@socketsecurity/lib 6.0.1 → 6.0.3

package/CHANGELOG.md

@@ -5,6 +5,44 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [6.0.3](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.3) - 2026-05-26
+
+### Added
+
+- **`paths/walk` — `walkUp(from, { cwd, stopAt })`.** Lazy generator yielding a path then each ancestor up to (and including) the filesystem root or a `stopAt` boundary. `fs/find-up` now builds on it.
+- **`fs/access` — `canAccess` / `canRead` / `canWrite` / `canExecute`.** Sync boolean permission checks over `fs.accessSync` (F_OK / R_OK / W_OK / X_OK). For "I'm about to write" prefer attempting the write over a pre-check (TOCTOU); use these when the answer drives a branch.
+- **`fs/resolve-module` — `requireResolveFrom(fromDir, specifier)` / `requireResolveFromCwd(specifier)`.** `require.resolve` anchored at an arbitrary directory (e.g. "the `typescript` THIS project would load"). `nothrow: true` returns `undefined` instead of throwing.
+- **`releases/github-retry-config` — `GITHUB_RETRY_CONFIG`, `resolveBaseDelayMs()`, `DEFAULT_BASE_DELAY_MS`.** Shared backoff config for the GitHub release helpers. The base retry delay is overridable via the `SOCKET_GITHUB_RETRY_BASE_DELAY_MS` env var (default 5000ms; set `0` for near-instant retries) — useful in CI / tests to skip the exponential-backoff wait.
+- **`smol/path` — `getSmolPath()`.** Lazy accessor for socket-btm's `node:smol-path` native binding; `undefined` on stock Node. `walkUp`, `canAccess`, and `findUp` now prefer the native fast path (`dirname` / `access` / batched find-up) when running on a smol binary and fall back to the JS implementation otherwise — transparent to callers.
+
+### Changed (breaking)
+
+- **`ai/profiles` exports a single `AI_PROFILE` capability ladder** instead of the four standalone `*_PROFILE` constants. The tiers are `AI_PROFILE.read` ⊂ `.edit` ⊂ `.create` ⊂ `.full`, ordered least-to-most capable. Migration: `READ_ONLY_PROFILE` → `AI_PROFILE.read`; `EDIT_ONLY_PROFILE` → `AI_PROFILE.create` (the old `EDIT_ONLY` allowed `Write`/`MultiEdit`); `FULL_FIX_PROFILE` → `AI_PROFILE.full`. New `AI_PROFILE.edit` is the narrowest fix tier — `Edit` on existing files only, no `Write`/`MultiEdit` — for lint autofix and in-place codemods.
+
+### Changed
+
+- **Every `AI_PROFILE` tier now denies `Agent`.** Sub-agent spawning is blocked across all profiles, since a sub-agent can escape the parent's tool restrictions.
+
+## [6.0.2](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.2) - 2026-05-26
+
+### Added
+
+- **`./logger/logger` and `./http-request/http-request`** as the canonical class / function-surface entries, paired with the existing `./logger/{node,browser}` and `./http-request/{node,browser}` implementations. Bundlers that honor the `'browser'` export condition pick the right impl automatically: `import { Logger } from '@socketsecurity/lib/logger/logger'` and `import { httpJson } from '@socketsecurity/lib/http-request/http-request'` work on both platforms.
+- **`./logger/default`** holds the shared-singleton accessor: `getDefaultLogger()` returns one process-wide `Logger` instance (lazily constructed). Same on both platforms.
+- **`./http-request` top-level export.** New canonical entry mirroring `./http-request/http-request`.
+- **Package trust-status helpers in `./packages/provenance`.** `getTrustStatus(meta)` extracts `{ provenance, trustedPublisher, stagedPublish }` from an npm registry version document; `getTrustLevel(status)` maps to a 0..3 ladder and `getTrustLevelName(status)` to its name; `TRUST_LEVELS` is the single source-of-truth array (index = level); `compareTrust(a, b)` is an ascending-level comparator; `didTrustDecrease(prev, next)` flags a release that regressed its supply-chain posture.
+- **`primordials/map-set` Stage 4 surface.** `getOrInsert` / `getOrInsertComputed` on `Map` / `WeakMap` plus the Set-composition methods (`union`, `intersection`, `difference`, `symmetricDifference`, `isSubsetOf`, `isSupersetOf`, `isDisjointFrom`) are ambient-declared, so consumers get types for methods Node 22+ ships but TypeScript's lib doesn't yet surface.
