@socketsecurity/lib 5.7.0 → 5.8.0

package/dist/git.js

@@ -56,6 +56,16 @@ function getPath() {
   return _path;
 }
 const gitDiffCache = /* @__PURE__ */ new Map();
+const gitDiffAccessOrder = [];
+const GIT_CACHE_MAX_SIZE = 100;
+function evictLRUGitCache() {
+  if (gitDiffCache.size >= GIT_CACHE_MAX_SIZE && gitDiffAccessOrder.length > 0) {
+    const oldest = gitDiffAccessOrder.shift();
+    if (oldest) {
+      gitDiffCache.delete(oldest);
+    }
+  }
+}
 function getGitPath() {
   return "git";
 }
@@ -114,7 +124,9 @@ async function innerDiff(args, options) {
     return [];
   }
   if (cache && cacheKey) {
+    evictLRUGitCache();
     gitDiffCache.set(cacheKey, result);
+    gitDiffAccessOrder.push(cacheKey);
   }
   return result;
 }
@@ -144,7 +156,9 @@ function innerDiffSync(args, options) {
     return [];
   }
   if (cache && cacheKey) {
+    evictLRUGitCache();
     gitDiffCache.set(cacheKey, result);
+    gitDiffAccessOrder.push(cacheKey);
   }
   return result;
 }
@@ -256,10 +270,14 @@ function isChangedSync(pathname, options) {
   });
   const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
-  const resolvedPathname = fs.realpathSync(pathname);
-  const baseCwd = options?.cwd ? fs.realpathSync(options["cwd"]) : getCwd();
-  const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
-  return files.includes(relativePath);
+  try {
+    const resolvedPathname = fs.realpathSync(pathname);
+    const baseCwd = options?.cwd ? fs.realpathSync(options["cwd"]) : getCwd();
+    const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
+    return files.includes(relativePath);
+  } catch {
+    return false;
+  }
 }
 async function isUnstaged(pathname, options) {
   const files = await getUnstagedFiles({

package/dist/github.js

@@ -189,15 +189,14 @@ async function fetchGhsaDetails(ghsaId, options) {
 async function cacheFetchGhsa(ghsaId, options) {
   const cache = getGithubCache();
   const key = `ghsa:${ghsaId}`;
-  if (!process.env["DISABLE_GITHUB_CACHE"]) {
-    const cached = await cache.get(key);
-    if (cached) {
-      return JSON.parse(cached);
-    }
+  if (process.env["DISABLE_GITHUB_CACHE"]) {
+    return await fetchGhsaDetails(ghsaId, options);
   }
-  const data = await fetchGhsaDetails(ghsaId, options);
-  await cache.set(key, JSON.stringify(data));
-  return data;
+  const cached = await cache.getOrFetch(key, async () => {
+    const data = await fetchGhsaDetails(ghsaId, options);
+    return JSON.stringify(data);
+  });
+  return JSON.parse(cached);
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/globs.js

@@ -107,15 +107,33 @@ function globStreamLicenses(dirname, options) {
     }
   );
 }
+const MATCHER_CACHE_MAX_SIZE = 100;
 const matcherCache = /* @__PURE__ */ new Map();
+const matcherAccessOrder = [];
+function evictLRUMatcher() {
+  if (matcherCache.size >= MATCHER_CACHE_MAX_SIZE && matcherAccessOrder.length > 0) {
+    const oldest = matcherAccessOrder.shift();
+    if (oldest) {
+      matcherCache.delete(oldest);
+    }
+  }
+}
 // @__NO_SIDE_EFFECTS__
 function getGlobMatcher(glob2, options) {
   const patterns = Array.isArray(glob2) ? glob2 : [glob2];
-  const key = JSON.stringify({ patterns, options });
+  const sortedPatterns = [...patterns].sort();
+  const sortedOptions = options ? Object.keys(options).sort().map((k) => `${k}:${JSON.stringify(options[k])}`).join(",") : "";
+  const key = `${sortedPatterns.join("|")}:${sortedOptions}`;
   let matcher = matcherCache.get(key);
   if (matcher) {
+    const index = matcherAccessOrder.indexOf(key);
+    if (index !== -1) {
+      matcherAccessOrder.splice(index, 1);
+      matcherAccessOrder.push(key);
+    }
     return matcher;
   }
+  evictLRUMatcher();
   const positivePatterns = patterns.filter((p) => !p.startsWith("!"));
   const negativePatterns = patterns.filter((p) => p.startsWith("!")).map((p) => p.slice(1));
   const matchOptions = {
@@ -129,6 +147,7 @@ function getGlobMatcher(glob2, options) {
     matchOptions
   );
   matcherCache.set(key, matcher);
+  matcherAccessOrder.push(key);
   return matcher;
 }
 // @__NO_SIDE_EFFECTS__

