@socketsecurity/lib 6.0.1 → 6.0.3

package/dist/logger/symbols-builder.d.ts

@@ -1,6 +1,6 @@
 /**
  * @file Free-function helpers for per-instance log-symbol construction + symbol
- *   stripping. Extracted from `logger/default.ts` (the `Logger` class) so the
+ *   stripping. Extracted from `logger/node.ts` (the `Logger` class) so the
  *   class stays under the 1000-line hard cap and so other callers (alt loggers,
  *   format helpers) can reuse the same logic without instantiating a `Logger`.
  *

package/dist/logger/types.d.ts

@@ -4,7 +4,7 @@
  *   interface returned by `Logger.createTask`. Pure types; no runtime side
  *   effects so this module stays cheap to import everywhere.
  */
-import type { Logger } from './default';
+import type { Logger } from './node';
 /**
  * Log symbols for terminal output with colored indicators.
  *

package/dist/packages/provenance.d.ts

@@ -2,6 +2,18 @@
  * @file Package provenance and attestation verification utilities.
  */
 import type { ProvenanceOptions } from './types';
+/**
+ * Comparator ordering two trust statuses by ascending trust level. Sorts an
+ * array of statuses lowest-trust-first; negate for highest-first.
+ */
+export declare function compareTrust(a: TrustStatus, b: TrustStatus): -1 | 0 | 1;
+/**
+ * Whether `next` sits at a lower trust level than `prev` — i.e. a release
+ * regressed its supply-chain posture. Drives the post-publish provenance
+ * reminder: a version that drops from trustedPublisher back to bare provenance
+ * is a red flag worth surfacing.
+ */
+export declare function didTrustDecrease(prev: TrustStatus, next: TrustStatus): boolean;
 /**
  * Fetch package provenance information from npm registry.
  *
@@ -30,7 +42,37 @@ export declare function getFetcher(): import("../external/make-fetch-happen").Ma
  *   ```
  */
 export declare function getProvenanceDetails(attestationData: unknown): unknown;
+/**
+ * Map a trust status to its 0..3 ladder level.
+ */
+export declare function getTrustLevel(status: TrustStatus): TrustLevel;
+/**
+ * Map a trust status to its human-readable level name.
+ */
+export declare function getTrustLevelName(status: TrustStatus): TrustLevelName;
+/**
+ * Extract provenance / trusted-publisher / staged-publish flags from a registry
+ * version document.
+ */
+export declare function getTrustStatus(meta: unknown): TrustStatus;
 /**
  * Check if a value indicates a trusted publisher (GitHub or GitLab).
  */
 export declare function isTrustedPublisher(value: unknown): boolean;
+/**
+ * Trust signals derived from a registry version document.
+ */
+export interface TrustStatus {
+    provenance: boolean;
+    trustedPublisher: boolean;
+    stagedPublish: boolean;
+}
+/**
+ * Trust ladder, low → high. The index IS the level (0..3), so a single array
+ * maps both directions: `TRUST_LEVELS[level]` → name, and
+ * `TRUST_LEVELS.indexOf(name)` → level. One source of truth, no parallel Record
+ * to keep in sync.
