
+  sharedOverrides?.delete(key);
+}
 function getEnvValue(key) {
   const isolatedOverrides = isolatedOverridesStorage.getStore();
   if (isolatedOverrides?.has(key)) {
@@ -57,18 +62,25 @@ function getEnvValue(key) {
   }
   return process.env[key];
 }
-function setEnv(key, value) {
-  sharedOverrides?.set(key, value);
+function hasOverride(key) {
+  const isolatedOverrides = isolatedOverridesStorage.getStore();
+  return !!(isolatedOverrides?.has(key) || sharedOverrides?.has(key));
 }
-function clearEnv(key) {
-  sharedOverrides?.delete(key);
+function isInEnv(key) {
+  const isolatedOverrides = isolatedOverridesStorage.getStore();
+  if (isolatedOverrides?.has(key)) {
+    return true;
+  }
+  if (sharedOverrides?.has(key)) {
+    return true;
+  }
+  return (0, import_objects.hasOwn)(process.env, key);
 }
 function resetEnv() {
   sharedOverrides?.clear();
 }
-function hasOverride(key) {
-  const isolatedOverrides = isolatedOverridesStorage.getStore();
-  return !!(isolatedOverrides?.has(key) || sharedOverrides?.has(key));
+function setEnv(key, value) {
+  sharedOverrides?.set(key, value);
 }
 async function withEnv(overrides, fn) {
   const map = new Map(Object.entries(overrides));
@@ -83,6 +95,7 @@ function withEnvSync(overrides, fn) {
   clearEnv,
   getEnvValue,
   hasOverride,
+  isInEnv,
   resetEnv,
   setEnv,
   withEnv,

package/dist/env/socket-cli.d.ts

@@ -38,6 +38,22 @@ export declare function getSocketCliApiTimeout(): number;
  */
 /*@__NO_SIDE_EFFECTS__*/
 export declare function getSocketCliApiToken(): string | undefined;
+/**
+ * Bootstrap cache directory path.
+ * Set by bootstrap wrappers to pass dlx cache location to CLI.
+ *
+ * @returns Bootstrap cache directory or undefined
+ */
+/*@__NO_SIDE_EFFECTS__*/
+export declare function getSocketCliBootstrapCacheDir(): string | undefined;
+/**
+ * Bootstrap package spec (e.g., @socketsecurity/cli@^2.0.11).
+ * Set by bootstrap wrappers (SEA/smol/npm) to pass package spec to CLI.
+ *
+ * @returns Bootstrap package spec or undefined
+ */
+/*@__NO_SIDE_EFFECTS__*/
+export declare function getSocketCliBootstrapSpec(): string | undefined;
 /**
  * Socket CLI configuration file path (alternative name).
  *
@@ -52,6 +68,14 @@ export declare function getSocketCliConfig(): string | undefined;
  */
 /*@__NO_SIDE_EFFECTS__*/
 export declare function getSocketCliFix(): string | undefined;
+/**
+ * Socket CLI GitHub authentication token.
+ * Checks SOCKET_CLI_GITHUB_TOKEN, SOCKET_SECURITY_GITHUB_PAT, then falls back to GITHUB_TOKEN.
+ *
+ * @returns GitHub token or undefined
+ */
+/*@__NO_SIDE_EFFECTS__*/
+export declare function getSocketCliGithubToken(): string | undefined;
 /**
  * Whether to skip Socket CLI API token requirement (alternative name).
  *
@@ -81,27 +105,3 @@ export declare function getSocketCliOrgSlug(): string | undefined;
  */
 /*@__NO_SIDE_EFFECTS__*/
 export declare function getSocketCliViewAllRisks(): boolean;
-/**
- * Socket CLI GitHub authentication token.
- * Checks SOCKET_CLI_GITHUB_TOKEN, SOCKET_SECURITY_GITHUB_PAT, then falls back to GITHUB_TOKEN.
- *
- * @returns GitHub token or undefined
- */
-/*@__NO_SIDE_EFFECTS__*/
-export declare function getSocketCliGithubToken(): string | undefined;
-/**
- * Bootstrap package spec (e.g., @socketsecurity/cli@^2.0.11).
- * Set by bootstrap wrappers (SEA/smol/npm) to pass package spec to CLI.
- *
- * @returns Bootstrap package spec or undefined
- */
-/*@__NO_SIDE_EFFECTS__*/
-export declare function getSocketCliBootstrapSpec(): string | undefined;
-/**
- * Bootstrap cache directory path.
- * Set by bootstrap wrappers to pass dlx cache location to CLI.
- *
- * @returns Bootstrap cache directory or undefined
- */
-/*@__NO_SIDE_EFFECTS__*/
-export declare function getSocketCliBootstrapCacheDir(): string | undefined;

