@socketsecurity/lib 5.8.0 → 5.8.2

package/CHANGELOG.md

@@ -5,6 +5,35 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.8.2](https://github.com/SocketDev/socket-lib/releases/tag/v5.8.2) - 2026-03-13
+
+### Fixed
+
+- **http-request**: Download to temp file then atomically rename to prevent corruption
+  - Downloads now write to `{destPath}.download` temp file first
+  - On success, atomically renames to the destination path
+  - On failure, cleans up temp file and preserves any existing file at destination
+  - Prevents partial/corrupted files from CI caching causing extraction failures
+
+## [5.8.1](https://github.com/SocketDev/socket-lib/releases/tag/v5.8.1) - 2026-03-11
+
+### Performance
+
+- **windows**: Add comprehensive caching for expensive PATH resolution operations
+  - `getBinPath()`, `getBinPathSync()`: Cache binary path lookups
+  - `findRealBin()`: Cache `all:true` lookups and use single `whichSync({ all: true })` call
+  - `getVoltaBinPath()`: Cache Volta binary resolution
+  - `spawn()`: Cache binary path resolution before spawning
+  - `getGitPath()`: Cache git binary path
+  - `getCachedRealpath()`: New helper caching `realpathSync()` calls for git operations
+  - `findGitRoot()`: Cache git root directory lookups
+  - `findPackageJson()`: Cache package.json path lookups
+  - `readPackageJson()`: Cache parsed package.json content
+  - `resolveBinaryPath()`: Cache binary path resolution with Windows extension handling
+  - `NPM_BIN_PATH`, `NPM_REAL_EXEC_PATH`: Share npm path resolution to avoid duplicate `which.sync()` calls
+  - `ProcessLockManager.isStale()`: Use single `statSync({ throwIfNoEntry: false })` instead of `existsSync()` + `statSync()`
+  - All caches validate entries with `existsSync()` and remove stale entries automatically
+
 ## [5.8.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.8.0) - 2026-03-10
 