+ */
+export declare const TRUST_LEVELS: readonly ['none', 'provenance', 'trustedPublisher', 'stagedPublish'];
+export type TrustLevel = 0 | 1 | 2 | 3;
+export type TrustLevelName = (typeof TRUST_LEVELS)[number];

package/dist/packages/provenance.js

@@ -30,11 +30,17 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var provenance_exports = {};
 __export(provenance_exports, {
+  TRUST_LEVELS: () => TRUST_LEVELS,
+  compareTrust: () => compareTrust,
+  didTrustDecrease: () => didTrustDecrease,
   fetchPackageProvenance: () => fetchPackageProvenance,
   findProvenance: () => findProvenance,
   getAttestations: () => getAttestations,
   getFetcher: () => getFetcher,
   getProvenanceDetails: () => getProvenanceDetails,
+  getTrustLevel: () => getTrustLevel,
+  getTrustLevelName: () => getTrustLevelName,
+  getTrustStatus: () => getTrustStatus,
   isTrustedPublisher: () => isTrustedPublisher
 });
 module.exports = __toCommonJS(provenance_exports);
@@ -43,13 +49,29 @@ var import_packages = require("../constants/packages");
 var import_make_fetch_happen = __toESM(require("../external/make-fetch-happen"));
 var import_signal = require("../abort/signal");
 var import_parse = require("../url/parse");
+var import_predicates = require("../objects/predicates");
 var import_array = require("../primordials/array");
 var import_buffer = require("../primordials/buffer");
 var import_json = require("../primordials/json");
+var import_object = require("../primordials/object");
 var import_string = require("../primordials/string");
 const SLSA_PROVENANCE_V0_2 = "https://slsa.dev/provenance/v0.2";
 const SLSA_PROVENANCE_V1_0 = "https://slsa.dev/provenance/v1";
 let _fetcher;
+function compareTrust(a, b) {
+  const levelA = getTrustLevel(a);
+  const levelB = getTrustLevel(b);
+  if (levelA < levelB) {
+    return -1;
+  }
+  if (levelA > levelB) {
+    return 1;
+  }
+  return 0;
+}
+function didTrustDecrease(prev, next) {
+  return getTrustLevel(next) < getTrustLevel(prev);
+}
 // @__NO_SIDE_EFFECTS__
 async function fetchPackageProvenance(pkgName, pkgVersion, options) {
   const { signal, timeout = 1e4 } = {
@@ -165,6 +187,43 @@ function getProvenanceDetails(attestationData) {
     workflowRunId
   };
 }
+function getTrustLevel(status) {
+  if (status.stagedPublish) {
+    return 3;
+  }
+  if (status.trustedPublisher && status.provenance) {
+    return 2;
+  }
+  if (status.provenance) {
+    return 1;
+  }
+  return 0;
+}
+function getTrustLevelName(status) {
+  return TRUST_LEVELS[getTrustLevel(status)];
+}
+function getTrustStatus(meta) {
+  const status = {
+    provenance: false,
+    trustedPublisher: false,
+    // Reserved: the npm registry does not yet expose a staged-publish flag, so
+    // this stays false until a registry signal exists to set it.
+    stagedPublish: false
+  };
+  if (!(0, import_predicates.isObject)(meta)) {
+    return status;
+  }
+  const npmUser = (0, import_object.ObjectHasOwn)(meta, "_npmUser") ? meta["_npmUser"] : void 0;
+  if ((0, import_predicates.isObject)(npmUser) && (0, import_object.ObjectHasOwn)(npmUser, "trustedPublisher") && npmUser["trustedPublisher"]) {
+    status.trustedPublisher = true;
+  }
+  const dist = (0, import_object.ObjectHasOwn)(meta, "dist") ? meta["dist"] : void 0;
+  const attestations = (0, import_predicates.isObject)(dist) && (0, import_object.ObjectHasOwn)(dist, "attestations") ? dist["attestations"] : void 0;
+  if ((0, import_predicates.isObject)(attestations) && (0, import_object.ObjectHasOwn)(attestations, "provenance") && attestations["provenance"]) {
+    status.provenance = true;
+  }
+  return status;
+}
 function isTrustedPublisher(value) {
   if (typeof value !== "string" || !value) {
     return false;
@@ -191,12 +250,24 @@ function isTrustedPublisher(value) {
   }
   return (0, import_string.StringPrototypeIncludes)(value, "github") || (0, import_string.StringPrototypeIncludes)(value, "gitlab");
 }
+const TRUST_LEVELS = [
+  "none",
+  "provenance",
+  "trustedPublisher",
+  "stagedPublish"
+];
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  TRUST_LEVELS,
+  compareTrust,
+  didTrustDecrease,
   fetchPackageProvenance,
   findProvenance,
   getAttestations,
   getFetcher,
   getProvenanceDetails,
+  getTrustLevel,
+  getTrustLevelName,
+  getTrustStatus,
   isTrustedPublisher
 });

package/dist/paths/walk.d.ts

@@ -0,0 +1,40 @@
+/**
+ * @file Walk parent directories. `walkUp` is the lazy ancestor generator that
+ *   `fs/find-up` and package-root lookups build on: given a starting path it
+ *   yields that path, then each parent, up to and INCLUDING the filesystem root
+ *   (or a caller-supplied `stopAt` boundary). Lazy so a caller can stop early
+ *   without computing the whole chain.
