@socketsecurity/lib 6.0.1 → 6.0.2

package/CHANGELOG.md

@@ -5,6 +5,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [6.0.2](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.2) - 2026-05-26
+
+### Added
+
+- **`./logger/logger` and `./http-request/http-request`** as the canonical class / function-surface entries, paired with the existing `./logger/{node,browser}` and `./http-request/{node,browser}` implementations. Bundlers that honor the `'browser'` export condition pick the right impl automatically: `import { Logger } from '@socketsecurity/lib/logger/logger'` and `import { httpJson } from '@socketsecurity/lib/http-request/http-request'` work on both platforms.
+- **`./logger/default`** holds the shared-singleton accessor: `getDefaultLogger()` returns one process-wide `Logger` instance (lazily constructed). Same on both platforms.
+- **`./http-request` top-level export.** New canonical entry mirroring `./http-request/http-request`.
+- **Package trust-status helpers in `./packages/provenance`.** `getTrustStatus(meta)` extracts `{ provenance, trustedPublisher, stagedPublish }` from an npm registry version document; `getTrustLevel(status)` maps to a 0..3 ladder and `getTrustLevelName(status)` to its name; `TRUST_LEVELS` is the single source-of-truth array (index = level); `compareTrust(a, b)` is an ascending-level comparator; `didTrustDecrease(prev, next)` flags a release that regressed its supply-chain posture.
+- **`primordials/map-set` Stage 4 surface.** `getOrInsert` / `getOrInsertComputed` on `Map` / `WeakMap` plus the Set-composition methods (`union`, `intersection`, `difference`, `symmetricDifference`, `isSubsetOf`, `isSupersetOf`, `isDisjointFrom`) are ambient-declared, so consumers get types for methods Node 22+ ships but TypeScript's lib doesn't yet surface.
+
+### Changed (breaking)
+
+- **`getDefaultLogger` moved from `./logger` to `./logger/default`.** The bare `./logger` entry now exposes the `Logger` class only (matching `./logger/logger`). Migration: `import { getDefaultLogger } from '@socketsecurity/lib/logger'` → `from '@socketsecurity/lib/logger/default'`.
+- **`./logger/default` semantics shifted.** Previously `./logger/default` resolved to the Node logger source; that file is now `./logger/node`. The `./logger/default` path is the singleton accessor module.
+- **`./http-request/convenience` removed.** `httpJson` and `httpText` live on `./http-request/node` and `./http-request/browser` alongside `httpRequest` and `HttpResponseError`. Most consumers should import from `./http-request` (auto-routing) rather than the explicit leaf.
+
+### Fixed
+
+- **`./logger` auto-resolves to `./logger/browser` on browser platforms.** 6.0.1 announced this but shipped without the `'browser'` condition on the `./logger` entry, so bundlers fell through to the Node default and pulled in `node:*` builtins.
+
 ## [6.0.1](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.1) - 2026-05-25
 
 Five additive features plus public-surface polish on top of 6.0.0. The path renames drop doubled-name leaves (`spawn/spawn`, `ttl-cache/cache`, `globs/glob`, `links/link`, `promise-queue/queue`) and regroup three top-level directories whose contents were the same concept (process events) under a new `events/` umbrella. Renames are path-only; no symbol renames or behavior changes.

package/dist/constants/socket.js

@@ -77,7 +77,7 @@ const SOCKET_REGISTRY_APP_NAME = "registry";
 const SOCKET_WHEELHOUSE_APP_NAME = "wheelhouse";
 const SOCKET_APP_PREFIX = "_";
 const SOCKET_LIB_NAME = "@socketsecurity/lib";
-const SOCKET_LIB_VERSION = "6.0.1";
+const SOCKET_LIB_VERSION = "6.0.2";
 const SOCKET_IPC_HANDSHAKE = "SOCKET_IPC_HANDSHAKE";
 const CACHE_SOCKET_API_DIR = "socket-api";
 const REGISTRY = "registry";

package/dist/debug/_internal.d.ts

@@ -6,7 +6,7 @@
  *   override). Co-located so the namespace / output / caller-info leaves don't
  *   fragment ownership of this shared module state.
  */
-export declare const logger: import("../logger/default").Logger;
+export declare const logger: import("../logger/node").Logger;
 export declare const debugByNamespace: Map<any, any>;
 export { getNodeUtil as getUtil } from '../node/util';
 /**

package/dist/dlx/firewall.js

@@ -24,7 +24,7 @@ __export(firewall_exports, {
   npmPurl: () => npmPurl
 });
 module.exports = __toCommonJS(firewall_exports);
-var import_convenience = require("../http-request/convenience");
+var import_node = require("../http-request/node");
 var import_user_agent = require("../http-request/user-agent");
 var import_error = require("../primordials/error");
 var import_map_set = require("../primordials/map-set");
@@ -59,7 +59,7 @@ async function checkFirewallPurls(arb, requestedPackage) {
   await (0, import_promise.PromiseAllSettled)(
     purls.map(async ({ name, purl, version }) => {
       try {
-        const data = await (0, import_convenience.httpJson)(
+        const data = await (0, import_node.httpJson)(
           `${FIREWALL_API_URL}/${encodeURIComponent(purl)}`,
           {
             headers: { "User-Agent": (0, import_user_agent.getSocketCallerUserAgent)() },