 ### Added

package/dist/bin.js

@@ -50,6 +50,9 @@ var import_which = __toESM(require("./external/which"));
 var import_fs = require("./fs");
 var import_normalize = require("./paths/normalize");
 var import_spawn = require("./spawn");
+const binPathCache = /* @__PURE__ */ new Map();
+const binPathAllCache = /* @__PURE__ */ new Map();
+const voltaBinCache = /* @__PURE__ */ new Map();
 let _fs;
 // @__NO_SIDE_EFFECTS__
 function getFs() {
@@ -68,7 +71,25 @@ function getPath() {
 }
 // @__NO_SIDE_EFFECTS__
 async function execBin(binPath, args, options) {
-  const resolvedPath = (0, import_normalize.isPath)(binPath) ? /* @__PURE__ */ resolveRealBinSync(binPath) : await whichReal(binPath);
+  let resolvedPath;
+  if ((0, import_normalize.isPath)(binPath)) {
+    resolvedPath = /* @__PURE__ */ resolveRealBinSync(binPath);
+  } else {
+    const cached = binPathCache.get(binPath);
+    if (cached) {
+      if ((/* @__PURE__ */ getFs()).existsSync(cached)) {
+        resolvedPath = cached;
+      } else {
+        binPathCache.delete(binPath);
+      }
+    }
+    if (!resolvedPath) {
+      resolvedPath = await whichReal(binPath);
+      if (typeof resolvedPath === "string") {
+        binPathCache.set(binPath, resolvedPath);
+      }
+    }
+  }
   if (!resolvedPath) {
     const error = new Error(
       `Binary not found: ${binPath}
@@ -93,27 +114,23 @@ To resolve:
 function findRealBin(binName, commonPaths = []) {
   const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
-  for (const binPath2 of commonPaths) {
-    if (fs.existsSync(binPath2)) {
-      return binPath2;
+  for (const binPath of commonPaths) {
+    if (fs.existsSync(binPath)) {
+      return binPath;
     }
   }
-  const binPath = import_which.default.sync(binName, { nothrow: true });
-  if (binPath) {
+  const allPaths = import_which.default.sync(binName, { all: true, nothrow: true }) || [];
+  const pathsArray = Array.isArray(allPaths) ? allPaths : typeof allPaths === "string" ? [allPaths] : [];
+  if (pathsArray.length === 0) {
+    return void 0;
+  }
+  for (const binPath of pathsArray) {
     const binDir = path.dirname(binPath);
-    if (isShadowBinPath(binDir)) {
-      const allPaths = import_which.default.sync(binName, { all: true, nothrow: true }) || [];
-      const pathsArray = Array.isArray(allPaths) ? allPaths : typeof allPaths === "string" ? [allPaths] : [];
-      for (const altPath of pathsArray) {
-        const altDir = path.dirname(altPath);
-        if (!isShadowBinPath(altDir)) {
-          return altPath;
-        }
-      }
+    if (!isShadowBinPath(binDir)) {
+      return binPath;
     }
-    return binPath;
   }
-  return void 0;
+  return pathsArray[0];
 }
 function findRealNpm() {
   const fs = /* @__PURE__ */ getFs();
@@ -199,6 +216,14 @@ function resolveRealBinSync(binPath) {
   const voltaIndex = basename === "node" ? -1 : /(?<=\/)\.volta\//i.exec(binPath)?.index ?? -1;
   if (voltaIndex !== -1) {
     const voltaPath = binPath.slice(0, voltaIndex);
+    const voltaCacheKey = `${voltaPath}:${basename}`;
+    const cachedVolta = voltaBinCache.get(voltaCacheKey);
+    if (cachedVolta) {
+      if (fs.existsSync(cachedVolta)) {
+        return cachedVolta;
+      }
+      voltaBinCache.delete(voltaCacheKey);
+    }
     const voltaToolsPath = path.join(voltaPath, "tools");
     const voltaImagePath = path.join(voltaToolsPath, "image");
     const voltaUserPath = path.join(voltaToolsPath, "user");
@@ -247,11 +272,13 @@ function resolveRealBinSync(binPath) {
       }
     }
     if (voltaBinPath) {
+      let resolvedVoltaPath = voltaBinPath;
       try {
-        return (0, import_normalize.normalizePath)(fs.realpathSync.native(voltaBinPath));
+        resolvedVoltaPath = (0, import_normalize.normalizePath)(fs.realpathSync.native(voltaBinPath));
       } catch {
       }
-      return voltaBinPath;
+      voltaBinCache.set(voltaCacheKey, resolvedVoltaPath);
+      return resolvedVoltaPath;
     }
   }
   if (import_platform.WIN32) {
@@ -392,28 +419,78 @@ async function which(binName, options) {
   }
 }
 async function whichReal(binName, options) {
+  const fs = /* @__PURE__ */ getFs();
   const opts = { nothrow: true, ...options };
+  if (opts.all) {
+    const cachedAll = binPathAllCache.get(binName);
+    if (cachedAll && cachedAll.length > 0) {
+      if (fs.existsSync(cachedAll[0])) {
+        return cachedAll;
+      }
+      binPathAllCache.delete(binName);
+    }
+  } else {
+    const cached = binPathCache.get(binName);
+    if (cached) {
+      if (fs.existsSync(cached)) {
+        return cached;
+      }
+      binPathCache.delete(binName);
+    }
+  }
   const result = await (0, import_which.default)(binName, opts);
   if (opts?.all) {
     const paths = Array.isArray(result) ? result : typeof result === "string" ? [result] : void 0;
-    return paths?.length ? paths.map((p) => /* @__PURE__ */ resolveRealBinSync(p)) : paths;
+    if (paths?.length) {
+      const resolved2 = paths.map((p) => /* @__PURE__ */ resolveRealBinSync(p));
+      binPathAllCache.set(binName, resolved2);
+      return resolved2;
+    }
+    return paths;
   }
   if (!result) {
     return void 0;
   }
-  return /* @__PURE__ */ resolveRealBinSync(result);
+  const resolved = /* @__PURE__ */ resolveRealBinSync(result);
+  binPathCache.set(binName, resolved);
+  return resolved;
 }
 function whichRealSync(binName, options) {
+  const fs = /* @__PURE__ */ getFs();
   const opts = { nothrow: true, ...options };
+  if (opts.all) {
+    const cachedAll = binPathAllCache.get(binName);
+    if (cachedAll && cachedAll.length > 0) {
+      if (fs.existsSync(cachedAll[0])) {
+        return cachedAll;
+      }
+      binPathAllCache.delete(binName);
+    }
+  } else {
+    const cached = binPathCache.get(binName);
+    if (cached) {
+      if (fs.existsSync(cached)) {
+        return cached;
+      }
+      binPathCache.delete(binName);
+    }
+  }
   const result = whichSync(binName, opts);
   if (opts.all) {
     const paths = Array.isArray(result) ? result : typeof result === "string" ? [result] : void 0;
-    return paths?.length ? paths.map((p) => /* @__PURE__ */ resolveRealBinSync(p)) : paths;
+    if (paths?.length) {
+      const resolved2 = paths.map((p) => /* @__PURE__ */ resolveRealBinSync(p));
+      binPathAllCache.set(binName, resolved2);
+      return resolved2;
+    }
+    return paths;
   }
   if (!result) {
     return void 0;
   }
-  return /* @__PURE__ */ resolveRealBinSync(result);
+  const resolved = /* @__PURE__ */ resolveRealBinSync(result);
+  binPathCache.set(binName, resolved);
+  return resolved;
 }
 function whichSync(binName, options) {
   if ((0, import_normalize.isPath)(binName)) {