package/dist/http-request.js

@@ -299,7 +299,7 @@ async function httpDownload(url, destPath, options) {
   } else if (logger) {
     let lastPercent = 0;
     progressCallback = (downloaded, total) => {
-      const percent = Math.floor(downloaded / total * 100);
+      const percent = total === 0 ? 0 : Math.floor(downloaded / total * 100);
       if (percent >= lastPercent + progressInterval) {
         logger.log(
           `  Progress: ${percent}% (${(downloaded / 1024 / 1024).toFixed(1)} MB / ${(total / 1024 / 1024).toFixed(1)} MB)`

package/dist/memoization.js

@@ -36,6 +36,9 @@ function memoize(fn, options = {}) {
     name = fn.name || "anonymous",
     ttl = Number.POSITIVE_INFINITY
   } = options;
+  if (ttl < 0) {
+    throw new TypeError("TTL must be non-negative");
+  }
   const cache = /* @__PURE__ */ new Map();
   const accessOrder = [];
   function evictLRU() {
@@ -123,7 +126,24 @@ function memoizeAsync(fn, options = {}) {
       return await cached.value;
     }
     (0, import_debug.debugLog)(`[memoizeAsync:${name}] miss`, { key });
-    const promise = fn(...args);
+    const promise = fn(...args).then(
+      (result) => {
+        const entry = cache.get(key);
+        if (entry) {
+          entry.value = Promise.resolve(result);
+        }
+        return result;
+      },
+      (error) => {
+        cache.delete(key);
+        const index = accessOrder.indexOf(key);
+        if (index !== -1) {
+          accessOrder.splice(index, 1);
+        }
+        (0, import_debug.debugLog)(`[memoizeAsync:${name}] error`, { key, error });
+        throw error;
+      }
+    );
     evictLRU();
     cache.set(key, {
       value: promise,
@@ -132,18 +152,7 @@ function memoizeAsync(fn, options = {}) {
     });
     accessOrder.push(key);
     (0, import_debug.debugLog)(`[memoizeAsync:${name}] set`, { key, cacheSize: cache.size });
-    try {
-      const result = await promise;
-      return result;
-    } catch (e) {
-      cache.delete(key);
-      const orderIndex = accessOrder.indexOf(key);
-      if (orderIndex !== -1) {
-        accessOrder.splice(orderIndex, 1);
-      }
-      (0, import_debug.debugLog)(`[memoizeAsync:${name}] clear`, { key, reason: "error" });
-      throw e;
-    }
+    return await promise;
   };
 }
 function Memoize(options = {}) {

package/dist/package-extensions.js

@@ -64,8 +64,10 @@ const packageExtensions = ObjectFreeze(
       }
     ]
   ].sort((a_, b_) => {
-    const a = a_[0].slice(0, a_[0].lastIndexOf("@"));
-    const b = b_[0].slice(0, b_[0].lastIndexOf("@"));
+    const aIndex = a_[0].lastIndexOf("@");
+    const bIndex = b_[0].lastIndexOf("@");
+    const a = aIndex === -1 ? a_[0] : a_[0].slice(0, aIndex);
+    const b = bIndex === -1 ? b_[0] : b_[0].slice(0, bIndex);
     if (a < b) {
       return -1;
     }

package/dist/packages/normalize.js

@@ -91,6 +91,9 @@ function resolveOriginalPackageName(sockRegPkgName) {
 }
 // @__NO_SIDE_EFFECTS__
 function unescapeScope(escapedScope) {
+  if (escapedScope.length < import_socket.REGISTRY_SCOPE_DELIMITER.length) {
+    return `@${escapedScope}`;
+  }
   return `@${escapedScope.slice(0, -import_socket.REGISTRY_SCOPE_DELIMITER.length)}`;
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/process-lock.js