+
+### Changed (breaking)
+
+- **`getDefaultLogger` moved from `./logger` to `./logger/default`.** The bare `./logger` entry now exposes the `Logger` class only (matching `./logger/logger`). Migration: `import { getDefaultLogger } from '@socketsecurity/lib/logger'` → `from '@socketsecurity/lib/logger/default'`.
+- **`./logger/default` semantics shifted.** Previously `./logger/default` resolved to the Node logger source; that file is now `./logger/node`. The `./logger/default` path is the singleton accessor module.
+- **`./http-request/convenience` removed.** `httpJson` and `httpText` live on `./http-request/node` and `./http-request/browser` alongside `httpRequest` and `HttpResponseError`. Most consumers should import from `./http-request` (auto-routing) rather than the explicit leaf.
+
+### Fixed
+
+- **`./logger` auto-resolves to `./logger/browser` on browser platforms.** 6.0.1 announced this but shipped without the `'browser'` condition on the `./logger` entry, so bundlers fell through to the Node default and pulled in `node:*` builtins.
+
 ## [6.0.1](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.1) - 2026-05-25
 
 Five additive features plus public-surface polish on top of 6.0.0. The path renames drop doubled-name leaves (`spawn/spawn`, `ttl-cache/cache`, `globs/glob`, `links/link`, `promise-queue/queue`) and regroup three top-level directories whose contents were the same concept (process events) under a new `events/` umbrella. Renames are path-only; no symbol renames or behavior changes.

package/dist/ai/profiles.d.mts

@@ -2,38 +2,61 @@
  * @file Pre-built lockdown profiles for spawnAiAgent. Per CLAUDE.md
  *   "Programmatic Claude calls" rule: every spawn must set tools / disallow /
  *   permissionMode (and the helper always sets --no-session-persistence +
- *   --add-dir cwd). These profiles are canonical safe defaults that callers
- *   spread + override per call. Choose by capability:
+ *   --add-dir cwd). `AI_PROFILE` is a capability ladder — each tier permits
+ *   everything the tier above it does, plus one more capability. Spread a tier
+ *   and override per call (`tools`/`disallow` to tighten further, `model`,
+ *   `addDirs`). Choose the LEAST-capable tier that gets the job done:
  *
- *   - `READ_ONLY_PROFILE` — research / scanning. Read + Grep + Glob
- *   - WebFetch + WebSearch. No Edit, no Write, no Bash. Use for static analysis
- *     skills (scanning-quality, scanning-security).
- *   - `EDIT_ONLY_PROFILE` — fix-mode. Read + Edit + Grep + Glob. Bash explicitly
- *     denied. Use for skills that mutate source files but don't run arbitrary
- *     shell (ai-lint-fix, refactor passes).
- *   - `FULL_FIX_PROFILE` — fix-mode WITH Bash. Read + Edit + Write + Grep + Glob
- *   - Bash (allowlisted to git/pnpm/node by default). Use for skills that need to
- *     commit, run tests, install deps. No `WIDE_OPEN_PROFILE` exists by design
- *     — letting an agent run arbitrary tools is the lockdown rule's exact
- *     failure mode.
+ *   - `AI_PROFILE.read` — research / scanning. Read + Grep + Glob + WebFetch +
+ *     WebSearch. No Edit, no Write, no Bash. Static-analysis skills
+ *     (scanning-quality, scanning-security).
+ *   - `AI_PROFILE.edit` — in-place edits only. Read + Edit + Grep + Glob. NO
+ *     Write (can't create files), NO MultiEdit, NO Bash. Lint autofix /
+ *     codemods constrained to existing files.
+ *   - `AI_PROFILE.create` — edit AND create files. Adds MultiEdit + Write on top
+ *     of `.edit`. Still no Bash. Codegen, adding a test, refactors that split
+ *     modules.
+ *   - `AI_PROFILE.full` — `.create` plus Bash, allowlisted to git / pnpm / node.
+ *     Skills that commit, run tests, install deps. No "wide open" tier exists
+ *     by design — letting an agent run arbitrary tools is the lockdown rule's
+ *     exact failure mode. The ladder is read ⊂ edit ⊂ create ⊂ full: each
+ *     tier's tool set is a superset of the one above.