package/dist/constants/agents.d.ts

@@ -5,7 +5,6 @@ export declare const YARN = "yarn";
 export declare const BUN = "bun";
 export declare const VLT = "vlt";
 export declare const NPX = "npx";
-// NPM binary path - resolved at runtime using which.
 export declare const NPM_BIN_PATH: string;
 // NPM CLI entry point - resolved at runtime from npm bin location.
 // NOTE: This is kept for backward compatibility but NPM_BIN_PATH should be used instead

package/dist/constants/agents.js

@@ -61,22 +61,22 @@ const YARN = "yarn";
 const BUN = "bun";
 const VLT = "vlt";
 const NPX = "npx";
-const NPM_BIN_PATH = /* @__PURE__ */ (() => {
+const _npmBinPath = /* @__PURE__ */ (() => {
   try {
-    return import_which.default.sync("npm", { nothrow: true }) || "npm";
+    return import_which.default.sync("npm", { nothrow: true }) || null;
   } catch {
-    return "npm";
+    return null;
   }
 })();
+const NPM_BIN_PATH = _npmBinPath || "npm";
 const NPM_REAL_EXEC_PATH = /* @__PURE__ */ (() => {
   try {
-    const { existsSync } = require("fs");
-    const path = require("path");
-    const npmBin = import_which.default.sync("npm", { nothrow: true });
-    if (!npmBin) {
+    if (!_npmBinPath) {
       return void 0;
     }
-    const npmDir = path.dirname(npmBin);
+    const { existsSync } = require("fs");
+    const path = require("path");
+    const npmDir = path.dirname(_npmBinPath);
     const nodeModulesPath = path.join(
       npmDir,
       "..",