@@ -204,7 +204,8 @@ class ProcessLockManager {
             );
           }
           if (code === "ENOTDIR") {
-            const parentDir = lockPath.slice(0, lockPath.lastIndexOf("/"));
+            const lastSlashIndex = lockPath.lastIndexOf("/");
+            const parentDir = lastSlashIndex === -1 ? "." : lockPath.slice(0, lastSlashIndex);
             throw new Error(
               `Cannot create lock directory: ${lockPath}
 A path component is a file when it should be a directory.
@@ -217,7 +218,8 @@ To resolve:
             );
           }
           if (code === "ENOENT") {
-            const parentDir = lockPath.slice(0, lockPath.lastIndexOf("/"));
+            const lastSlashIndex = lockPath.lastIndexOf("/");
+            const parentDir = lastSlashIndex === -1 ? "." : lockPath.slice(0, lastSlashIndex);
             throw new Error(
               `Cannot create lock directory: ${lockPath}
 Parent directory does not exist: ${parentDir}

package/dist/releases/github.d.ts

@@ -1,3 +1,4 @@
+import { type ArchiveFormat } from '../archives.js';
 /**
  * Pattern for matching release assets.
  * Can be either:
@@ -133,3 +134,42 @@ export declare function getLatestRelease(toolPrefix: string, repoConfig: RepoCon
 export declare function getReleaseAssetUrl(tag: string, assetPattern: string | AssetPattern, repoConfig: RepoConfig, options?: {
     quiet?: boolean;
 }): Promise<string | null>;
+/**
+ * Download and extract a zip file from a GitHub release.
+ * Automatically handles downloading, extracting, and cleanup.
+ *
+ * @param tag - Release tag name
+ * @param assetPattern - Asset name or pattern (glob string, prefix/suffix object, or RegExp)
+ * @param outputDir - Directory to extract the zip contents to
+ * @param repoConfig - Repository configuration (owner/repo)
+ * @param options - Additional options
+ * @param options.quiet - Suppress log messages
+ * @param options.cleanup - Remove downloaded zip file after extraction (default: true)
+ * @returns Path to the extraction directory
+ */
+export declare function downloadAndExtractZip(tag: string, assetPattern: string | AssetPattern, outputDir: string, repoConfig: RepoConfig, options?: {
+    cleanup?: boolean;
+    quiet?: boolean;
+}): Promise<string>;
+/**
+ * Download and extract an archive from a GitHub release.
+ * Supports zip, tar, tar.gz, and tgz formats.
+ * Automatically handles downloading, extracting, and cleanup.
+ *
+ * @param tag - Release tag name
+ * @param assetPattern - Asset name or pattern (glob string, prefix/suffix object, or RegExp)
+ * @param outputDir - Directory to extract the archive contents to
+ * @param repoConfig - Repository configuration (owner/repo)
+ * @param options - Additional options
+ * @param options.quiet - Suppress log messages
+ * @param options.cleanup - Remove downloaded archive after extraction (default: true)
+ * @param options.strip - Strip leading path components (like tar --strip-components)
+ * @param options.format - Archive format (auto-detected if not specified)
+ * @returns Path to the extraction directory
+ */
+export declare function downloadAndExtractArchive(tag: string, assetPattern: string | AssetPattern, outputDir: string, repoConfig: RepoConfig, options?: {
+    cleanup?: boolean;
+    format?: ArchiveFormat;
+    quiet?: boolean;
+    strip?: number;
+}): Promise<string>;

package/dist/releases/github.js

@@ -31,6 +31,8 @@ var github_exports = {};
 __export(github_exports, {
   SOCKET_BTM_REPO: () => SOCKET_BTM_REPO,
   createAssetMatcher: () => createAssetMatcher,
+  downloadAndExtractArchive: () => downloadAndExtractArchive,
+  downloadAndExtractZip: () => downloadAndExtractZip,
   downloadGitHubRelease: () => downloadGitHubRelease,
   downloadReleaseAsset: () => downloadReleaseAsset,
   getAuthHeaders: () => getAuthHeaders,
@@ -39,6 +41,7 @@ __export(github_exports, {
 });
 module.exports = __toCommonJS(github_exports);
 var import_picomatch = __toESM(require("../external/picomatch.js"));
+var import_archives = require("../archives.js");
 var import_fs = require("../fs.js");
 var import_http_request = require("../http-request.js");
 var import_logger = require("../logger.js");
@@ -207,27 +210,33 @@ async function getLatestRelease(toolPrefix, repoConfig, options = {}) {
       if (!response.ok) {
         throw new Error(`Failed to fetch releases: ${response.status}`);
       }
-      const releases = JSON.parse(response.body.toString("utf8"));
-      const matchingReleases = releases.filter(
-        (release) => {
-          const { assets, tag_name: tag2 } = release;
-          if (!tag2.startsWith(toolPrefix)) {
-            return false;
-          }
-          if (!assets || assets.length === 0) {
+      let releases;
+      try {
+        releases = JSON.parse(response.body.toString("utf8"));
+      } catch (cause) {
+        throw new Error(
+          `Failed to parse GitHub releases response from https://api.github.com/repos/${owner}/${repo}/releases`,
+          { cause }
+        );
+      }
+      const matchingReleases = releases.filter((release) => {
+        const { assets, tag_name: tag2 } = release;
+        if (!tag2.startsWith(toolPrefix)) {
+          return false;
+        }
+        if (!assets || assets.length === 0) {
+          return false;
+        }
+        if (isMatch) {
+          const hasMatchingAsset = assets.some(
+            (a) => isMatch(a.name)
+          );
+          if (!hasMatchingAsset) {
             return false;
           }
-          if (isMatch) {
-            const hasMatchingAsset = assets.some(
-              (a) => isMatch(a.name)
-            );
-            if (!hasMatchingAsset) {
-              return false;
-            }
-          }
-          return true;
         }
-      );
+        return true;
+      });
       if (matchingReleases.length === 0) {
         if (!quiet) {
           logger.info(`No ${toolPrefix} release found in latest 100 releases`);
@@ -275,10 +284,16 @@ async function getReleaseAssetUrl(tag, assetPattern, repoConfig, options = {}) {
       if (!response.ok) {
         throw new Error(`Failed to fetch release ${tag}: ${response.status}`);
       }
-      const release = JSON.parse(response.body.toString("utf8"));
-      const asset = release.assets.find(
-        (a) => isMatch(a.name)
-      );
+      let release;
+      try {
+        release = JSON.parse(response.body.toString("utf8"));
+      } catch (cause) {
+        throw new Error(
+          `Failed to parse GitHub release response for tag ${tag}`,
+          { cause }
+        );
+      }
+      const asset = release.assets.find((a) => isMatch(a.name));
       if (!asset) {