+ */
+export interface WalkUpOptions {
+    /**
+     * Starting directory. Relative `from` values are resolved against this.
+     * Defaults to `process.cwd()`.
+     */
+    cwd?: string | undefined;
+    /**
+     * Last directory to yield (INCLUSIVE). Traversal stops after this path is
+     * emitted. Defaults to the filesystem root.
+     */
+    stopAt?: string | undefined;
+}
+/**
+ * Lazily yield `from` and each of its ancestor directories, up to and including
+ * the filesystem root (or `stopAt`). Each yielded path is normalized to forward
+ * slashes.
+ *
+ * @example
+ *   ;```ts
+ *   for (const dir of walkUp('/a/b/c')) {
+ *     // '/a/b/c', '/a/b', '/a', '/'
+ *   }
+ *
+ *   // Stop at a boundary (inclusive):
+ *   [...walkUp('/a/b/c', { stopAt: '/a' })] // ['/a/b/c', '/a/b', '/a']
+ *   ```
+ *
+ * @param from - Path to start from. Relative values resolve against `cwd`.
+ * @param options - `cwd` and `stopAt` boundary.
+ *
+ * @returns Generator of normalized absolute directory paths.
+ */
+export declare function walkUp(from: string, options?: WalkUpOptions | undefined): Generator<string>;

package/dist/paths/walk.js

@@ -0,0 +1,63 @@
+"use strict";
+/* Socket Lib - Built with esbuild */
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var walk_exports = {};
+__export(walk_exports, {
+  walkUp: () => walkUp
+});
+module.exports = __toCommonJS(walk_exports);
+var import_node_process = __toESM(require("node:process"));
+var import_path = require("../node/path");
+var import_path2 = require("../smol/path");
+var import_normalize = require("./normalize");
+function* walkUp(from, options) {
+  const { cwd = import_node_process.default.cwd(), stopAt } = {
+    __proto__: null,
+    ...options
+  };
+  const path = (0, import_path.getNodePath)();
+  const smol = (0, import_path2.getSmolPath)();
+  const dirname = smol?.dirname ?? path.dirname;
+  let dir = path.resolve(cwd, from);
+  const stopDir = stopAt ? path.resolve(cwd, stopAt) : void 0;
+  let prev;
+  while (dir !== prev) {
+    yield (0, import_normalize.normalizePath)(dir);
+    if (stopDir !== void 0 && dir === stopDir) {
+      return;
+    }
+    prev = dir;
+    dir = dirname(dir);
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  walkUp
+});

package/dist/primordials/map-set.d.ts

@@ -4,6 +4,30 @@
  *   constructor — there's a separate `weakRefSafe` wrapper in `./uncurry` for
  *   the throws-on-non-Object case.
