@socketsecurity/lib 6.0.3 → 6.0.4

package/dist/dlx/_internal.js

@@ -1,47 +1,28 @@
 "use strict";
-/* Socket Lib - Built with esbuild */
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var internal_exports = {};
-__export(internal_exports, {
-  BINARY_PATH_CACHE_MAX_SIZE: () => BINARY_PATH_CACHE_MAX_SIZE,
-  binaryPathCache: () => binaryPathCache,
-  binaryPathCacheSet: () => binaryPathCacheSet
-});
-module.exports = __toCommonJS(internal_exports);
-var import_map_set = require("../primordials/map-set");
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_map_set = require('../primordials/map-set.js');
+
+//#region src/dlx/_internal.ts
+/**
+* @file Shared internals for the `dlx/*` module — the bounded LRU cache used by
+*   `resolveBinaryPath` on Windows. Webpack-safe lazy `node:fs` / `node:path` /
+*   `node:crypto` loaders live in the canonical
+*   `@socketsecurity/lib/node/{fs,path,crypto}` helpers — import `getNodeFs` /
+*   `getNodePath` / `getNodeCrypto` directly from there.
+*/
 const BINARY_PATH_CACHE_MAX_SIZE = 200;
-const binaryPathCache = new import_map_set.MapCtor();
+const binaryPathCache = new require_primordials_map_set.MapCtor();
 function binaryPathCacheSet(key, value) {
-  if (binaryPathCache.has(key)) {
-    binaryPathCache.delete(key);
-  } else if (binaryPathCache.size >= BINARY_PATH_CACHE_MAX_SIZE) {
-    const oldest = binaryPathCache.keys().next().value;
-    if (oldest !== void 0) {
-      binaryPathCache.delete(oldest);
-    }
-  }
-  binaryPathCache.set(key, value);
+	if (binaryPathCache.has(key)) binaryPathCache.delete(key);
+	else if (binaryPathCache.size >= 200) {
+		const oldest = binaryPathCache.keys().next().value;
+		if (oldest !== void 0) binaryPathCache.delete(oldest);
+	}
+	binaryPathCache.set(key, value);
 }
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  BINARY_PATH_CACHE_MAX_SIZE,
-  binaryPathCache,
-  binaryPathCacheSet
-});
+
+//#endregion
+exports.BINARY_PATH_CACHE_MAX_SIZE = BINARY_PATH_CACHE_MAX_SIZE;
+exports.binaryPathCache = binaryPathCache;
+exports.binaryPathCacheSet = binaryPathCacheSet;

package/dist/dlx/arborist.js

@@ -1,173 +1,175 @@
 "use strict";
-/* Socket Lib - Built with esbuild */
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var arborist_exports = {};
-__export(arborist_exports, {
-  getBaseArboristOptions: () => getBaseArboristOptions,
-  readSingleDependency: () => readSingleDependency,
-  readTopLevelFromIdealTree: () => readTopLevelFromIdealTree,
-  safeIdealTree: () => safeIdealTree,
-  safeReify: () => safeReify,
-  writeSafeNpmrc: () => writeSafeNpmrc
-});
-module.exports = __toCommonJS(arborist_exports);
-var import_arborist = __toESM(require("../external/@npmcli/arborist"));
-var import_socket = require("../paths/socket");
-var import_array = require("../primordials/array");
-var import_error = require("../primordials/error");
-var import_json = require("../primordials/json");
-var import_object = require("../primordials/object");
-var import_fs = require("../node/fs");
-var import_path = require("../node/path");
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_runtime = require('../_virtual/_rolldown/runtime.js');
+const require_primordials_error = require('../primordials/error.js');
+const require_primordials_array = require('../primordials/array.js');
+const require_node_fs = require('../node/fs.js');
+const require_node_path = require('../node/path.js');
+const require_primordials_object = require('../primordials/object.js');
+const require_primordials_json = require('../primordials/json.js');
+const require_paths_socket = require('../paths/socket.js');
+let src_external__npmcli_arborist = require("../external/@npmcli/arborist");
+src_external__npmcli_arborist = require_runtime.__toESM(src_external__npmcli_arborist);
+
+//#region src/dlx/arborist.ts
+/**
+* @file Safe Arborist wrapper for dlx installs and lockfile-only resolution.