  */
 import type { PermissionMode } from './types.mts';
-interface Profile {
+export interface AiProfile {
     readonly allow: readonly string[];
     readonly disallow: readonly string[];
     readonly permissionMode: PermissionMode;
     readonly tools: readonly string[];
 }
 /**
- * Read-only research / scanning. No mutation.
+ * Capability ladder of lockdown profiles, ordered least → most capable. Key
+ * order documents the ladder; each tier is a strict superset of the previous
+ * tier's tool surface.
  */
-export declare const READ_ONLY_PROFILE: Profile;
-/**
- * Edit-mode without Bash. Mutates source but can't run shell.
- */
-export declare const EDIT_ONLY_PROFILE: Profile;
-/**
- * Fix-mode with Bash, allowlisted to git / pnpm / node.
- */
-export declare const FULL_FIX_PROFILE: Profile;
-export {};
+export declare const AI_PROFILE: {
+    readonly read: {
+        readonly allow: readonly [];
+        readonly disallow: readonly ["Agent", "Bash", "Edit", "MultiEdit", "Write"];
+        readonly permissionMode: 'dontAsk';
+        readonly tools: readonly ["Glob", "Grep", "Read", "WebFetch", "WebSearch"];
+    };
+    readonly edit: {
+        readonly allow: readonly [];
+        readonly disallow: readonly ["Agent", "Bash", "MultiEdit", "WebFetch", "WebSearch", "Write"];
+        readonly permissionMode: 'acceptEdits';
+        readonly tools: readonly ["Edit", "Glob", "Grep", "Read"];
+    };
+    readonly create: {
+        readonly allow: readonly [];
+        readonly disallow: readonly ["Agent", "Bash", "WebFetch", "WebSearch"];
+        readonly permissionMode: 'acceptEdits';
+        readonly tools: readonly ["Edit", "Glob", "Grep", "MultiEdit", "Read", "Write"];
+    };
+    readonly full: {
+        readonly allow: readonly ["Bash(git status:*)", "Bash(git diff:*)", "Bash(git log:*)", "Bash(git add:*)", "Bash(git commit:*)", "Bash(node:*)", "Bash(pnpm exec:*)", "Bash(pnpm run:*)", "Bash(pnpm test:*)"];
+        readonly disallow: readonly ["Agent", "WebFetch", "WebSearch"];
+        readonly permissionMode: 'acceptEdits';
+        readonly tools: readonly ["Bash", "Edit", "Glob", "Grep", "MultiEdit", "Read", "Write"];
+    };
+};

package/dist/ai/profiles.js

@@ -20,42 +20,49 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var profiles_exports = {};
 __export(profiles_exports, {
-  EDIT_ONLY_PROFILE: () => EDIT_ONLY_PROFILE,
-  FULL_FIX_PROFILE: () => FULL_FIX_PROFILE,
-  READ_ONLY_PROFILE: () => READ_ONLY_PROFILE
+  AI_PROFILE: () => AI_PROFILE
 });
 module.exports = __toCommonJS(profiles_exports);
-const READ_ONLY_PROFILE = {
-  allow: [],
-  disallow: ["Bash", "Edit", "MultiEdit", "Write"],
-  permissionMode: "dontAsk",
-  tools: ["Glob", "Grep", "Read", "WebFetch", "WebSearch"]
-};
-const EDIT_ONLY_PROFILE = {
-  allow: [],
-  disallow: ["Bash", "WebFetch", "WebSearch"],
-  permissionMode: "acceptEdits",
-  tools: ["Edit", "Glob", "Grep", "MultiEdit", "Read", "Write"]
-};
-const FULL_FIX_PROFILE = {
-  allow: [
-    "Bash(git status:*)",
-    "Bash(git diff:*)",
-    "Bash(git log:*)",
-    "Bash(git add:*)",
-    "Bash(git commit:*)",
-    "Bash(node:*)",
-    "Bash(pnpm exec:*)",
-    "Bash(pnpm run:*)",
-    "Bash(pnpm test:*)"
-  ],
-  disallow: ["WebFetch", "WebSearch"],
-  permissionMode: "acceptEdits",
-  tools: ["Bash", "Edit", "Glob", "Grep", "MultiEdit", "Read", "Write"]
+const AI_PROFILE = {
+  read: {
+    allow: [],
+    disallow: ["Agent", "Bash", "Edit", "MultiEdit", "Write"],
+    permissionMode: "dontAsk",
+    tools: ["Glob", "Grep", "Read", "WebFetch", "WebSearch"]
+  },
+  // No Write / MultiEdit: edits land in existing files, never create new ones.