  */
+declare global {
+    interface Map<K, V> {
+        getOrInsert(key: K, value: V): V;
+        getOrInsertComputed(key: K, callbackfn: (key: K) => V): V;
+    }
+    interface WeakMap<K extends WeakKey, V> {
+        getOrInsert(key: K, value: V): V;
+        getOrInsertComputed(key: K, callbackfn: (key: K) => V): V;
+    }
+    interface ReadonlySetLike<T> {
+        has(value: T): boolean;
+        keys(): IterableIterator<T>;
+        readonly size: number;
+    }
+    interface Set<T> {
+        difference<U>(other: ReadonlySetLike<U>): Set<T>;
+        intersection<U>(other: ReadonlySetLike<U>): Set<T & U>;
+        isDisjointFrom(other: ReadonlySetLike<unknown>): boolean;
+        isSubsetOf(other: ReadonlySetLike<unknown>): boolean;
+        isSupersetOf(other: ReadonlySetLike<unknown>): boolean;
+        symmetricDifference<U>(other: ReadonlySetLike<U>): Set<T | U>;
+        union<U>(other: ReadonlySetLike<U>): Set<T | U>;
+    }
+}
 export declare const MapCtor: MapConstructor;
 export declare const SetCtor: SetConstructor;
 export declare const WeakMapCtor: WeakMapConstructor;
@@ -14,6 +38,8 @@ export declare const MapPrototypeDelete: (self: unknown, key: any) => boolean;
 export declare const MapPrototypeEntries: (self: unknown) => MapIterator<[any, any]>;
 export declare const MapPrototypeForEach: (self: unknown, callbackfn: (value: any, key: any, map: Map<any, any>) => void, thisArg?: any) => void;
 export declare const MapPrototypeGet: (self: unknown, key: any) => any;
+export declare const MapPrototypeGetOrInsert: (self: unknown, key: any, value: any) => any;
+export declare const MapPrototypeGetOrInsertComputed: (self: unknown, key: any, callbackfn: (key: any) => any) => any;
 export declare const MapPrototypeHas: (self: unknown, key: any) => boolean;
 export declare const MapPrototypeKeys: (self: unknown) => MapIterator<any>;
 export declare const MapPrototypeSet: (self: unknown, key: any, value: any) => Map<any, any>;
@@ -21,13 +47,22 @@ export declare const MapPrototypeValues: (self: unknown) => MapIterator<any>;
 export declare const SetPrototypeAdd: (self: unknown, value: any) => Set<any>;
 export declare const SetPrototypeClear: (self: unknown) => void;
 export declare const SetPrototypeDelete: (self: unknown, value: any) => boolean;
+export declare const SetPrototypeDifference: <U>(self: unknown, other: ReadonlySetLike<U>) => Set<any>;
 export declare const SetPrototypeEntries: (self: unknown) => SetIterator<[any, any]>;
 export declare const SetPrototypeForEach: (self: unknown, callbackfn: (value: any, value2: any, set: Set<any>) => void, thisArg?: any) => void;
 export declare const SetPrototypeHas: (self: unknown, value: any) => boolean;
+export declare const SetPrototypeIntersection: <U>(self: unknown, other: ReadonlySetLike<U>) => Set<any>;
+export declare const SetPrototypeIsDisjointFrom: (self: unknown, other: ReadonlySetLike<unknown>) => boolean;
+export declare const SetPrototypeIsSubsetOf: (self: unknown, other: ReadonlySetLike<unknown>) => boolean;
+export declare const SetPrototypeIsSupersetOf: (self: unknown, other: ReadonlySetLike<unknown>) => boolean;
 export declare const SetPrototypeKeys: (self: unknown) => SetIterator<any>;
+export declare const SetPrototypeSymmetricDifference: <U>(self: unknown, other: ReadonlySetLike<U>) => Set<any>;