         const patternDesc = typeof assetPattern === "string" ? assetPattern : "matching pattern";
         throw new Error(`Asset ${patternDesc} not found in release ${tag}`);
@@ -304,10 +319,95 @@ async function getReleaseAssetUrl(tag, assetPattern, repoConfig, options = {}) {
     }
   );
 }
+async function downloadAndExtractZip(tag, assetPattern, outputDir, repoConfig, options = {}) {
+  const { cleanup = true, quiet = false } = options;
+  const path = /* @__PURE__ */ getPath();
+  const fs = /* @__PURE__ */ getFs();
+  await (0, import_fs.safeMkdir)(outputDir);
+  const zipPath = path.join(outputDir, "__temp_download__.zip");
+  if (!quiet) {
+    logger.info(`Downloading zip asset from release ${tag}...`);
+  }
+  await downloadReleaseAsset(tag, assetPattern, zipPath, repoConfig, { quiet });
+  if (!quiet) {
+    logger.info(`Extracting zip to ${outputDir}...`);
+  }
+  try {
+    await (0, import_archives.extractArchive)(zipPath, outputDir, { quiet });
+    if (!quiet) {
+      logger.info(`Extracted zip contents to ${outputDir}`);
+    }
+  } catch (cause) {
+    throw new Error(`Failed to extract zip file: ${zipPath}`, { cause });
+  } finally {
+    if (cleanup) {
+      try {
+        await fs.promises.unlink(zipPath);
+        if (!quiet) {
+          logger.info("Cleaned up temporary zip file");
+        }
+      } catch (error) {
+        if (!quiet) {
+          logger.warn(`Failed to cleanup zip file: ${error}`);
+        }
+      }
+    }
+  }
+  return outputDir;
+}
+async function downloadAndExtractArchive(tag, assetPattern, outputDir, repoConfig, options = {}) {
+  const { cleanup = true, format, quiet = false, strip } = options;
+  const path = /* @__PURE__ */ getPath();
+  const fs = /* @__PURE__ */ getFs();
+  await (0, import_fs.safeMkdir)(outputDir);
+  let ext = ".archive";
+  if (format) {
+    ext = format === "tar.gz" ? ".tar.gz" : `.${format}`;
+  } else if (typeof assetPattern === "string") {
+    const detectedFormat = (0, import_archives.detectArchiveFormat)(assetPattern);
+    if (detectedFormat) {
+      ext = detectedFormat === "tar.gz" ? ".tar.gz" : `.${detectedFormat}`;
+    }
+  }
+  const archivePath = path.join(outputDir, `__temp_download__${ext}`);
+  if (!quiet) {
+    logger.info(`Downloading archive from release ${tag}...`);
+  }
+  await downloadReleaseAsset(tag, assetPattern, archivePath, repoConfig, {
+    quiet
+  });
+  if (!quiet) {
+    logger.info(`Extracting archive to ${outputDir}...`);
+  }
+  try {
+    await (0, import_archives.extractArchive)(archivePath, outputDir, { quiet, strip });
+    if (!quiet) {
+      logger.info(`Extracted archive contents to ${outputDir}`);
+    }
+  } catch (cause) {
+    throw new Error(`Failed to extract archive: ${archivePath}`, { cause });
+  } finally {
+    if (cleanup) {
+      try {
+        await fs.promises.unlink(archivePath);
+        if (!quiet) {
+          logger.info("Cleaned up temporary archive file");
+        }
+      } catch (error) {
+        if (!quiet) {
+          logger.warn(`Failed to cleanup archive file: ${error}`);
+        }
+      }
+    }
+  }
+  return outputDir;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   SOCKET_BTM_REPO,
   createAssetMatcher,
+  downloadAndExtractArchive,
+  downloadAndExtractZip,
   downloadGitHubRelease,
   downloadReleaseAsset,
   getAuthHeaders,