+  edit: {
+    allow: [],
+    disallow: ["Agent", "Bash", "MultiEdit", "WebFetch", "WebSearch", "Write"],
+    permissionMode: "acceptEdits",
+    tools: ["Edit", "Glob", "Grep", "Read"]
+  },
+  // MultiEdit + Write added: may create files. Bash still denied.
+  create: {
+    allow: [],
+    disallow: ["Agent", "Bash", "WebFetch", "WebSearch"],
+    permissionMode: "acceptEdits",
+    tools: ["Edit", "Glob", "Grep", "MultiEdit", "Read", "Write"]
+  },
+  // Bash allowlisted to git / pnpm / node only; anything else is denied.
+  full: {
+    allow: [
+      "Bash(git status:*)",
+      "Bash(git diff:*)",
+      "Bash(git log:*)",
+      "Bash(git add:*)",
+      "Bash(git commit:*)",
+      "Bash(node:*)",
+      "Bash(pnpm exec:*)",
+      "Bash(pnpm run:*)",
+      "Bash(pnpm test:*)"
+    ],
+    disallow: ["Agent", "WebFetch", "WebSearch"],
+    permissionMode: "acceptEdits",
+    tools: ["Bash", "Edit", "Glob", "Grep", "MultiEdit", "Read", "Write"]
+  }
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  EDIT_ONLY_PROFILE,
-  FULL_FIX_PROFILE,
-  READ_ONLY_PROFILE
+  AI_PROFILE
 });

package/dist/ai/spawn.d.mts

@@ -30,11 +30,11 @@ export declare function pickAgent(requested: AiAgentName | undefined, cwd: strin
  *
  * @example
  *   ```ts
- *   import { EDIT_ONLY_PROFILE } from '@socketsecurity/lib/ai/profiles'
+ *   import { AI_PROFILE } from '@socketsecurity/lib/ai/profiles'
  *   import { spawnAiAgent } from '@socketsecurity/lib/ai/spawn'
  *
  *   const result = await spawnAiAgent({
- *   ...EDIT_ONLY_PROFILE,
+ *   ...AI_PROFILE.edit,
  *   prompt: 'Fix the lint findings in src/foo.ts',
  *   cwd: process.cwd(),
  *   model: 'claude-sonnet-4-6',

package/dist/ai/types.d.mts

@@ -42,9 +42,9 @@ export interface AgentSpawnResult {
  *
  * Required: `prompt`, `cwd`, `tools`, `disallow`, `permissionMode`.
  *
- * Pre-built profiles in `profiles.ts` cover the common shapes
- * (READ_ONLY_PROFILE, EDIT_ONLY_PROFILE) — callers spread the profile and
- * override per-call (model, timeout, addDirs).
+ * Pre-built profiles in `profiles.ts` cover the common shapes (the `AI_PROFILE`
+ * capability ladder) — callers spread a tier and override per-call (model,
+ * timeout, addDirs).
  *
  * Why the lockdown fields are required (not defaulted to a permissive shape):
  * the CLAUDE.md rule says "all four lockdown flags MUST be set on every spawn."

package/dist/ai/worktree.d.mts

@@ -77,14 +77,14 @@ export declare function runOne<I, T>(item: I, index: number, worktreeBranch: str
  *   ;```ts
  *   import { spawnAiAgentsInWorktrees } from '@socketsecurity/lib/ai/worktree'
  *   import { spawnAiAgent } from '@socketsecurity/lib/ai/spawn'
- *   import { EDIT_ONLY_PROFILE } from '@socketsecurity/lib/ai/profiles'
+ *   import { AI_PROFILE } from '@socketsecurity/lib/ai/profiles'
  *
  *   const repos = ['socket-addon', 'socket-btm', 'socket-lib']
  *   const settled = await spawnAiAgentsInWorktrees(
  *     repos,
  *     async ({ cwd }) => {
  *       return await spawnAiAgent({
- *         ...EDIT_ONLY_PROFILE,
+ *         ...AI_PROFILE.create,
  *         prompt: 'Run the cleanup task',
  *         cwd,
  *       })

package/dist/constants/socket.js

@@ -77,7 +77,7 @@ const SOCKET_REGISTRY_APP_NAME = "registry";
 const SOCKET_WHEELHOUSE_APP_NAME = "wheelhouse";
 const SOCKET_APP_PREFIX = "_";
 const SOCKET_LIB_NAME = "@socketsecurity/lib";
-const SOCKET_LIB_VERSION = "6.0.1";
+const SOCKET_LIB_VERSION = "6.0.3";
 const SOCKET_IPC_HANDSHAKE = "SOCKET_IPC_HANDSHAKE";
 const CACHE_SOCKET_API_DIR = "socket-api";
 const REGISTRY = "registry";

package/dist/debug/_internal.d.ts

@@ -6,7 +6,7 @@
  *   override). Co-located so the namespace / output / caller-info leaves don't
  *   fragment ownership of this shared module state.