+export declare const SetPrototypeUnion: <U>(self: unknown, other: ReadonlySetLike<U>) => Set<any>;
 export declare const SetPrototypeValues: (self: unknown) => SetIterator<any>;
 export declare const WeakMapPrototypeDelete: (self: unknown, key: WeakKey) => boolean;
 export declare const WeakMapPrototypeGet: (self: unknown, key: WeakKey) => any;
+export declare const WeakMapPrototypeGetOrInsert: (self: unknown, key: WeakKey, value: any) => any;
+export declare const WeakMapPrototypeGetOrInsertComputed: (self: unknown, key: WeakKey, callbackfn: (key: WeakKey) => any) => any;
 export declare const WeakMapPrototypeHas: (self: unknown, key: WeakKey) => boolean;
 export declare const WeakMapPrototypeSet: (self: unknown, key: WeakKey, value: any) => WeakMap<WeakKey, any>;
 export declare const WeakSetPrototypeAdd: (self: unknown, value: WeakKey) => WeakSet<WeakKey>;

package/dist/primordials/map-set.js

@@ -26,6 +26,8 @@ __export(map_set_exports, {
   MapPrototypeEntries: () => MapPrototypeEntries,
   MapPrototypeForEach: () => MapPrototypeForEach,
   MapPrototypeGet: () => MapPrototypeGet,
+  MapPrototypeGetOrInsert: () => MapPrototypeGetOrInsert,
+  MapPrototypeGetOrInsertComputed: () => MapPrototypeGetOrInsertComputed,
   MapPrototypeHas: () => MapPrototypeHas,
   MapPrototypeKeys: () => MapPrototypeKeys,
   MapPrototypeSet: () => MapPrototypeSet,
@@ -34,14 +36,23 @@ __export(map_set_exports, {
   SetPrototypeAdd: () => SetPrototypeAdd,
   SetPrototypeClear: () => SetPrototypeClear,
   SetPrototypeDelete: () => SetPrototypeDelete,
+  SetPrototypeDifference: () => SetPrototypeDifference,
   SetPrototypeEntries: () => SetPrototypeEntries,
   SetPrototypeForEach: () => SetPrototypeForEach,
   SetPrototypeHas: () => SetPrototypeHas,
+  SetPrototypeIntersection: () => SetPrototypeIntersection,
+  SetPrototypeIsDisjointFrom: () => SetPrototypeIsDisjointFrom,
+  SetPrototypeIsSubsetOf: () => SetPrototypeIsSubsetOf,
+  SetPrototypeIsSupersetOf: () => SetPrototypeIsSupersetOf,
   SetPrototypeKeys: () => SetPrototypeKeys,
+  SetPrototypeSymmetricDifference: () => SetPrototypeSymmetricDifference,
+  SetPrototypeUnion: () => SetPrototypeUnion,
   SetPrototypeValues: () => SetPrototypeValues,
   WeakMapCtor: () => WeakMapCtor,
   WeakMapPrototypeDelete: () => WeakMapPrototypeDelete,
   WeakMapPrototypeGet: () => WeakMapPrototypeGet,
+  WeakMapPrototypeGetOrInsert: () => WeakMapPrototypeGetOrInsert,
+  WeakMapPrototypeGetOrInsertComputed: () => WeakMapPrototypeGetOrInsertComputed,
   WeakMapPrototypeHas: () => WeakMapPrototypeHas,
   WeakMapPrototypeSet: () => WeakMapPrototypeSet,
   WeakRefCtor: () => WeakRefCtor,
@@ -62,6 +73,10 @@ const MapPrototypeDelete = (0, import_uncurry.uncurryThis)(Map.prototype.delete)
 const MapPrototypeEntries = (0, import_uncurry.uncurryThis)(Map.prototype.entries);
 const MapPrototypeForEach = (0, import_uncurry.uncurryThis)(Map.prototype.forEach);
 const MapPrototypeGet = (0, import_uncurry.uncurryThis)(Map.prototype.get);
+const MapPrototypeGetOrInsert = (0, import_uncurry.uncurryThis)(Map.prototype.getOrInsert);
+const MapPrototypeGetOrInsertComputed = (0, import_uncurry.uncurryThis)(
+  Map.prototype.getOrInsertComputed
+);
 const MapPrototypeHas = (0, import_uncurry.uncurryThis)(Map.prototype.has);
 const MapPrototypeKeys = (0, import_uncurry.uncurryThis)(Map.prototype.keys);