package/dist/spawn.js

@@ -92,7 +92,7 @@ function enhanceSpawnError(error) {
   }
   const trimmedStderr = stderrText.trim();
   if (trimmedStderr) {
-    const firstLine = trimmedStderr.split("\n")[0];
+    const firstLine = trimmedStderr.split("\n")[0] ?? "";
     if (firstLine.length < 200) {
       enhancedMessage += `
 ${firstLine}`;

package/dist/spinner.js

@@ -66,7 +66,7 @@ function desc(value) {
 }
 function formatProgress(progress) {
   const { current, total, unit } = progress;
-  const percentage = Math.round(current / total * 100);
+  const percentage = total === 0 ? 0 : Math.round(current / total * 100);
   const bar = renderProgressBar(percentage);
   const count = unit ? `${current}/${total} ${unit}` : `${current}/${total}`;
   return `${bar} ${percentage}% (${count})`;

package/dist/stdio/progress.js

@@ -128,11 +128,11 @@ class ProgressBar {
    */
   render(tokens) {
     const colorFn = import_yoctocolors_cjs.default[this.options.color] || ((s) => s);
-    const percent = Math.floor(this.current / this.total * 100);
+    const percent = this.total === 0 ? 0 : Math.floor(this.current / this.total * 100);
     const elapsed = Date.now() - this.startTime;
     const eta = this.current === 0 ? 0 : elapsed / this.current * (this.total - this.current);
     const availableWidth = this.options.width;
-    const filledWidth = Math.floor(this.current / this.total * availableWidth);
+    const filledWidth = this.total === 0 ? 0 : Math.floor(this.current / this.total * availableWidth);
     const emptyWidth = availableWidth - filledWidth;
     const filled = (0, import_strings.repeatString)(this.options.complete, filledWidth);
     const empty = (0, import_strings.repeatString)(this.options.incomplete, emptyWidth);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.7.0",
-  "packageManager": "pnpm@10.29.1",
+  "version": "5.8.0",
+  "packageManager": "pnpm@10.32.0",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
   "keywords": [
@@ -103,6 +103,10 @@
       "types": "./dist/ansi.d.ts",
       "default": "./dist/ansi.js"
     },
+    "./archives": {
+      "types": "./dist/archives.d.ts",
+      "default": "./dist/archives.js"
+    },
     "./argv/flags": {
       "types": "./dist/argv/flags.d.ts",
       "default": "./dist/argv/flags.js"
@@ -679,7 +683,6 @@
       "types": "./dist/zod.d.ts",
       "default": "./dist/zod.js"
     },
-    "./biome.json": "./biome.json",
     "./data/extensions.json": "./data/extensions.json",
     "./package.json": "./package.json",
     "./tsconfig.dts.json": "./tsconfig.dts.json",
@@ -703,7 +706,11 @@
     "cover": "node scripts/test/cover.mjs",
     "dev": "node scripts/build/main.mjs --watch",
     "fix": "node scripts/lint.mjs --fix",
+    "format": "oxfmt",
+    "format:check": "oxfmt --check",
     "lint": "node scripts/lint.mjs",
+    "lint:oxlint": "oxlint .",
+    "lint:oxfmt": "oxfmt --check .",
     "prepare": "husky",
     "prepublishOnly": "pnpm run build",
     "test": "node scripts/test/main.mjs",
@@ -714,10 +721,7 @@
     "@babel/parser": "7.28.4",
     "@babel/traverse": "7.28.4",
     "@babel/types": "7.28.4",
-    "@biomejs/biome": "2.2.4",
     "@dotenvx/dotenvx": "1.49.0",
-    "@eslint/compat": "1.4.0",
-    "@eslint/js": "9.38.0",
     "@inquirer/checkbox": "4.3.1",
     "@inquirer/confirm": "5.1.16",
     "@inquirer/input": "4.2.2",
@@ -730,31 +734,27 @@
     "@socketregistry/is-unicode-supported": "1.0.5",
     "@socketregistry/packageurl-js": "1.3.5",
     "@socketregistry/yocto-spinner": "1.0.25",