  */
-export declare const logger: import("../logger/default").Logger;
+export declare const logger: import("../logger/node").Logger;
 export declare const debugByNamespace: Map<any, any>;
 export { getNodeUtil as getUtil } from '../node/util';
 /**

package/dist/dlx/detect.js

@@ -32,6 +32,7 @@ __export(detect_exports, {
 });
 module.exports = __toCommonJS(detect_exports);
 var import_paths = require("./paths");
+var import_find_up = require("../fs/find-up");
 var import_socket = require("../paths/socket");
 var import_date = require("../primordials/date");
 var import_json = require("../primordials/json");
@@ -72,18 +73,9 @@ function findPackageJson(filePath) {
       packageJsonPathCache.delete(startDir);
     }
   }
-  let currentDir = startDir;
-  const root = path.parse(currentDir).root;
-  while (currentDir !== root) {
-    const packageJsonPath = path.join(currentDir, "package.json");
-    if (fs.existsSync(packageJsonPath)) {
-      packageJsonPathCacheSet(startDir, packageJsonPath);
-      return packageJsonPath;
-    }
-    currentDir = path.dirname(currentDir);
-  }
-  packageJsonPathCacheSet(startDir, void 0);
-  return void 0;
+  const packageJsonPath = (0, import_find_up.findUpSync)("package.json", { cwd: startDir });
+  packageJsonPathCacheSet(startDir, packageJsonPath);
+  return packageJsonPath;
 }
 function readPackageJson(packageJsonPath) {
   const fs = (0, import_fs.getNodeFs)();

package/dist/dlx/firewall.js

@@ -24,7 +24,7 @@ __export(firewall_exports, {
   npmPurl: () => npmPurl
 });
 module.exports = __toCommonJS(firewall_exports);
-var import_convenience = require("../http-request/convenience");
+var import_node = require("../http-request/node");
 var import_user_agent = require("../http-request/user-agent");
 var import_error = require("../primordials/error");
 var import_map_set = require("../primordials/map-set");
@@ -59,7 +59,7 @@ async function checkFirewallPurls(arb, requestedPackage) {
   await (0, import_promise.PromiseAllSettled)(
     purls.map(async ({ name, purl, version }) => {
       try {
-        const data = await (0, import_convenience.httpJson)(
+        const data = await (0, import_node.httpJson)(
           `${FIREWALL_API_URL}/${encodeURIComponent(purl)}`,
           {
             headers: { "User-Agent": (0, import_user_agent.getSocketCallerUserAgent)() },

package/dist/fs/access.d.ts

@@ -0,0 +1,32 @@
+/**
+ * @file Synchronous file-access predicates — boolean "can this process do X to
+ *   this path?" checks over `fs.accessSync`. Prefer these only where the answer
+ *   drives a user-facing decision (e.g. "is the cache dir writable, so I can
+ *   pick a fallback?"). For "I'm about to write, can I?" do NOT pre-check —
+ *   just attempt the write and handle the error; a check-then-act gap is a
+ *   TOCTOU race. `canAccess` (F_OK) overlaps `existsSync`; use `existsSync` for
+ *   plain existence, these for permission bits.
+ */
+import type { PathLike } from 'node:fs';
+/**
+ * Does the process have `mode` access to `path`? Wraps `fs.accessSync`,
+ * returning a boolean instead of throwing. Default mode is `F_OK` (existence).
+ *
+ * @param path - Path to check.
+ * @param mode - `fs.constants` bit (`F_OK` / `R_OK` / `W_OK` / `X_OK`).
+ *
+ * @returns True if the access check succeeds.