 const MapPrototypeSet = (0, import_uncurry.uncurryThis)(Map.prototype.set);
@@ -69,13 +84,30 @@ const MapPrototypeValues = (0, import_uncurry.uncurryThis)(Map.prototype.values)
 const SetPrototypeAdd = (0, import_uncurry.uncurryThis)(Set.prototype.add);
 const SetPrototypeClear = (0, import_uncurry.uncurryThis)(Set.prototype.clear);
 const SetPrototypeDelete = (0, import_uncurry.uncurryThis)(Set.prototype.delete);
+const SetPrototypeDifference = (0, import_uncurry.uncurryThis)(Set.prototype.difference);
 const SetPrototypeEntries = (0, import_uncurry.uncurryThis)(Set.prototype.entries);
 const SetPrototypeForEach = (0, import_uncurry.uncurryThis)(Set.prototype.forEach);
 const SetPrototypeHas = (0, import_uncurry.uncurryThis)(Set.prototype.has);
+const SetPrototypeIntersection = (0, import_uncurry.uncurryThis)(Set.prototype.intersection);
+const SetPrototypeIsDisjointFrom = (0, import_uncurry.uncurryThis)(
+  Set.prototype.isDisjointFrom
+);
+const SetPrototypeIsSubsetOf = (0, import_uncurry.uncurryThis)(Set.prototype.isSubsetOf);
+const SetPrototypeIsSupersetOf = (0, import_uncurry.uncurryThis)(Set.prototype.isSupersetOf);
 const SetPrototypeKeys = (0, import_uncurry.uncurryThis)(Set.prototype.keys);
+const SetPrototypeSymmetricDifference = (0, import_uncurry.uncurryThis)(
+  Set.prototype.symmetricDifference
+);
+const SetPrototypeUnion = (0, import_uncurry.uncurryThis)(Set.prototype.union);
 const SetPrototypeValues = (0, import_uncurry.uncurryThis)(Set.prototype.values);
 const WeakMapPrototypeDelete = (0, import_uncurry.uncurryThis)(WeakMap.prototype.delete);
 const WeakMapPrototypeGet = (0, import_uncurry.uncurryThis)(WeakMap.prototype.get);
+const WeakMapPrototypeGetOrInsert = (0, import_uncurry.uncurryThis)(
+  WeakMap.prototype.getOrInsert
+);
+const WeakMapPrototypeGetOrInsertComputed = (0, import_uncurry.uncurryThis)(
+  WeakMap.prototype.getOrInsertComputed
+);
 const WeakMapPrototypeHas = (0, import_uncurry.uncurryThis)(WeakMap.prototype.has);
 const WeakMapPrototypeSet = (0, import_uncurry.uncurryThis)(WeakMap.prototype.set);
 const WeakSetPrototypeAdd = (0, import_uncurry.uncurryThis)(WeakSet.prototype.add);
@@ -89,6 +121,8 @@ const WeakSetPrototypeHas = (0, import_uncurry.uncurryThis)(WeakSet.prototype.ha
   MapPrototypeEntries,
   MapPrototypeForEach,
   MapPrototypeGet,
+  MapPrototypeGetOrInsert,
+  MapPrototypeGetOrInsertComputed,
   MapPrototypeHas,
   MapPrototypeKeys,
   MapPrototypeSet,
@@ -97,14 +131,23 @@ const WeakSetPrototypeHas = (0, import_uncurry.uncurryThis)(WeakSet.prototype.ha
   SetPrototypeAdd,
   SetPrototypeClear,
   SetPrototypeDelete,
+  SetPrototypeDifference,
   SetPrototypeEntries,
   SetPrototypeForEach,
   SetPrototypeHas,
+  SetPrototypeIntersection,
+  SetPrototypeIsDisjointFrom,
+  SetPrototypeIsSubsetOf,
+  SetPrototypeIsSupersetOf,
   SetPrototypeKeys,
+  SetPrototypeSymmetricDifference,
+  SetPrototypeUnion,
   SetPrototypeValues,
   WeakMapCtor,
   WeakMapPrototypeDelete,
   WeakMapPrototypeGet,
+  WeakMapPrototypeGetOrInsert,
+  WeakMapPrototypeGetOrInsertComputed,
   WeakMapPrototypeHas,
   WeakMapPrototypeSet,
   WeakRefCtor,

package/dist/promises/_internal.d.ts

@@ -5,8 +5,14 @@
  */
 export declare const abortSignal: AbortSignal;
 /**
- * Get the timers/promises module. Uses lazy loading to avoid Webpack bundling
- * issues.
+ * Get the timers/promises module. Lazy `require` (not a top-level import) to
+ * avoid Webpack bundling issues.
+ *
+ * Intentionally NOT memoized: Node's module cache already makes the repeat
+ * `require` effectively free, and caching the reference breaks fake timers
+ * (`vi.useFakeTimers()` swaps the clock after this module loads; a cached
+ * reference would hold the pre-fake real `setTimeout`, burning real wallclock
+ * on retry backoff and starving the test worker pool).
  *
  * @private
  *

package/dist/promises/_internal.js

@@ -26,13 +26,9 @@ __export(internal_exports, {
 module.exports = __toCommonJS(internal_exports);
 var import_abort = require("../process/abort");
 const abortSignal = (0, import_abort.getAbortSignal)();
-let _timers;
 // @__NO_SIDE_EFFECTS__
 function getTimers() {
-  if (_timers === void 0) {
-    _timers = require("node:timers/promises");
-  }
-  return _timers;
+  return require("node:timers/promises");
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/releases/github-asset-url.js

@@ -29,18 +29,9 @@ var import_retry = require("../promises/retry");
 var import_array = require("../primordials/array");
 var import_error = require("../primordials/error");
 var import_json = require("../primordials/json");
-var import_object = require("../primordials/object");
 var import_github_assets = require("./github-assets");
 var import_github_auth = require("./github-auth");
-const RETRY_CONFIG = (0, import_object.ObjectFreeze)({
-  __proto__: null,
-  // Exponential backoff: delay doubles with each retry (5s, 10s, 20s).
-  backoffFactor: 2,
-  // Initial delay before first retry.
-  baseDelayMs: 5e3,
-  // Maximum number of retry attempts (excluding initial request).
-  retries: 2
-});
+var import_github_retry_config = require("./github-retry-config");
 async function fetchReleaseAssetsViaGraphQL(owner, repo, tag) {
   const response = await (0, import_request.httpRequest)("https://api.github.com/graphql", {
     body: (0, import_json.JSONStringify)({
@@ -143,7 +134,7 @@ async function getReleaseAssetUrl(tag, assetPattern, repoConfig, options = {}) {
       assets2 = release.assets;
     }
     return assets2;
-  }, RETRY_CONFIG);
+  }, import_github_retry_config.GITHUB_RETRY_CONFIG);
   if (!assets) {
     if (nothrow) {
       return void 0;

package/dist/releases/github-listing.js

@@ -31,19 +31,10 @@ var import_array = require("../primordials/array");
 var import_date = require("../primordials/date");
 var import_error = require("../primordials/error");
 var import_json = require("../primordials/json");
-var import_object = require("../primordials/object");
 var import_string = require("../primordials/string");
 var import_github_assets = require("./github-assets");
 var import_github_auth = require("./github-auth");
-const RETRY_CONFIG = (0, import_object.ObjectFreeze)({
-  __proto__: null,
-  // Exponential backoff: delay doubles with each retry (5s, 10s, 20s).
-  backoffFactor: 2,
-  // Initial delay before first retry.
-  baseDelayMs: 5e3,
-  // Maximum number of retry attempts (excluding initial request).