package/dist/env/socket-cli.js

@@ -58,6 +58,14 @@ function getSocketCliApiToken() {
   return (0, import_rewire.getEnvValue)("SOCKET_CLI_API_TOKEN") || (0, import_rewire.getEnvValue)("SOCKET_CLI_API_KEY") || (0, import_rewire.getEnvValue)("SOCKET_SECURITY_API_TOKEN") || (0, import_rewire.getEnvValue)("SOCKET_SECURITY_API_KEY");
 }
 // @__NO_SIDE_EFFECTS__
+function getSocketCliBootstrapCacheDir() {
+  return (0, import_rewire.getEnvValue)("SOCKET_CLI_BOOTSTRAP_CACHE_DIR");
+}
+// @__NO_SIDE_EFFECTS__
+function getSocketCliBootstrapSpec() {
+  return (0, import_rewire.getEnvValue)("SOCKET_CLI_BOOTSTRAP_SPEC");
+}
+// @__NO_SIDE_EFFECTS__
 function getSocketCliConfig() {
   return (0, import_rewire.getEnvValue)("SOCKET_CLI_CONFIG");
 }
@@ -66,6 +74,10 @@ function getSocketCliFix() {
   return (0, import_rewire.getEnvValue)("SOCKET_CLI_FIX");
 }
 // @__NO_SIDE_EFFECTS__
+function getSocketCliGithubToken() {
+  return (0, import_rewire.getEnvValue)("SOCKET_CLI_GITHUB_TOKEN") || (0, import_rewire.getEnvValue)("SOCKET_SECURITY_GITHUB_PAT") || (0, import_rewire.getEnvValue)("GITHUB_TOKEN");
+}
+// @__NO_SIDE_EFFECTS__
 function getSocketCliNoApiToken() {
   return (0, import_helpers.envAsBoolean)((0, import_rewire.getEnvValue)("SOCKET_CLI_NO_API_TOKEN"));
 }
@@ -81,18 +93,6 @@ function getSocketCliOrgSlug() {
 function getSocketCliViewAllRisks() {
   return (0, import_helpers.envAsBoolean)((0, import_rewire.getEnvValue)("SOCKET_CLI_VIEW_ALL_RISKS"));
 }
-// @__NO_SIDE_EFFECTS__
-function getSocketCliGithubToken() {
-  return (0, import_rewire.getEnvValue)("SOCKET_CLI_GITHUB_TOKEN") || (0, import_rewire.getEnvValue)("SOCKET_SECURITY_GITHUB_PAT") || (0, import_rewire.getEnvValue)("GITHUB_TOKEN");
-}
-// @__NO_SIDE_EFFECTS__
-function getSocketCliBootstrapSpec() {
-  return (0, import_rewire.getEnvValue)("SOCKET_CLI_BOOTSTRAP_SPEC");
-}
-// @__NO_SIDE_EFFECTS__
-function getSocketCliBootstrapCacheDir() {
-  return (0, import_rewire.getEnvValue)("SOCKET_CLI_BOOTSTRAP_CACHE_DIR");
-}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   getSocketCliAcceptRisks,

package/dist/env/temp-dir.d.ts

@@ -1,9 +1,3 @@
-/**
- * TMPDIR environment variable.
- * Unix/macOS temporary directory path.
- */
-/*@__NO_SIDE_EFFECTS__*/
-export declare function getTmpdir(): string | undefined;
 /**
  * TEMP environment variable.
  * Windows temporary directory path.
@@ -16,3 +10,9 @@ export declare function getTemp(): string | undefined;
  */
 /*@__NO_SIDE_EFFECTS__*/
 export declare function getTmp(): string | undefined;
+/**
+ * TMPDIR environment variable.
+ * Unix/macOS temporary directory path.
+ */
+/*@__NO_SIDE_EFFECTS__*/
+export declare function getTmpdir(): string | undefined;

package/dist/env/temp-dir.js

@@ -26,10 +26,6 @@ __export(temp_dir_exports, {
 module.exports = __toCommonJS(temp_dir_exports);
 var import_rewire = require("./rewire");
 // @__NO_SIDE_EFFECTS__
-function getTmpdir() {
-  return (0, import_rewire.getEnvValue)("TMPDIR");
-}
-// @__NO_SIDE_EFFECTS__
 function getTemp() {
   return (0, import_rewire.getEnvValue)("TEMP");
 }
@@ -37,6 +33,10 @@ function getTemp() {
 function getTmp() {
   return (0, import_rewire.getEnvValue)("TMP");
 }
+// @__NO_SIDE_EFFECTS__
+function getTmpdir() {
+  return (0, import_rewire.getEnvValue)("TMPDIR");
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   getTemp,

package/dist/env/windows.d.ts

@@ -4,6 +4,12 @@
  */
 /*@__NO_SIDE_EFFECTS__*/
 export declare function getAppdata(): string | undefined;
+/**
+ * COMSPEC environment variable.
+ * Points to the Windows command processor (typically cmd.exe).
+ */
+/*@__NO_SIDE_EFFECTS__*/
+export declare function getComspec(): string | undefined;
 /**
  * LOCALAPPDATA environment variable.
  * Points to the Local Application Data directory on Windows.
@@ -16,9 +22,3 @@ export declare function getLocalappdata(): string | undefined;
  */
 /*@__NO_SIDE_EFFECTS__*/
 export declare function getUserprofile(): string | undefined;
-/**
- * COMSPEC environment variable.
- * Points to the Windows command processor (typically cmd.exe).
- */
-/*@__NO_SIDE_EFFECTS__*/
-export declare function getComspec(): string | undefined;

package/dist/env/windows.js

@@ -31,6 +31,10 @@ function getAppdata() {
   return (0, import_rewire.getEnvValue)("APPDATA");
 }
 // @__NO_SIDE_EFFECTS__
+function getComspec() {
+  return (0, import_rewire.getEnvValue)("COMSPEC");
+}
+// @__NO_SIDE_EFFECTS__
 function getLocalappdata() {
   return (0, import_rewire.getEnvValue)("LOCALAPPDATA");
 }
@@ -38,10 +42,6 @@ function getLocalappdata() {
 function getUserprofile() {
   return (0, import_rewire.getEnvValue)("USERPROFILE");
 }
-// @__NO_SIDE_EFFECTS__
-function getComspec() {
-  return (0, import_rewire.getEnvValue)("COMSPEC");
-}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   getAppdata,

package/dist/external/libnpmexec.js

@@ -11,9 +11,9 @@ var __commonJS = (cb, mod) => function __require() {
   return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
 };
 
-// node_modules/.pnpm/libnpmexec@10.1.11_supports-color@10.0.0/node_modules/libnpmexec/lib/get-bin-from-manifest.js
+// node_modules/.pnpm/libnpmexec@10.2.0_supports-color@10.0.0/node_modules/libnpmexec/lib/get-bin-from-manifest.js
 var require_get_bin_from_manifest = __commonJS({
-  "node_modules/.pnpm/libnpmexec@10.1.11_supports-color@10.0.0/node_modules/libnpmexec/lib/get-bin-from-manifest.js"(exports2, module2) {
+  "node_modules/.pnpm/libnpmexec@10.2.0_supports-color@10.0.0/node_modules/libnpmexec/lib/get-bin-from-manifest.js"(exports2, module2) {
     var getBinFromManifest2 = /* @__PURE__ */ __name((mani) => {
       const bin = mani.bin || {};
       if (new Set(Object.values(bin)).size === 1) {

package/dist/github.js

@@ -83,7 +83,16 @@ async function fetchGitHub(url, options) {
       `GitHub API error ${response.status}: ${response.statusText}`
     );
   }
-  return JSON.parse(response.body.toString("utf8"));
+  try {
+    return JSON.parse(response.body.toString("utf8"));
+  } catch (error) {
+    throw new Error(
+      `Failed to parse GitHub API response: ${error instanceof Error ? error.message : String(error)}
+URL: ${url}
+Response may be malformed or incomplete.`,
+      { cause: error }
+    );
+  }
 }
 async function resolveRefToSha(owner, repo, ref, options) {
   const opts = {