@socketsecurity/lib 6.0.3 → 6.0.5

package/dist/packages/provenance.js

@@ -1,273 +1,223 @@
 "use strict";
-/* Socket Lib - Built with esbuild */
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var provenance_exports = {};
-__export(provenance_exports, {
-  TRUST_LEVELS: () => TRUST_LEVELS,
-  compareTrust: () => compareTrust,
-  didTrustDecrease: () => didTrustDecrease,
-  fetchPackageProvenance: () => fetchPackageProvenance,
-  findProvenance: () => findProvenance,
-  getAttestations: () => getAttestations,
-  getFetcher: () => getFetcher,
-  getProvenanceDetails: () => getProvenanceDetails,
-  getTrustLevel: () => getTrustLevel,
-  getTrustLevelName: () => getTrustLevelName,
-  getTrustStatus: () => getTrustStatus,
-  isTrustedPublisher: () => isTrustedPublisher
-});
-module.exports = __toCommonJS(provenance_exports);
-var import_agents = require("../constants/agents");
-var import_packages = require("../constants/packages");
-var import_make_fetch_happen = __toESM(require("../external/make-fetch-happen"));
-var import_signal = require("../abort/signal");
-var import_parse = require("../url/parse");
-var import_predicates = require("../objects/predicates");
-var import_array = require("../primordials/array");
-var import_buffer = require("../primordials/buffer");
-var import_json = require("../primordials/json");
-var import_object = require("../primordials/object");
-var import_string = require("../primordials/string");
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_runtime = require('../_virtual/_rolldown/runtime.js');
+const require_primordials_buffer = require('../primordials/buffer.js');
+const require_primordials_string = require('../primordials/string.js');
+const require_abort_signal = require('../abort/signal.js');
+const require_primordials_array = require('../primordials/array.js');
+const require_primordials_object = require('../primordials/object.js');
+const require_primordials_json = require('../primordials/json.js');
+const require_objects_predicates = require('../objects/predicates.js');
+const require_constants_agents = require('../constants/agents.js');
+const require_constants_packages = require('../constants/packages.js');
+const require_url_parse = require('../url/parse.js');
+let src_external_make_fetch_happen = require("../external/make-fetch-happen");
+src_external_make_fetch_happen = require_runtime.__toESM(src_external_make_fetch_happen);
+
+//#region src/packages/provenance.ts
+/**
+* @file Package provenance and attestation verification utilities.
+*/
 const SLSA_PROVENANCE_V0_2 = "https://slsa.dev/provenance/v0.2";
 const SLSA_PROVENANCE_V1_0 = "https://slsa.dev/provenance/v1";
 let _fetcher;
+/**
+* Comparator ordering two trust statuses by ascending trust level. Sorts an
+* array of statuses lowest-trust-first; negate for highest-first.
+*/
 function compareTrust(a, b) {
-  const levelA = getTrustLevel(a);
-  const levelB = getTrustLevel(b);
-  if (levelA < levelB) {
-    return -1;
-  }
-  if (levelA > levelB) {
-    return 1;
-  }
-  return 0;
+	const levelA = getTrustLevel(a);
+	const levelB = getTrustLevel(b);
+	if (levelA < levelB) return -1;
+	if (levelA > levelB) return 1;
+	return 0;
 }
+/**
+* Whether `next` sits at a lower trust level than `prev` — i.e. a release
+* regressed its supply-chain posture. Drives the post-publish provenance
+* reminder: a version that drops from trustedPublisher back to bare provenance
+* is a red flag worth surfacing.
+*/
 function didTrustDecrease(prev, next) {
-  return getTrustLevel(next) < getTrustLevel(prev);
+	return getTrustLevel(next) < getTrustLevel(prev);
 }
-// @__NO_SIDE_EFFECTS__
+/**
+* Fetch package provenance information from npm registry.
+*
+* @example
+*   ;```typescript
+*   const provenance = await fetchPackageProvenance('lodash', '4.17.21')
+*   ```
+*/
+/* @__NO_SIDE_EFFECTS__ */
 async function fetchPackageProvenance(pkgName, pkgVersion, options) {
-  const { signal, timeout = 1e4 } = {
-    __proto__: null,
-    ...options
-  };
-  if (signal?.aborted) {
-    return void 0;
-  }
-  const timeoutSignal = (0, import_signal.createTimeoutSignal)(timeout);
-  const compositeSignal = (0, import_signal.createCompositeAbortSignal)(signal, timeoutSignal);
-  const fetcher = /* @__PURE__ */ getFetcher();
-  try {
-    const response = await fetcher(
-      // The npm registry attestations API endpoint.
-      `${import_agents.NPM_REGISTRY_URL}/-/npm/v1/attestations/${encodeURIComponent(pkgName)}@${encodeURIComponent(pkgVersion)}`,
-      {
-        method: "GET",
-        signal: compositeSignal,
-        headers: {
-          "User-Agent": "socket-registry"
-        }
-      }
-    );
-    if (response.ok) {
-      return getProvenanceDetails(await response.json());
-    }
-  } catch {
-  }
-  return void 0;
+	const { signal, timeout = 1e4 } = {
+		__proto__: null,
+		...options
+	};
+	if (signal?.aborted) return;
+	const compositeSignal = require_abort_signal.createCompositeAbortSignal(signal, require_abort_signal.createTimeoutSignal(timeout));
+	const fetcher = /* @__PURE__ */ getFetcher();
+	try {
+		const response = await fetcher(`${require_constants_agents.NPM_REGISTRY_URL}/-/npm/v1/attestations/${encodeURIComponent(pkgName)}@${encodeURIComponent(pkgVersion)}`, {
+			method: "GET",
+			signal: compositeSignal,
+			headers: { "User-Agent": "socket-registry" }
+		});
+		if (response.ok) return getProvenanceDetails(await response.json());
+	} catch {}
 }
+/**
+* Find the first attestation with valid provenance data.