-  retries: 2
-});
+var import_github_retry_config = require("./github-retry-config");
 async function fetchReleasesViaGraphQL(owner, repo) {
   const response = await (0, import_request.httpRequest)("https://api.github.com/graphql", {
     body: (0, import_json.JSONStringify)({
@@ -161,7 +152,7 @@ async function getLatestRelease(toolPrefix, repoConfig, options = {}) {
     );
     const latestRelease = matchingReleases[0];
     return latestRelease.tag_name;
-  }, RETRY_CONFIG) ?? void 0;
+  }, import_github_retry_config.GITHUB_RETRY_CONFIG) ?? void 0;
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/releases/github-retry-config.d.ts

@@ -0,0 +1,31 @@
+/**
+ * @file Shared retry configuration for the GitHub release helpers
+ *   (`github-listing`, `github-asset-url`). Exponential backoff over the
+ *   transient-failure / rate-limit surface. `baseDelayMs` is overridable via
+ *   `SOCKET_GITHUB_RETRY_BASE_DELAY_MS` — set it to `0` for near-instant
+ *   retries. Tests set it so the backoff sleep (5s + 10s of real wallclock)
+ *   doesn't run: pRetry's delay goes through `node:timers/promises`, which
+ *   `vi.useFakeTimers()` doesn't reliably intercept, so a zero base delay is
+ *   the robust, fake-timer-independent way to keep these tests fast. CI can
+ *   also dial it down. Default stays 5000ms for production resilience.
+ */
+/**
+ * Default base delay (ms) before the first retry when the env override is unset
+ * or non-numeric.
+ */
+export declare const DEFAULT_BASE_DELAY_MS = 5000;
+/**
+ * Resolve the retry base delay from `SOCKET_GITHUB_RETRY_BASE_DELAY_MS`,
+ * falling back to {@link DEFAULT_BASE_DELAY_MS}. Read live (not memoized) so
+ * it's unit-testable by mutating the env — and so a long-lived process that has
+ * the env changed under it picks up the new value on next read.
+ *
+ * @returns The configured base delay in milliseconds.
+ */
+export declare function resolveBaseDelayMs(): number;
+export declare const GITHUB_RETRY_CONFIG: Readonly<{
+    __proto__: null;
+    backoffFactor: 2;
+    baseDelayMs: number;
+    retries: 2;
+}>;

package/dist/releases/github-retry-config.js

@@ -0,0 +1,52 @@
+"use strict";
+/* Socket Lib - Built with esbuild */
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var github_retry_config_exports = {};
+__export(github_retry_config_exports, {
+  DEFAULT_BASE_DELAY_MS: () => DEFAULT_BASE_DELAY_MS,
+  GITHUB_RETRY_CONFIG: () => GITHUB_RETRY_CONFIG,
+  resolveBaseDelayMs: () => resolveBaseDelayMs
+});
+module.exports = __toCommonJS(github_retry_config_exports);
+var import_number = require("../env/number");
+var import_rewire = require("../env/rewire");
+var import_object = require("../primordials/object");
+const DEFAULT_BASE_DELAY_MS = 5e3;
+function resolveBaseDelayMs() {
+  return (0, import_number.envAsNumber)(
+    (0, import_rewire.getEnvValue)("SOCKET_GITHUB_RETRY_BASE_DELAY_MS"),
+    DEFAULT_BASE_DELAY_MS
+  );
+}
+const GITHUB_RETRY_CONFIG = (0, import_object.ObjectFreeze)({
+  __proto__: null,
+  // Exponential backoff: delay doubles with each retry (5s, 10s, 20s).
+  backoffFactor: 2,
+  // Initial delay before first retry. Overridable for tests / CI.
+  baseDelayMs: resolveBaseDelayMs(),
+  // Maximum number of retry attempts (excluding initial request).
+  retries: 2
+});
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DEFAULT_BASE_DELAY_MS,
+  GITHUB_RETRY_CONFIG,
+  resolveBaseDelayMs
+});