+*   Every Arborist invocation in this module is configured with a fixed set of
+*   security-hardening options mirroring socket-cli v1.1.79 SafeArborist:
+*
+*   - audit: false — no network call to the npm audit endpoint
+*   - fund: false — no collection/display of funding URLs
+*   - ignoreScripts: true — no preinstall/install/postinstall scripts
+*   - progress: false — no progress bar on stdout
+*   - saveBundle: false — never update bundledDependencies
+*   - silent: true — suppress Arborist's default log output `save` varies by
+*     operation: {@link safeIdealTree} uses `save: true` so Arborist writes
+*     `package-lock.json`; {@link safeReify} uses `save: false` so the caller's
+*     `package.json` is never rewritten. A `.npmrc` with the equivalent
+*     settings is also written into the install directory as a
+*     belt-and-suspenders defense for any downstream tool that reads it.
+*/
+/**
+* Fixed Arborist options that must not be overridden by callers. Mirrors
+* socket-cli v1.1.79's SafeArborist overrides: audit: false, fund: false,
+* ignoreScripts: true, save: false, saveBundle: false, silent: true, progress:
+* false.
+*/
 function getBaseArboristOptions(installPath, options) {
-  return {
-    __proto__: null,
-    path: installPath,
-    cache: (0, import_socket.getSocketCacacheDir)(),
-    audit: false,
-    fund: false,
-    ignoreScripts: true,
-    progress: false,
-    save: false,
-    saveBundle: false,
-    silent: options.quiet
-  };
+	return {
+		__proto__: null,
+		path: installPath,
+		cache: require_paths_socket.getSocketCacacheDir(),
+		audit: false,
+		fund: false,
+		ignoreScripts: true,
+		progress: false,
+		save: false,
+		saveBundle: false,
+		silent: options.quiet
+	};
 }
+/**
+* Read the single declared dependency from a package.json. We only support one
+* top-level dep per snapshot, which keeps the result unambiguous (no "which of
+* N deps did we pin?").
+*/
 function readSingleDependency(packageJsonPath) {
-  const fs = (0, import_fs.getNodeFs)();
-  const raw = fs.readFileSync(packageJsonPath, "utf8");
-  const pkg = (0, import_json.JSONParse)(raw);
-  const deps = pkg.dependencies ?? {};
-  const names = (0, import_object.ObjectKeys)(deps);
-  if (names.length !== 1) {
-    throw new import_error.ErrorCtor(
-      `safeIdealTree expects exactly one top-level dependency in ${packageJsonPath}, found ${names.length}`
-    );
-  }
-  return names[0];
+	const names = require_primordials_object.ObjectKeys(require_primordials_json.JSONParse((/* @__PURE__ */ require_node_fs.getNodeFs()).readFileSync(packageJsonPath, "utf8")).dependencies ?? {});
+	if (names.length !== 1) throw new require_primordials_error.ErrorCtor(`safeIdealTree expects exactly one top-level dependency in ${packageJsonPath}, found ${names.length}`);
+	return names[0];
 }
+/**
+* Read the top-level package from an Arborist idealTree's inventory. Arborist's
+* `Inventory` extends `Map`, so iteration yields `[key, node]` pairs — use
+* `.values()` to get nodes directly.
+*/
 function readTopLevelFromIdealTree(tree, targetName) {
-  const root = tree;
-  const inventory = root?.inventory;
-  if (!inventory || typeof inventory.values !== "function") {
-    throw new import_error.ErrorCtor("Arborist idealTree missing inventory");
-  }
-  for (const node of inventory.values()) {
-    if (node.isProjectRoot) {
-      continue;
-    }
-    if (node.name === targetName && node.depth === 1) {
-      if (!node.version || !node.integrity) {
-        throw new import_error.ErrorCtor(
-          `Arborist idealTree node for ${targetName} missing version/integrity`
-        );
-      }
-      return {
-        name: node.name,
-        version: node.version,
-        integrity: node.integrity
-      };
-    }
-  }
-  throw new import_error.ErrorCtor(
-    `Arborist idealTree inventory has no top-level node for ${targetName}`
-  );
+	const inventory = tree?.inventory;
+	if (!inventory || typeof inventory.values !== "function") throw new require_primordials_error.ErrorCtor("Arborist idealTree missing inventory");
+	for (const node of inventory.values()) {
+		if (node.isProjectRoot) continue;
+		if (node.name === targetName && node.depth === 1) {
+			if (!node.version || !node.integrity) throw new require_primordials_error.ErrorCtor(`Arborist idealTree node for ${targetName} missing version/integrity`);
+			return {
+				name: node.name,
+				version: node.version,
+				integrity: node.integrity
+			};
+		}
+	}
+	throw new require_primordials_error.ErrorCtor(`Arborist idealTree inventory has no top-level node for ${targetName}`);
 }
+/**
+* Run Arborist in `packageLockOnly` mode against a directory that already
+* contains a `package.json` with a single dependency. Resolves the graph
+* against the registry and writes `package-lock.json` into `path`, but does NOT
+* install into `node_modules`.
+*
+* Used by snapshot/bootstrap flows to obtain a lockfile + top-level integrity
+* without paying for a full install.
+*
+* Uses `save: true` (rather than our usual `save: false`) so Arborist actually
+* writes the lockfile — without that flag, `reify()` in `packageLockOnly` mode
+* with no `add` list skips the write.
+*/
 async function safeIdealTree(options) {
-  const fs = (0, import_fs.getNodeFs)();
-  const path = (0, import_path.getNodePath)();
-  const { before, path: installPath, quiet = true } = options;
-  const targetName = readSingleDependency(
-    path.join(installPath, "package.json")
-  );
-  const arb = new import_arborist.default({
-    ...getBaseArboristOptions(installPath, { quiet }),
-    ...before !== void 0 ? { before } : {},
-    packageLockOnly: true,
-    save: true
-  });
-  const tree = await arb.buildIdealTree();
-  await arb.reify();
-  const top = readTopLevelFromIdealTree(tree, targetName);
-  const lockfile = await fs.promises.readFile(
-    path.join(installPath, "package-lock.json"),
-    "utf8"
-  );
-  return { ...top, lockfile };
+	const fs = /* @__PURE__ */ require_node_fs.getNodeFs();
+	const path = /* @__PURE__ */ require_node_path.getNodePath();
+	const { before, path: installPath, quiet = true } = options;
+	const targetName = readSingleDependency(path.join(installPath, "package.json"));
+	const arb = new src_external__npmcli_arborist.default({
+		...getBaseArboristOptions(installPath, { quiet }),
+		...before !== void 0 ? { before } : {},
+		packageLockOnly: true,
+		save: true
+	});
+	/* c8 ignore next - External Arborist call */
+	const tree = await arb.buildIdealTree();
+	/* c8 ignore next - External Arborist call */
+	await arb.reify();
+	const top = readTopLevelFromIdealTree(tree, targetName);
+	const lockfile = await fs.promises.readFile(path.join(installPath, "package-lock.json"), "utf8");
+	return {
+		...top,
+		lockfile
+	};
 }
+/**
+* Install into `node_modules` using Arborist's reify operation. Honors the
+* committed `package-lock.json` in `path` when `packageLock: true`.
+*
+* Does not fetch registry metadata for versions already pinned by the lockfile
+* — arborist uses the lockfile's `integrity` strings to fetch tarballs by ssri.
+* This is the strongest form of pinning pnpm/npm offer.