package/dist/http-request/download-types.d.ts

@@ -6,7 +6,7 @@
  *   - `Checksums` / `FetchChecksumsOptions` — checksum-file helpers
  */
 import type { IncomingHttpHeaders } from 'node:http';
-import type { Logger } from '../logger/default';
+import type { Logger } from '../logger/node';
 /**
  * Configuration options for file downloads.
  */
@@ -55,7 +55,7 @@ export interface HttpDownloadOptions {
      *
      * @example
      *   ;```ts
-     *   import { getDefaultLogger } from '@socketsecurity/lib/logger/default'
+     *   import { getDefaultLogger } from '@socketsecurity/lib/logger/node'
      *
      *   const logger = getDefaultLogger()
      *   await httpDownload('https://example.com/file.zip', '/tmp/file.zip', {

package/dist/http-request/http-request.d.ts

@@ -0,0 +1,12 @@
+/**
+ * @file Public HTTP-request entry — re-exports the platform-correct
+ *   implementation. Bundlers that honor the package.json `'browser'` condition
+ *   (rolldown, vite, esbuild on browser platform) swap this entry to
+ *   `./browser`; Node consumers get `./node`. Same named exports (`httpJson`,
+ *   `httpText`, `httpRequest`, `HttpResponseError`) on both platforms so
+ *   callers can write `import { httpJson } from
+ *   '@socketsecurity/lib/http-request/http-request'` without caring about
+ *   platform.
+ */
+export { httpJson, httpRequest, httpText, HttpResponseError } from './node';
+export type { HttpResponse, HttpRequestOptions } from './node';

package/dist/http-request/http-request.js

@@ -0,0 +1,36 @@
+"use strict";
+/* Socket Lib - Built with esbuild */
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var http_request_exports = {};
+__export(http_request_exports, {
+  HttpResponseError: () => import_node.HttpResponseError,
+  httpJson: () => import_node.httpJson,
+  httpRequest: () => import_node.httpRequest,
+  httpText: () => import_node.httpText
+});
+module.exports = __toCommonJS(http_request_exports);
+var import_node = require("./node");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  HttpResponseError,
+  httpJson,
+  httpRequest,
+  httpText
+});

package/dist/http-request/node.d.ts

@@ -0,0 +1,29 @@
+/**
+ * @file Node-side HTTP request layer — the public surface (`httpJson`,
+ *   `httpText`, `httpRequest`, `HttpResponseError`) for consumers on Node.
+ *   Pairs with `./browser` (browser-safe variant via `fetch`); both files
+ *   expose the same named exports so the package.json `'browser'` condition can
+ *   swap them by platform without consumers changing their imports. `httpJson`
+ *   and `httpText` live here directly; `httpRequest` and the shared types are
+ *   re-exported from their dedicated leaves so the sub-imports
+ *   (`./http-request/request`, `./http-request/response-types`) stay loadable
+ *   individually for callers that don't want the convenience wrappers in their
+ *   bundle.
+ */
+import type { HttpRequestOptions } from './request-types';
+export { httpRequest } from './request';
+export { HttpResponseError } from './response-types';
+export type { HttpResponse } from './response-types';
+export type { HttpRequestOptions } from './request-types';
+/**
+ * GET / POST a JSON endpoint. Automatically sets `Accept: application/json` and
+ * `Content-Type: application/json` (when a body is present); user-supplied
+ * headers always win. Throws `HttpResponseError` on non-2xx.
+ */
+export declare function httpJson<T = unknown>(url: string, options?: HttpRequestOptions | undefined): Promise<T>;
+/**
+ * GET / POST a text endpoint. Sets `Accept: text/plain` (and `Content-Type:
+ * text/plain` on bodies); user headers override. Throws `HttpResponseError` on
+ * non-2xx.
+ */
+export declare function httpText(url: string, options?: HttpRequestOptions | undefined): Promise<string>;

package/dist/http-request/{convenience.js → node.js}

@@ -18,15 +18,19 @@ var __copyProps = (to, from, except, desc) => {
   return to;
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var convenience_exports = {};
-__export(convenience_exports, {
+var node_exports = {};
+__export(node_exports, {
+  HttpResponseError: () => import_response_types2.HttpResponseError,
   httpJson: () => httpJson,
+  httpRequest: () => import_request2.httpRequest,
   httpText: () => httpText
 });
-module.exports = __toCommonJS(convenience_exports);
+module.exports = __toCommonJS(node_exports);
 var import_error = require("../primordials/error");
 var import_request = require("./request");
 var import_response_types = require("./response-types");
+var import_request2 = require("./request");
+var import_response_types2 = require("./response-types");
 async function httpJson(url, options) {
   const {
     body,
@@ -91,6 +95,8 @@ async function httpText(url, options) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  HttpResponseError,
   httpJson,
+  httpRequest,
   httpText
 });