-    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.5.3",
+    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.7.0",
     "@types/node": "24.9.2",
     "@typescript/native-preview": "7.0.0-dev.20250920.1",
     "@vitest/coverage-v8": "4.0.3",
     "@vitest/ui": "4.0.3",
     "@yarnpkg/core": "4.5.0",
     "@yarnpkg/extensions": "2.0.6",
+    "adm-zip": "0.5.16",
     "cacache": "20.0.1",
     "debug": "4.4.3",
     "del": "8.0.1",
     "del-cli": "6.0.0",
     "esbuild": "0.25.11",
-    "eslint": "9.35.0",
-    "eslint-import-resolver-typescript": "4.4.4",
-    "eslint-plugin-import-x": "4.16.1",
-    "eslint-plugin-n": "17.23.1",
     "eslint-plugin-sort-destructure-keys": "2.0.0",
-    "eslint-plugin-unicorn": "61.0.2",
     "fast-glob": "3.3.3",
     "fast-sort": "3.4.1",
     "get-east-asian-width": "1.3.0",
     "globals": "16.4.0",
     "has-flag": "5.0.1",
     "husky": "9.1.7",
-    "libnpmexec": "^10.2.0",
+    "libnpmexec": "10.2.3",
     "libnpmpack": "9.0.9",
     "lint-staged": "15.2.11",
     "magic-string": "0.30.17",
@@ -762,6 +762,8 @@
     "nock": "14.0.10",
     "normalize-package-data": "8.0.0",
     "npm-package-arg": "13.0.0",
+    "oxfmt": "^0.37.0",
+    "oxlint": "^1.52.0",
     "pacote": "21.0.1",
     "picomatch": "2.3.1",
     "pony-cause": "2.1.11",
@@ -771,11 +773,12 @@
     "spdx-expression-parse": "4.0.0",
     "streaming-iterables": "8.0.1",
     "supports-color": "10.0.0",
+    "tar-fs": "3.1.2",
+    "tar-stream": "3.1.8",
     "taze": "19.9.2",
     "trash": "10.0.0",
     "type-coverage": "2.29.7",
     "typescript": "5.9.2",
-    "typescript-eslint": "8.44.1",
     "validate-npm-package-name": "6.0.2",
     "vite-tsconfig-paths": "5.1.4",
     "vitest": "4.0.3",
@@ -794,23 +797,40 @@
   },
   "pnpm": {
     "overrides": {
+      "@inquirer/ansi": "1.0.2",
+      "@inquirer/core": "10.3.1",
+      "@inquirer/figures": "1.0.15",
       "@npmcli/arborist": "9.1.6",
+      "@npmcli/git": "6.0.3",
       "@npmcli/run-script": "10.0.0",
       "@sigstore/core": "3.1.0",
       "@sigstore/sign": "4.1.0",
       "ansi-regex": "6.2.2",
+      "chownr": "3.0.0",
       "debug": "4.4.3",
       "execa": "5.1.1",
       "has-flag": "5.0.1",
+      "hosted-git-info": "8.1.0",
       "isexe": "3.1.1",
       "lru-cache": "11.2.2",
+      "minimatch": "9.0.5",
+      "minipass": "7.1.3",
+      "minipass@7": "7.1.3",
+      "minipass-fetch": "4.0.1",
+      "minipass-sized": "1.0.3",
+      "minizlib": "3.1.0",
+      "npm-package-arg": "12.0.2",
+      "npm-pick-manifest": "10.0.0",
       "picomatch": "4.0.3",
       "proc-log": "6.1.0",
       "semver": "7.7.2",
       "signal-exit": "4.1.0",
+      "spdx-expression-parse": "4.0.0",
+      "ssri": "12.0.0",
       "string-width": "8.1.0",
       "strip-ansi": "7.1.2",
       "supports-color": "10.0.0",
+      "tar": "7.5.11",
       "which": "5.0.0",
       "wrap-ansi": "9.0.2",
       "yoctocolors-cjs": "2.1.3"
@@ -819,7 +839,10 @@
       "@npmcli/run-script@10.0.0": "patches/@npmcli__run-script@10.0.0.patch",
       "@sigstore/sign@4.1.0": "patches/@sigstore__sign@4.1.0.patch",
       "execa@5.1.1": "patches/execa@5.1.1.patch",
-      "node-gyp@11.5.0": "patches/node-gyp@11.5.0.patch"
+      "minipass-flush@1.0.5": "patches/minipass-flush@1.0.5.patch",
+      "minipass-pipeline@1.2.4": "patches/minipass-pipeline@1.2.4.patch",
+      "node-gyp@11.5.0": "patches/node-gyp@11.5.0.patch",
+      "minipass-sized@1.0.3": "patches/minipass-sized@1.0.3.patch"
     }
   }
 }