+*/
 async function safeReify(options) {
-  const { packageLock = true, path: installPath, quiet = true } = options;
-  const arb = new import_arborist.default({
-    ...getBaseArboristOptions(installPath, { quiet }),
-    packageLock
-  });
-  await arb.reify();
+	const { packageLock = true, path: installPath, quiet = true } = options;
+	/* c8 ignore next - External Arborist call */
+	await new src_external__npmcli_arborist.default({
+		...getBaseArboristOptions(installPath, { quiet }),
+		packageLock
+	}).reify();
 }
+/**
+* Write a hardened `.npmrc` into `path`. Used by both preview and pin flows as
+* a second layer of protection alongside the Arborist options.
+*
+* Content written (always): ignore-scripts=true audit=false fund=false
+* save=false save-bundle=false progress=false.
+*
+* When {@link WriteSafeNpmrcOptions.minReleaseDays} is set, also writes:
+* min-release-age=<days>
+*
+* When {@link WriteSafeNpmrcOptions.minReleaseMins} is set, also writes the
+* pnpm-style equivalent: minimum-release-age=<minutes>
+*/
 async function writeSafeNpmrc(installPath, options) {
-  const fs = (0, import_fs.getNodeFs)();
-  const path = (0, import_path.getNodePath)();
-  const { minReleaseDays, minReleaseMins } = {
-    __proto__: null,
-    ...options
-  };
-  if (minReleaseDays !== void 0 && minReleaseMins !== void 0) {
-    throw new import_error.ErrorCtor(
-      "writeSafeNpmrc: minReleaseDays and minReleaseMins are mutually exclusive"
-    );
-  }
-  const lines = [
-    "ignore-scripts=true",
-    "audit=false",
-    "fund=false",
-    "save=false",
-    "save-bundle=false",
-    "progress=false"
-  ];
-  if (minReleaseDays !== void 0) {
-    (0, import_array.ArrayPrototypePush)(lines, `min-release-age=${minReleaseDays}`);
-  }
-  if (minReleaseMins !== void 0) {
-    (0, import_array.ArrayPrototypePush)(lines, `minimum-release-age=${minReleaseMins}`);
-  }
-  await fs.promises.writeFile(
-    path.join(installPath, ".npmrc"),
-    lines.join("\n") + "\n",
-    "utf8"
-  );
+	const fs = /* @__PURE__ */ require_node_fs.getNodeFs();
+	const path = /* @__PURE__ */ require_node_path.getNodePath();
+	const { minReleaseDays, minReleaseMins } = {
+		__proto__: null,
+		...options
+	};
+	if (minReleaseDays !== void 0 && minReleaseMins !== void 0) throw new require_primordials_error.ErrorCtor("writeSafeNpmrc: minReleaseDays and minReleaseMins are mutually exclusive");
+	const lines = [
+		"ignore-scripts=true",
+		"audit=false",
+		"fund=false",
+		"save=false",
+		"save-bundle=false",
+		"progress=false"
+	];
+	if (minReleaseDays !== void 0) require_primordials_array.ArrayPrototypePush(lines, `min-release-age=${minReleaseDays}`);
+	if (minReleaseMins !== void 0) require_primordials_array.ArrayPrototypePush(lines, `minimum-release-age=${minReleaseMins}`);
+	await fs.promises.writeFile(path.join(installPath, ".npmrc"), lines.join("\n") + "\n", "utf8");
 }
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  getBaseArboristOptions,
-  readSingleDependency,
-  readTopLevelFromIdealTree,
-  safeIdealTree,
-  safeReify,
-  writeSafeNpmrc
-});
+
+//#endregion
+exports.getBaseArboristOptions = getBaseArboristOptions;
+exports.readSingleDependency = readSingleDependency;
+exports.readTopLevelFromIdealTree = readTopLevelFromIdealTree;
+exports.safeIdealTree = safeIdealTree;
+exports.safeReify = safeReify;
+exports.writeSafeNpmrc = writeSafeNpmrc;