package/dist/logger/_internal.d.ts

@@ -1,5 +1,5 @@
 /**
- * @file Private state shared between the `logger/default` class (which owns the
+ * @file Private state shared between the `logger/node` class (which owns the
  *   public `Logger` surface) and `logger/console-init` (which mutates
  *   `Logger.prototype` to mirror `globalConsole`). The `_` prefix keeps this
  *   module out of the generated package.json `exports` map (the `dist/**\/_*`

package/dist/logger/browser.d.ts

@@ -1,16 +1,18 @@
 /**
- * @file Browser-safe Logger surface — minimal shim mirroring the public
- *   `success`/`fail`/`warn`/`error`/`info`/`log` methods of the full Node
- *   Logger, but backed by the global `console` so it works in Chrome MV3
+ * @file Browser-safe `Logger` implementation — mirrors the public `success` /
+ *   `fail` / `warn` / `error` / `info` / `log` surface of the Node `Logger`
+ *   (see `./node`) but backed by the global `console` so it works in Chrome MV3
  *   service workers, content scripts, popups, and any other browser context
- *   that doesn't have `node:process` / `node:console` / fs.
+ *   without `node:process` / `node:console` / fs. Consumers should import
+ *   `Logger` from `./logger` (auto-routed by the package.json `browser`
+ *   condition) or `./default` for the singleton. `./browser` is the
+ *   explicit-platform name; useful for tests pinning to one implementation.
  */
-export interface BrowserLogger {
-    log(message: unknown, ...args: unknown[]): BrowserLogger;
-    info(message: unknown, ...args: unknown[]): BrowserLogger;
-    warn(message: unknown, ...args: unknown[]): BrowserLogger;
-    error(message: unknown, ...args: unknown[]): BrowserLogger;
-    success(message: unknown, ...args: unknown[]): BrowserLogger;
-    fail(message: unknown, ...args: unknown[]): BrowserLogger;
+export declare class Logger {
+    log(message: unknown, ...args: unknown[]): this;
+    info(message: unknown, ...args: unknown[]): this;
+    warn(message: unknown, ...args: unknown[]): this;
+    error(message: unknown, ...args: unknown[]): this;
+    success(message: unknown, ...args: unknown[]): this;
+    fail(message: unknown, ...args: unknown[]): this;
 }
-export declare function getDefaultLogger(): BrowserLogger;

package/dist/logger/browser.js

@@ -20,14 +20,14 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var browser_exports = {};
 __export(browser_exports, {
-  getDefaultLogger: () => getDefaultLogger
+  Logger: () => Logger
 });
 module.exports = __toCommonJS(browser_exports);
 const SYM_SUCCESS = "\u2713";
 const SYM_FAIL = "\u2715";
 const SYM_WARN = "\u26A0";
 const SYM_INFO = "\u2139";
-class ConsoleBrowserLogger {
+class Logger {
   log(message, ...args) {
     console.log(message, ...args);
     return this;
@@ -52,14 +52,7 @@ class ConsoleBrowserLogger {
     return this.error(message, ...args);
   }
 }
-let sharedLogger;
-function getDefaultLogger() {
-  if (!sharedLogger) {
-    sharedLogger = new ConsoleBrowserLogger();
-  }
-  return sharedLogger;
-}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  getDefaultLogger
+  Logger
 });

package/dist/logger/console.js

@@ -38,7 +38,7 @@ var import_node_process = __toESM(require("node:process"));
 var import_object = require("../primordials/object");
 var import_reflect = require("../primordials/reflect");
 var import_internal = require("./_internal");
-var import_default = require("./default");
+var import_node = require("./node");
 var import_symbols = require("./symbols");
 let _Console;
 let _prototypeInitialized = false;
@@ -77,7 +77,7 @@ function ensurePrototypeInitialized() {
     ]
   ];
   for (const { 0: key, 1: value } of (0, import_object.ObjectEntries)(import_internal.globalConsole)) {
-    if (!import_default.Logger.prototype[key] && typeof value === "function") {
+    if (!import_node.Logger.prototype[key] && typeof value === "function") {
       const { [key]: func } = {
         [key](...args) {
           let con = import_internal.privateConsole.get(this);
@@ -110,7 +110,7 @@ function ensurePrototypeInitialized() {
       ]);
     }
   }
-  (0, import_object.ObjectDefineProperties)(import_default.Logger.prototype, (0, import_object.ObjectFromEntries)(entries));
+  (0, import_object.ObjectDefineProperties)(import_node.Logger.prototype, (0, import_object.ObjectFromEntries)(entries));
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {