@socketsecurity/lib 5.6.0 → 5.8.0

package/dist/archives.js

@@ -0,0 +1,313 @@
+"use strict";
+/* Socket Lib - Built with esbuild */
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var archives_exports = {};
+__export(archives_exports, {
+  detectArchiveFormat: () => detectArchiveFormat,
+  extractArchive: () => extractArchive,
+  extractTar: () => extractTar,
+  extractTarGz: () => extractTarGz,
+  extractZip: () => extractZip
+});
+module.exports = __toCommonJS(archives_exports);
+var import_node_fs = require("node:fs");
+var import_promises = require("node:stream/promises");
+var import_node_zlib = require("node:zlib");
+var import_adm_zip = __toESM(require("./external/adm-zip.js"));
+var import_tar_fs = __toESM(require("./external/tar-fs.js"));
+var import_fs = require("./fs.js");
+var import_normalize = require("./paths/normalize.js");
+let _path;
+// @__NO_SIDE_EFFECTS__
+function getPath() {
+  if (_path === void 0) {
+    _path = require("path");
+  }
+  return _path;
+}
+const DEFAULT_MAX_FILE_SIZE = 100 * 1024 * 1024;
+const DEFAULT_MAX_TOTAL_SIZE = 1024 * 1024 * 1024;
+function validatePathWithinBase(targetPath, baseDir, entryName) {
+  const path = /* @__PURE__ */ getPath();
+  const resolvedTarget = path.resolve(targetPath);
+  const resolvedBase = path.resolve(baseDir);
+  if (!resolvedTarget.startsWith(resolvedBase + path.sep) && resolvedTarget !== resolvedBase) {
+    throw new Error(
+      `Path traversal attempt detected: entry "${entryName}" would extract to "${resolvedTarget}" outside target directory "${resolvedBase}"`
+    );
+  }
+}
+function detectArchiveFormat(filePath) {
+  const lower = filePath.toLowerCase();
+  if (lower.endsWith(".tar.gz")) {
+    return "tar.gz";
+  }
+  if (lower.endsWith(".tgz")) {
+    return "tgz";
+  }
+  if (lower.endsWith(".tar")) {
+    return "tar";
+  }
+  if (lower.endsWith(".zip")) {
+    return "zip";
+  }
+  return null;
+}
+async function extractTar(archivePath, outputDir, options = {}) {
+  const {
+    maxFileSize = DEFAULT_MAX_FILE_SIZE,
+    maxTotalSize = DEFAULT_MAX_TOTAL_SIZE,
+    strip = 0
+  } = options;
+  const normalizedOutputDir = (0, import_normalize.normalizePath)(outputDir);
+  await (0, import_fs.safeMkdir)(normalizedOutputDir);
+  let totalExtractedSize = 0;
+  let destroyScheduled = false;
+  const extractStream = import_tar_fs.default.extract(normalizedOutputDir, {
+    map: (header) => {
+      if (destroyScheduled) {
+        return header;
+      }
+      if (header.type === "symlink" || header.type === "link") {
+        destroyScheduled = true;
+        process.nextTick(() => {
+          extractStream.destroy(
+            new Error(
+              `Symlink detected in archive: ${header.name}. Symlinks are not supported for security reasons.`
+            )
+          );
+        });
+        return header;
+      }
+      if (header.size && header.size > maxFileSize) {
+        destroyScheduled = true;
+        process.nextTick(() => {
+          extractStream.destroy(
+            new Error(
+              `File size exceeds limit: ${header.name} (${header.size} bytes > ${maxFileSize} bytes)`
+            )
+          );
+        });
+        return header;
+      }
+      if (header.size) {
+        totalExtractedSize += header.size;
+        if (totalExtractedSize > maxTotalSize) {
+          destroyScheduled = true;
+          process.nextTick(() => {
+            extractStream.destroy(
+              new Error(
+                `Total extracted size exceeds limit: ${totalExtractedSize} bytes > ${maxTotalSize} bytes`
+              )
+            );
+          });
+          return header;
+        }
+      }
+      return header;
+    },
+    strip
+  });
+  extractStream.on("error", () => {
+  });
+  const readStream = (0, import_node_fs.createReadStream)(archivePath);
+  try {
+    await (0, import_promises.pipeline)(readStream, extractStream);
+  } catch (error) {
+    readStream.destroy();
+    throw error;
+  }
+}
+async function extractTarGz(archivePath, outputDir, options = {}) {
+  const {
+    maxFileSize = DEFAULT_MAX_FILE_SIZE,
+    maxTotalSize = DEFAULT_MAX_TOTAL_SIZE,
+    strip = 0
+  } = options;
+  const normalizedOutputDir = (0, import_normalize.normalizePath)(outputDir);
+  await (0, import_fs.safeMkdir)(normalizedOutputDir);
+  let totalExtractedSize = 0;
+  let destroyScheduled = false;
+  const extractStream = import_tar_fs.default.extract(normalizedOutputDir, {
+    map: (header) => {
+      if (destroyScheduled) {
+        return header;
+      }
+      if (header.type === "symlink" || header.type === "link") {
+        destroyScheduled = true;
+        process.nextTick(() => {
+          extractStream.destroy(
+            new Error(
+              `Symlink detected in archive: ${header.name}. Symlinks are not supported for security reasons.`