+ */
+export declare function canAccess(path: PathLike, mode?: number | undefined): boolean;
+/**
+ * Can the process execute `path`? (`X_OK`)
+ */
+export declare function canExecute(path: PathLike): boolean;
+/**
+ * Can the process read `path`? (`R_OK`)
+ */
+export declare function canRead(path: PathLike): boolean;
+/**
+ * Can the process write `path`? (`W_OK`)
+ */
+export declare function canWrite(path: PathLike): boolean;

package/dist/fs/access.js

@@ -0,0 +1,63 @@
+"use strict";
+/* Socket Lib - Built with esbuild */
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var access_exports = {};
+__export(access_exports, {
+  canAccess: () => canAccess,
+  canExecute: () => canExecute,
+  canRead: () => canRead,
+  canWrite: () => canWrite
+});
+module.exports = __toCommonJS(access_exports);
+var import_fs = require("../node/fs");
+var import_path = require("../smol/path");
+// @__NO_SIDE_EFFECTS__
+function canAccess(path, mode) {
+  const smolAccess = (0, import_path.getSmolPath)()?.access;
+  if (smolAccess) {
+    return smolAccess(path, mode);
+  }
+  const fs = (0, import_fs.getNodeFs)();
+  try {
+    fs.accessSync(path, mode);
+    return true;
+  } catch {
+    return false;
+  }
+}
+// @__NO_SIDE_EFFECTS__
+function canExecute(path) {
+  return /* @__PURE__ */ canAccess(path, (0, import_fs.getNodeFs)().constants.X_OK);
+}
+// @__NO_SIDE_EFFECTS__
+function canRead(path) {
+  return /* @__PURE__ */ canAccess(path, (0, import_fs.getNodeFs)().constants.R_OK);
+}
+// @__NO_SIDE_EFFECTS__
+function canWrite(path) {
+  return /* @__PURE__ */ canAccess(path, (0, import_fs.getNodeFs)().constants.W_OK);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  canAccess,
+  canExecute,
+  canRead,
+  canWrite
+});

package/dist/fs/find-up.js

@@ -40,6 +40,8 @@ var import_abort = require("../process/abort");
 var import_fs = require("../node/fs");
 var import_path = require("../node/path");
 var import_normalize = require("../paths/normalize");
+var import_walk = require("../paths/walk");
+var import_path2 = require("../smol/path");
 const abortSignal = (0, import_abort.getAbortSignal)();
 // @__NO_SIDE_EFFECTS__
 async function findUp(name, options) {
@@ -59,10 +61,8 @@ async function findUp(name, options) {
   }
   const fs = (0, import_fs.getNodeFs)();
   const path = (0, import_path.getNodePath)();
-  let dir = path.resolve(cwd);
-  const { root } = path.parse(dir);
   const names = (0, import_predicates.isArray)(name) ? name : [name];
-  while (dir) {
+  for (const dir of (0, import_walk.walkUp)(cwd)) {
     for (const n of names) {
       if (signal?.aborted) {
         return void 0;
@@ -79,10 +79,6 @@ async function findUp(name, options) {
       } catch {
       }
     }
-    if (dir === root) {
-      break;
-    }
-    dir = path.dirname(dir);
   }
   return void 0;
 }
@@ -104,27 +100,13 @@ function findUpSync(name, options) {
   }
   const fs = (0, import_fs.getNodeFs)();
   const path = (0, import_path.getNodePath)();
-  let dir = path.resolve(cwd);
-  const { root } = path.parse(dir);
-  const stopDir = stopAt ? path.resolve(stopAt) : void 0;
   const names = (0, import_predicates.isArray)(name) ? name : [name];
-  while (dir) {
-    if (stopDir && dir === stopDir) {
-      for (const n of names) {
-        const thePath = path.join(dir, n);
-        try {
-          const stats = fs.statSync(thePath);
-          if (!onlyDirectories && stats.isFile()) {
-            return (0, import_normalize.normalizePath)(thePath);
-          }
-          if (!onlyFiles && stats.isDirectory()) {
-            return (0, import_normalize.normalizePath)(thePath);
-          }
-        } catch {
-        }
-      }
-      return void 0;
-    }
+  const smolFindUp = (0, import_path2.getSmolPath)()?.findUp;
+  if (smolFindUp && stopAt === void 0) {
+    const found = smolFindUp(path.resolve(cwd), names, { onlyDirectories });
+    return found === void 0 ? void 0 : (0, import_normalize.normalizePath)(found);
+  }
+  for (const dir of (0, import_walk.walkUp)(cwd, { stopAt })) {
     for (const n of names) {
       const thePath = path.join(dir, n);
       try {
@@ -138,10 +120,6 @@ function findUpSync(name, options) {
       } catch {
       }
     }
-    if (dir === root) {
-      break;
-    }
-    dir = path.dirname(dir);
   }
   return void 0;
 }

package/dist/fs/resolve-module.d.ts

@@ -0,0 +1,57 @@
+/**
+ * @file `require.resolve`-from-an-arbitrary-base. Node's bare
+ *   `require.resolve(spec)` resolves relative to the calling module; these
+ *   helpers resolve a specifier as if required from a DIFFERENT directory —
+ *   useful for "find the copy of `typescript` that THIS project would load,"
+ *   not the copy socket-lib itself loads. Returns the resolved absolute file
+ *   path, or (in `nothrow` form) `undefined` when the specifier can't be
+ *   resolved.