package/dist/dlx/detect.js

@@ -46,20 +46,50 @@ function getPath() {
   return _path;
 }
 const NODE_JS_EXTENSIONS = /* @__PURE__ */ new Set([".js", ".mjs", ".cjs"]);
+const packageJsonPathCache = /* @__PURE__ */ new Map();
+const packageJsonContentCache = /* @__PURE__ */ new Map();
 function findPackageJson(filePath) {
   const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
-  let currentDir = path.dirname(path.resolve(filePath));
+  const startDir = path.dirname(path.resolve(filePath));
+  const cached = packageJsonPathCache.get(startDir);
+  if (cached !== void 0) {
+    if (cached === null) {
+      return void 0;
+    }
+    if (fs.existsSync(cached)) {
+      return cached;
+    }
+    packageJsonPathCache.delete(startDir);
+  }
+  let currentDir = startDir;
   const root = path.parse(currentDir).root;
   while (currentDir !== root) {
     const packageJsonPath = path.join(currentDir, "package.json");
     if (fs.existsSync(packageJsonPath)) {
+      packageJsonPathCache.set(startDir, packageJsonPath);
       return packageJsonPath;
     }
     currentDir = path.dirname(currentDir);
   }
+  packageJsonPathCache.set(startDir, null);
   return void 0;
 }
+function readPackageJson(packageJsonPath) {
+  const fs = /* @__PURE__ */ getFs();
+  const cached = packageJsonContentCache.get(packageJsonPath);
+  if (cached !== void 0) {
+    return cached;
+  }
+  try {
+    const content = JSON.parse(fs.readFileSync(packageJsonPath, "utf8"));
+    packageJsonContentCache.set(packageJsonPath, content);
+    return content;
+  } catch {
+    packageJsonContentCache.set(packageJsonPath, null);
+    return null;
+  }
+}
 function detectDlxExecutableType(filePath) {
   const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
@@ -88,20 +118,16 @@ function detectExecutableType(filePath) {
   return detectLocalExecutableType(filePath);
 }
 function detectLocalExecutableType(filePath) {
-  const fs = /* @__PURE__ */ getFs();
   const packageJsonPath = findPackageJson(filePath);
   if (packageJsonPath !== void 0) {
-    try {
-      const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, "utf8"));
-      if (packageJson.bin) {
-        return {
-          type: "package",
-          method: "package-json",
-          packageJsonPath,
-          inDlxCache: false
-        };
-      }
-    } catch {
+    const packageJson = readPackageJson(packageJsonPath);
+    if (packageJson?.bin) {
+      return {
+        type: "package",
+        method: "package-json",
+        packageJsonPath,
+        inDlxCache: false
+      };
     }
   }
   if (isJsFilePath(filePath)) {

package/dist/dlx/package.js

@@ -314,15 +314,24 @@ function parsePackageSpec(spec) {
     };
   }
 }
+const binaryPathCache = /* @__PURE__ */ new Map();
 function resolveBinaryPath(basePath) {
   if (!import_platform.WIN32) {
     return basePath;
   }
   const fs = /* @__PURE__ */ getFs();
+  const cached = binaryPathCache.get(basePath);
+  if (cached) {
+    if (fs.existsSync(cached)) {
+      return cached;
+    }
+    binaryPathCache.delete(basePath);
+  }
   const extensions = [".cmd", ".bat", ".ps1", ".exe", ""];
   for (const ext of extensions) {
     const testPath = basePath + ext;
     if (fs.existsSync(testPath)) {
+      binaryPathCache.set(basePath, testPath);
       return testPath;
     }
   }

package/dist/git.js

@@ -34,6 +34,7 @@ __export(git_exports, {
   isUnstagedSync: () => isUnstagedSync
 });
 module.exports = __toCommonJS(git_exports);
+var import_bin = require("./bin");
 var import_debug = require("./debug");
 var import_globs = require("./globs");
 var import_normalize = require("./paths/normalize");
@@ -66,8 +67,28 @@ function evictLRUGitCache() {
     }
   }
 }
+let _gitPath;
+const realpathCache = /* @__PURE__ */ new Map();
+const gitRootCache = /* @__PURE__ */ new Map();
+function getCachedRealpath(pathname) {
+  const fs = /* @__PURE__ */ getFs();
+  const cached = realpathCache.get(pathname);
+  if (cached) {
+    if (fs.existsSync(cached)) {
+      return cached;
+    }
+    realpathCache.delete(pathname);
+  }
+  const resolved = fs.realpathSync(pathname);
+  realpathCache.set(pathname, resolved);
+  return resolved;
+}
 function getGitPath() {
-  return "git";
+  if (_gitPath === void 0) {
+    const resolved = (0, import_bin.whichSync)("git", { nothrow: true });
+    _gitPath = typeof resolved === "string" ? resolved : "git";
+  }
+  return _gitPath;
 }
 function getCwd() {
   return (/* @__PURE__ */ getFs()).realpathSync(process.cwd());
@@ -165,11 +186,19 @@ function innerDiffSync(args, options) {
 function findGitRoot(startPath) {
   const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
+  const cached = gitRootCache.get(startPath);
+  if (cached) {
+    if (fs.existsSync(path.join(cached, ".git"))) {
+      return cached;
+    }
+    gitRootCache.delete(startPath);
+  }
   let currentPath = startPath;
   while (true) {
     try {
       const gitPath = path.join(currentPath, ".git");
       if (fs.existsSync(gitPath)) {
+        gitRootCache.set(startPath, currentPath);
         return currentPath;
       }
     } catch {
@@ -189,9 +218,8 @@ function parseGitDiffStdout(stdout, options, spawnCwd) {
     porcelain = false,
     ...matcherOptions
   } = { __proto__: null, ...options };
-  const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
-  const cwd = cwdOption === defaultRoot ? defaultRoot : fs.realpathSync(cwdOption);
+  const cwd = cwdOption === defaultRoot ? defaultRoot : getCachedRealpath(cwdOption);
   const rootPath = defaultRoot;
   let rawFiles = stdout ? (0, import_strings.stripAnsi)(stdout).split("\n").map((line) => line.trimEnd()).filter((line) => line) : [];
   if (porcelain) {
@@ -255,10 +283,9 @@ async function isChanged(pathname, options) {
     ...options,
     absolute: false
   });
-  const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
-  const resolvedPathname = fs.realpathSync(pathname);
-  const baseCwd = options?.cwd ? fs.realpathSync(options["cwd"]) : getCwd();
+  const resolvedPathname = getCachedRealpath(pathname);
+  const baseCwd = options?.cwd ? getCachedRealpath(options["cwd"]) : getCwd();
   const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
   return files.includes(relativePath);
 }
@@ -268,11 +295,10 @@ function isChangedSync(pathname, options) {
     ...options,
     absolute: false
   });
-  const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
   try {
-    const resolvedPathname = fs.realpathSync(pathname);
-    const baseCwd = options?.cwd ? fs.realpathSync(options["cwd"]) : getCwd();
+    const resolvedPathname = getCachedRealpath(pathname);
+    const baseCwd = options?.cwd ? getCachedRealpath(options["cwd"]) : getCwd();
     const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
     return files.includes(relativePath);
   } catch {
@@ -285,10 +311,9 @@ async function isUnstaged(pathname, options) {
     ...options,
     absolute: false
   });
-  const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
-  const resolvedPathname = fs.realpathSync(pathname);
-  const baseCwd = options?.cwd ? fs.realpathSync(options["cwd"]) : getCwd();
+  const resolvedPathname = getCachedRealpath(pathname);
+  const baseCwd = options?.cwd ? getCachedRealpath(options["cwd"]) : getCwd();
   const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
   return files.includes(relativePath);
 }
@@ -298,10 +323,9 @@ function isUnstagedSync(pathname, options) {
     ...options,
     absolute: false
   });
-  const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
-  const resolvedPathname = fs.realpathSync(pathname);
-  const baseCwd = options?.cwd ? fs.realpathSync(options["cwd"]) : getCwd();
+  const resolvedPathname = getCachedRealpath(pathname);
+  const baseCwd = options?.cwd ? getCachedRealpath(options["cwd"]) : getCwd();
   const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
   return files.includes(relativePath);
 }
@@ -311,10 +335,9 @@ async function isStaged(pathname, options) {
     ...options,
     absolute: false
   });
-  const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
-  const resolvedPathname = fs.realpathSync(pathname);
-  const baseCwd = options?.cwd ? fs.realpathSync(options["cwd"]) : getCwd();
+  const resolvedPathname = getCachedRealpath(pathname);
+  const baseCwd = options?.cwd ? getCachedRealpath(options["cwd"]) : getCwd();
   const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
   return files.includes(relativePath);
 }
@@ -324,10 +347,9 @@ function isStagedSync(pathname, options) {
     ...options,
     absolute: false
   });
-  const fs = /* @__PURE__ */ getFs();
   const path = /* @__PURE__ */ getPath();
-  const resolvedPathname = fs.realpathSync(pathname);
-  const baseCwd = options?.cwd ? fs.realpathSync(options["cwd"]) : getCwd();
+  const resolvedPathname = getCachedRealpath(pathname);
+  const baseCwd = options?.cwd ? getCachedRealpath(options["cwd"]) : getCwd();
   const relativePath = (0, import_normalize.normalizePath)(path.relative(baseCwd, resolvedPathname));
   return files.includes(relativePath);
 }

package/dist/http-request.js

@@ -25,6 +25,7 @@ __export(http_request_exports, {
   httpText: () => httpText
 });
 module.exports = __toCommonJS(http_request_exports);
+var import_fs = require("./fs.js");
 let _fs;
 // @__NO_SIDE_EFFECTS__
 function getFs() {
@@ -308,18 +309,31 @@ async function httpDownload(url, destPath, options) {
       }
     };
   }
+  const fs = /* @__PURE__ */ getFs();
+  const tempPath = `${destPath}.download`;
+  if (fs.existsSync(tempPath)) {
+    await (0, import_fs.safeDelete)(tempPath);
+  }
   let lastError;
   for (let attempt = 0; attempt <= retries; attempt++) {
     try {
-      return await httpDownloadAttempt(url, destPath, {
+      const result = await httpDownloadAttempt(url, tempPath, {
         followRedirects,
         headers,
         maxRedirects,
         onProgress: progressCallback,
         timeout
       });
+      await fs.promises.rename(tempPath, destPath);
+      return {
+        path: destPath,
+        size: result.size
+      };
     } catch (e) {
       lastError = e;
+      if (fs.existsSync(tempPath)) {
+        await (0, import_fs.safeDelete)(tempPath);
+      }
       if (attempt === retries) {
         break;
       }

package/dist/process-lock.js

@@ -123,10 +123,10 @@ class ProcessLockManager {
    */
   isStale(lockPath, staleMs) {
     try {
-      if (!existsSync(lockPath)) {
+      const stats = statSync(lockPath, { throwIfNoEntry: false });
+      if (!stats) {
         return false;
       }
-      const stats = statSync(lockPath);
       const ageSeconds = Math.floor((Date.now() - stats.mtime.getTime()) / 1e3);
       const staleSeconds = Math.floor(staleMs / 1e3);
       return ageSeconds > staleSeconds;
@@ -169,7 +169,7 @@ class ProcessLockManager {
     return await (0, import_promises.pRetry)(
       async () => {
         try {
-          if (existsSync(lockPath) && this.isStale(lockPath, staleMs)) {
+          if (this.isStale(lockPath, staleMs)) {
             logger.log(`Removing stale lock: ${lockPath}`);
             try {
               (0, import_fs.safeDeleteSync)(lockPath, { recursive: true });

package/dist/spawn.js

@@ -53,9 +53,18 @@ function getPath() {
   }
   return _path;
 }
+let _fs;
+// @__NO_SIDE_EFFECTS__
+function getFs() {
+  if (_fs === void 0) {
+    _fs = require("fs");
+  }
+  return _fs;
+}
 const abortSignal = (0, import_process.getAbortSignal)();
 const spinner = (0, import_spinner.getDefaultSpinner)();
 const stackCache = /* @__PURE__ */ new WeakMap();
+const spawnBinPathCache = /* @__PURE__ */ new Map();
 const windowsScriptExtRegExp = /\.(?:cmd|bat|ps1)$/i;
 let _child_process;
 // @__NO_SIDE_EFFECTS__
@@ -178,14 +187,28 @@ function spawn(cmd, args, options, extra) {
   const cwd = spawnOptions.cwd ? String(spawnOptions.cwd) : void 0;
   let actualCmd = cmd;
   if (!(0, import_normalize.isPath)(cmd)) {
-    const resolved = (0, import_bin.whichSync)(cmd, { cwd, nothrow: true });
-    if (resolved && typeof resolved === "string") {
-      actualCmd = resolved;
+    const fs = /* @__PURE__ */ getFs();
+    const cached = spawnBinPathCache.get(cmd);
+    if (cached) {
+      if (fs.existsSync(cached)) {
+        actualCmd = cached;
+      } else {
+        spawnBinPathCache.delete(cmd);
+      }
+    }
+    if (actualCmd === cmd) {
+      const resolved = (0, import_bin.whichSync)(cmd, { cwd, nothrow: true });
+      if (resolved && typeof resolved === "string") {
+        actualCmd = resolved;
+        spawnBinPathCache.set(cmd, resolved);
+      }
     }
   }
   const WIN32 = process.platform === "win32";
   if (WIN32 && shell && windowsScriptExtRegExp.test(actualCmd)) {
-    actualCmd = (/* @__PURE__ */ getPath()).basename(actualCmd, (/* @__PURE__ */ getPath()).extname(actualCmd));
+    if (!(0, import_normalize.isPath)(actualCmd)) {
+      actualCmd = (/* @__PURE__ */ getPath()).basename(actualCmd, (/* @__PURE__ */ getPath()).extname(actualCmd));
+    }
   }
   const wasSpinning = !!spinnerInstance?.isSpinning;
   const shouldStopSpinner = wasSpinning && !/* @__PURE__ */ isStdioType(stdio, "ignore") && !/* @__PURE__ */ isStdioType(stdio, "pipe");
@@ -269,7 +292,9 @@ function spawnSync(cmd, args, options) {
   const shell = (0, import_objects.getOwn)(options, "shell");
   const WIN32 = process.platform === "win32";
   if (WIN32 && shell && windowsScriptExtRegExp.test(actualCmd)) {
-    actualCmd = (/* @__PURE__ */ getPath()).basename(actualCmd, (/* @__PURE__ */ getPath()).extname(actualCmd));
+    if (!(0, import_normalize.isPath)(actualCmd)) {
+      actualCmd = (/* @__PURE__ */ getPath()).basename(actualCmd, (/* @__PURE__ */ getPath()).extname(actualCmd));
+    }
   }
   const { stripAnsi: shouldStripAnsi = true, ...rawSpawnOptions } = {
     __proto__: null,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.8.0",
-  "packageManager": "pnpm@10.32.0",
+  "version": "5.8.2",
+  "packageManager": "pnpm@10.32.1",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
   "keywords": [
@@ -734,7 +734,7 @@
     "@socketregistry/is-unicode-supported": "1.0.5",
     "@socketregistry/packageurl-js": "1.3.5",
     "@socketregistry/yocto-spinner": "1.0.25",
-    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.7.0",
+    "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.8.1",
     "@types/node": "24.9.2",
     "@typescript/native-preview": "7.0.0-dev.20250920.1",
     "@vitest/coverage-v8": "4.0.3",
@@ -763,7 +763,7 @@
     "normalize-package-data": "8.0.0",
     "npm-package-arg": "13.0.0",
     "oxfmt": "^0.37.0",
-    "oxlint": "^1.52.0",
+    "oxlint": "1.53.0",
     "pacote": "21.0.1",
     "picomatch": "2.3.1",
     "pony-cause": "2.1.11",
@@ -815,9 +815,9 @@
       "lru-cache": "11.2.2",
       "minimatch": "9.0.5",
       "minipass": "7.1.3",
-      "minipass@7": "7.1.3",
       "minipass-fetch": "4.0.1",
       "minipass-sized": "1.0.3",
+      "minipass@7": "7.1.3",
       "minizlib": "3.1.0",
       "npm-package-arg": "12.0.2",
       "npm-pick-manifest": "10.0.0",