+            )
+          );
+        });
+        return header;
+      }
+      if (header.size && header.size > maxFileSize) {
+        destroyScheduled = true;
+        process.nextTick(() => {
+          extractStream.destroy(
+            new Error(
+              `File size exceeds limit: ${header.name} (${header.size} bytes > ${maxFileSize} bytes)`
+            )
+          );
+        });
+        return header;
+      }
+      if (header.size) {
+        totalExtractedSize += header.size;
+        if (totalExtractedSize > maxTotalSize) {
+          destroyScheduled = true;
+          process.nextTick(() => {
+            extractStream.destroy(
+              new Error(
+                `Total extracted size exceeds limit: ${totalExtractedSize} bytes > ${maxTotalSize} bytes`
+              )
+            );
+          });
+          return header;
+        }
+      }
+      return header;
+    },
+    strip
+  });
+  extractStream.on("error", () => {
+  });
+  const readStream = (0, import_node_fs.createReadStream)(archivePath);
+  try {
+    await (0, import_promises.pipeline)(readStream, (0, import_node_zlib.createGunzip)(), extractStream);
+  } catch (error) {
+    readStream.destroy();
+    throw error;
+  }
+}
+async function extractZip(archivePath, outputDir, options = {}) {
+  const {
+    maxFileSize = DEFAULT_MAX_FILE_SIZE,
+    maxTotalSize = DEFAULT_MAX_TOTAL_SIZE,
+    strip = 0
+  } = options;
+  const normalizedOutputDir = (0, import_normalize.normalizePath)(outputDir);
+  await (0, import_fs.safeMkdir)(normalizedOutputDir);
+  const zip = new import_adm_zip.default(archivePath);
+  const path = /* @__PURE__ */ getPath();
+  const entries = zip.getEntries();
+  let totalExtractedSize = 0;
+  for (const entry of entries) {
+    if (entry.isDirectory) {
+      continue;
+    }
+    const uncompressedSize = entry.header.size;
+    if (uncompressedSize > maxFileSize) {
+      throw new Error(
+        `File size exceeds limit: ${entry.entryName} (${uncompressedSize} bytes > ${maxFileSize} bytes)`
+      );
+    }
+    totalExtractedSize += uncompressedSize;
+    if (totalExtractedSize > maxTotalSize) {
+      throw new Error(
+        `Total extracted size exceeds limit: ${totalExtractedSize} bytes > ${maxTotalSize} bytes`
+      );
+    }
+    const parts = entry.entryName.split("/");
+    if (parts.length <= strip) {
+      continue;
+    }
+    const strippedPath = parts.slice(strip).join("/");
+    const targetPath = path.join(normalizedOutputDir, strippedPath);
+    validatePathWithinBase(targetPath, normalizedOutputDir, entry.entryName);
+  }
+  if (strip === 0) {
+    for (const entry of entries) {
+      if (!entry.isDirectory) {
+        const targetPath = path.join(normalizedOutputDir, entry.entryName);
+        validatePathWithinBase(targetPath, normalizedOutputDir, entry.entryName);
+      }
+    }
+    zip.extractAllTo(normalizedOutputDir, true);
+  } else {
+    const path2 = /* @__PURE__ */ getPath();
+    const entries2 = zip.getEntries();
+    const dirsToCreate = /* @__PURE__ */ new Set();
+    for (const entry of entries2) {
+      if (entry.isDirectory) {
+        continue;
+      }
+      const parts = entry.entryName.split("/");
+      if (parts.length <= strip) {
+        continue;
+      }
+      const strippedPath = parts.slice(strip).join("/");
+      const targetPath = path2.join(normalizedOutputDir, strippedPath);
+      dirsToCreate.add(path2.dirname(targetPath));
+    }
+    await Promise.all(Array.from(dirsToCreate).map((dir) => (0, import_fs.safeMkdir)(dir)));
+    for (const entry of entries2) {
+      if (entry.isDirectory) {
+        continue;
+      }
+      const parts = entry.entryName.split("/");
+      if (parts.length <= strip) {
+        continue;
+      }
+      const strippedPath = parts.slice(strip).join("/");
+      const targetPath = path2.join(normalizedOutputDir, strippedPath);
+      zip.extractEntryTo(entry, path2.dirname(targetPath), false, true);
+    }
+  }
+}
+async function extractArchive(archivePath, outputDir, options = {}) {
+  const format = detectArchiveFormat(archivePath);
+  if (!format) {
+    const path = /* @__PURE__ */ getPath();
+    const ext = path.extname(archivePath).toLowerCase();
+    throw new Error(
+      `Unsupported archive format${ext ? ` (extension: ${ext})` : ""}: ${archivePath}. Supported formats: .zip, .tar, .tar.gz, .tgz`
+    );
+  }
+  switch (format) {
+    case "zip":
+      return await extractZip(archivePath, outputDir, options);
+    case "tar":
+      return await extractTar(archivePath, outputDir, options);
+    case "tar.gz":
+    case "tgz":
+      return await extractTarGz(archivePath, outputDir, options);
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  detectArchiveFormat,
+  extractArchive,
+  extractTar,
+  extractTarGz,
+  extractZip
+});

package/dist/arrays.js

@@ -57,10 +57,9 @@ function arrayChunk(arr, size) {
     throw new Error("Chunk size must be greater than 0");
   }
   const { length } = arr;
-  const actualChunkSize = Math.min(length, chunkSize);
   const chunks = [];
-  for (let i = 0; i < length; i += actualChunkSize) {
-    chunks.push(arr.slice(i, i + actualChunkSize));
+  for (let i = 0; i < length; i += chunkSize) {
+    chunks.push(arr.slice(i, i + chunkSize));
   }
   return chunks;
 }

package/dist/cache-with-ttl.js

@@ -54,7 +54,12 @@ function createTtlCache(options) {
     return `${opts.prefix}:${key}`;
   }
   function isExpired(entry) {
-    return Date.now() > entry.expiresAt;
+    const now = Date.now();
+    const maxFutureMs = 1e4;
+    if (entry.expiresAt > now + ttl + maxFutureMs) {
+      return true;
+    }
+    return now > entry.expiresAt;
   }
   function createMatcher(pattern) {
     const fullPattern = buildKey(pattern);
@@ -110,7 +115,7 @@ function createTtlCache(options) {
           memoCache.delete(key);
           continue;
         }
-        const originalKey = key.slice((opts.prefix?.length ?? 0) + 1);
+        const originalKey = opts.prefix ? key.slice(opts.prefix.length + 1) : key;
         results.set(originalKey, entry.data);
       }
     }
@@ -124,7 +129,7 @@ function createTtlCache(options) {
       if (!matches(cacheEntry.key)) {
         continue;
       }
-      const originalKey = cacheEntry.key.slice((opts.prefix?.length ?? 0) + 1);
+      const originalKey = opts.prefix ? cacheEntry.key.slice(opts.prefix.length + 1) : cacheEntry.key;
       if (results.has(originalKey)) {
         continue;
       }
@@ -170,14 +175,28 @@ function createTtlCache(options) {
     } catch {
     }
   }
+  const inflightRequests = /* @__PURE__ */ new Map();
   async function getOrFetch(key, fetcher) {
     const cached = await get(key);
     if (cached !== void 0) {
       return cached;
     }
-    const data = await fetcher();
-    await set(key, data);
-    return data;
+    const fullKey = buildKey(key);
+    const existing = inflightRequests.get(fullKey);
+    if (existing) {
+      return await existing;
+    }
+    const promise = (async () => {
+      try {
+        const data = await fetcher();
+        await set(key, data);
+        return data;
+      } finally {
+        inflightRequests.delete(fullKey);
+      }
+    })();
+    inflightRequests.set(fullKey, promise);
+    return await promise;
   }
   async function deleteEntry(key) {
     if (key.includes("*")) {

package/dist/constants/node.js

@@ -47,7 +47,8 @@ function getNodeVersion() {
   return NODE_VERSION;
 }
 function getNodeMajorVersion() {
-  return Number.parseInt(NODE_VERSION.slice(1).split(".")[0] ?? "0", 10);
+  const major = NODE_VERSION.slice(1).split(".")[0] ?? "0";
+  return Number.parseInt(major, 10) || 0;
 }
 function getNodeMinorVersion() {
   return Number.parseInt(NODE_VERSION.split(".")[1] ?? "0", 10);

package/dist/cover/formatters.js

@@ -77,7 +77,8 @@ function formatCoverage(options) {
       { count: 2 }
     );
   }
-  const emoji = getCoverageEmoji(Number.parseFloat(overall));
+  const overallValue = Number.parseFloat(overall);
+  const emoji = getCoverageEmoji(Number.isNaN(overallValue) ? 0 : overallValue);
   output += `
 Overall: ${overall}%${emoji}
 `;
@@ -89,9 +90,10 @@ function calculateOverall(code, type) {
     Number.parseFloat(code.branches.percent),
     Number.parseFloat(code.functions.percent),
     Number.parseFloat(code.lines.percent)
-  ];
+  ].map((val) => Number.isNaN(val) ? 0 : val);
   if (type) {
-    metrics.push(Number.parseFloat(type.percent));
+    const typePercent = Number.parseFloat(type.percent);
+    metrics.push(Number.isNaN(typePercent) ? 0 : typePercent);
   }
   const average = metrics.reduce((sum, val) => sum + val, 0) / metrics.length;
   return average.toFixed(2);

package/dist/dlx/binary.d.ts

@@ -123,6 +123,12 @@ export declare function downloadBinary(options: Omit<DlxBinaryOptions, 'spawnOpt
     binaryPath: string;
     downloaded: boolean;
 }>;
+/**
+ * Download a file from a URL with integrity checking and concurrent download protection.
+ * Uses processLock to prevent multiple processes from downloading the same binary simultaneously.
+ * Internal helper function for downloading binary files.
+ */
+export declare function downloadBinaryFile(url: string, destPath: string, integrity?: string | undefined): Promise<string>;
 /**
  * Execute a cached binary without re-downloading.
  * Similar to executePackage from dlx-package.
@@ -141,6 +147,14 @@ export declare function executeBinary(binaryPath: string, args: readonly string[
  * Uses same directory as dlx-package for unified DLX storage.
  */
 export declare function getDlxCachePath(): string;
+/**
+ * Get metadata file path for a cached binary.
+ */
+export declare function getBinaryCacheMetadataPath(cacheEntryPath: string): string;
+/**
+ * Check if a cached binary is still valid.
+ */
+export declare function isBinaryCacheValid(cacheEntryPath: string, cacheTtl: number): Promise<boolean>;
 /**
  * Get information about cached binaries.
  */
@@ -151,3 +165,9 @@ export declare function listDlxCache(): Promise<Array<{
     size: number;
     url: string;
 }>>;
+/**
+ * Write metadata for a cached binary.
+ * Uses unified schema shared with C++ decompressor and CLI dlxBinary.
+ * Schema documentation: See DlxMetadata interface in this file (exported).
+ */
+export declare function writeBinaryCacheMetadata(cacheEntryPath: string, cacheKey: string, url: string, integrity: string, size: number): Promise<void>;