+ */
+/**
+ * Resolve a module specifier as if `require`'d from `fromDir`.
+ *
+ * Equivalent to running `require.resolve(specifier)` inside a module located at
+ * `fromDir`. Accepts package specifiers (`'typescript'`, `'pkg/sub/path'`) and
+ * relative paths (`'./foo'`).
+ *
+ * @example
+ *   ;```ts
+ *   // The `typescript` the project at /repo would load:
+ *   requireResolveFrom('/repo', 'typescript')
+ *   //=> '/repo/node_modules/typescript/lib/typescript.js'
+ *
+ *   requireResolveFrom('/repo', './missing', { nothrow: true })
+ *   //=> undefined
+ *   ```
+ *
+ * @param fromDir - Directory to resolve as if the require originated there.
+ * @param specifier - Module specifier or relative path to resolve.
+ * @param options - `nothrow: true` returns `undefined` instead of throwing.
+ *
+ * @returns Absolute resolved path (or `undefined` when `nothrow` and
+ *   unresolved).
+ *
+ * @throws When the specifier can't be resolved and `nothrow` is not set.
+ */
+export declare function requireResolveFrom(fromDir: string, specifier: string, options: {
+    nothrow: true;
+}): string | undefined;
+export declare function requireResolveFrom(fromDir: string, specifier: string, options?: {
+    nothrow?: false | undefined;
+} | undefined): string;
+/**
+ * Resolve a module specifier as if `require`'d from `process.cwd()`. Alias for
+ * {@link requireResolveFrom} anchored at the current directory.
+ *
+ * @param specifier - Module specifier or relative path to resolve.
+ * @param options - `nothrow: true` returns `undefined` instead of throwing.
+ *
+ * @returns Absolute resolved path (or `undefined` when `nothrow` and
+ *   unresolved).
+ */
+export declare function requireResolveFromCwd(specifier: string, options: {
+    nothrow: true;
+}): string | undefined;
+export declare function requireResolveFromCwd(specifier: string, options?: {
+    nothrow?: false | undefined;
+} | undefined): string;

package/dist/fs/resolve-module.js

@@ -0,0 +1,63 @@
+"use strict";
+/* Socket Lib - Built with esbuild */
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var resolve_module_exports = {};
+__export(resolve_module_exports, {
+  requireResolveFrom: () => requireResolveFrom,
+  requireResolveFromCwd: () => requireResolveFromCwd
+});
+module.exports = __toCommonJS(resolve_module_exports);
+var import_node_module = require("node:module");
+var import_node_process = __toESM(require("node:process"));
+var import_path = require("../node/path");
+function requireResolveFrom(fromDir, specifier, options) {
+  const { nothrow = false } = {
+    __proto__: null,
+    ...options
+  };
+  const path = (0, import_path.getNodePath)();
+  const anchor = path.join(path.resolve(fromDir), "noop.js");
+  try {
+    return (0, import_node_module.createRequire)(anchor).resolve(specifier);
+  } catch (e) {
+    if (nothrow) {
+      return void 0;
+    }
+    throw e;
+  }
+}
+function requireResolveFromCwd(specifier, options) {
+  return options && options.nothrow ? requireResolveFrom(import_node_process.default.cwd(), specifier, { nothrow: true }) : requireResolveFrom(import_node_process.default.cwd(), specifier);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  requireResolveFrom,
+  requireResolveFromCwd
+});