+*/
 function findProvenance(attestations) {
-  for (const attestation of attestations) {
-    const att = attestation;
-    try {
-      let predicate = att.predicate;
-      if (!predicate && att.bundle?.dsseEnvelope?.payload) {
-        try {
-          const decodedPayload = (0, import_buffer.BufferFrom)(
-            att.bundle.dsseEnvelope.payload,
-            "base64"
-          ).toString("utf8");
-          const statement = (0, import_json.JSONParse)(decodedPayload);
-          predicate = statement.predicate;
-        } catch {
-          continue;
-        }
-      }
-      const predicateData = predicate;
-      if (predicateData?.buildDefinition?.externalParameters) {
-        return {
-          predicate,
-          externalParameters: predicateData.buildDefinition.externalParameters
-        };
-      }
-    } catch {
-    }
-  }
-  return void 0;
+	for (const attestation of attestations) {
+		const att = attestation;
+		try {
+			let predicate = att.predicate;
+			if (!predicate && att.bundle?.dsseEnvelope?.payload) try {
+				predicate = require_primordials_json.JSONParse(require_primordials_buffer.BufferFrom(att.bundle.dsseEnvelope.payload, "base64").toString("utf8")).predicate;
+			} catch {
+				continue;
+			}
+			const predicateData = predicate;
+			if (predicateData?.buildDefinition?.externalParameters) return {
+				predicate,
+				externalParameters: predicateData.buildDefinition.externalParameters
+			};
+		} catch {}
+	}
 }
+/**
+* Extract and filter SLSA provenance attestations from attestation data.
+*/
 function getAttestations(attestationData) {
-  const data = attestationData;
-  if (!data.attestations || !(0, import_array.ArrayIsArray)(data.attestations)) {
-    return [];
-  }
-  return data.attestations.filter((attestation) => {
-    const att = attestation;
-    return att.predicateType === SLSA_PROVENANCE_V0_2 || att.predicateType === SLSA_PROVENANCE_V1_0;
-  });
+	const data = attestationData;
+	if (!data.attestations || !require_primordials_array.ArrayIsArray(data.attestations)) return [];
+	return data.attestations.filter((attestation) => {
+		const att = attestation;
+		return att.predicateType === SLSA_PROVENANCE_V0_2 || att.predicateType === SLSA_PROVENANCE_V1_0;
+	});
 }
-// @__NO_SIDE_EFFECTS__
+/* @__NO_SIDE_EFFECTS__ */
 function getFetcher() {
-  if (_fetcher === void 0) {
-    _fetcher = import_make_fetch_happen.default.defaults({
-      cachePath: (0, import_packages.getPacoteCachePath)(),
-      // Prefer-offline: Staleness checks for cached data will be bypassed, but
-      // missing data will be requested from the server.
-      // https://github.com/npm/make-fetch-happen?tab=readme-ov-file#--optscache
-      cache: "force-cache"
-    });
-  }
-  return _fetcher;
+	if (_fetcher === void 0) _fetcher = src_external_make_fetch_happen.default.defaults({
+		cachePath: /* @__PURE__ */ require_constants_packages.getPacoteCachePath(),
+		cache: "force-cache"
+	});
+	return _fetcher;
 }
+/**
+* Convert raw attestation data to user-friendly provenance details.
+*
+* @example
+*   ;```typescript
+*   const details = getProvenanceDetails(attestationData)
+*   // { level: 'trusted', repository: '...', commitSha: '...' }
+*   ```
+*/
 function getProvenanceDetails(attestationData) {
-  const attestations = getAttestations(attestationData);
-  if (!attestations.length) {
-    return void 0;
-  }
-  const provenance = findProvenance(attestations);
-  if (!provenance) {
-    return { level: "attested" };
-  }
-  const provenanceData = provenance;
-  const { externalParameters, predicate } = provenanceData;
-  const def = predicate?.buildDefinition;
-  const workflow = externalParameters?.workflow;
-  const workflowRef = workflow?.ref || externalParameters?.workflow_ref;
-  const workflowUrl = externalParameters?.context;
-  const workflowPlatform = def?.buildType;
-  const repository = workflow?.repository || externalParameters?.repository;
-  const gitRef = externalParameters?.ref || workflow?.ref;
-  const commitSha = externalParameters?.sha;
-  const workflowRunId = externalParameters?.run_id;
-  const trusted = isTrustedPublisher(workflowRef) || isTrustedPublisher(workflowUrl) || isTrustedPublisher(workflowPlatform) || isTrustedPublisher(repository);
-  return {
-    commitSha,
-    gitRef,
-    level: trusted ? "trusted" : "attested",
-    repository,
-    workflowRef,
-    workflowUrl,
-    workflowPlatform,
-    workflowRunId
-  };
+	const attestations = getAttestations(attestationData);
+	if (!attestations.length) return;
+	const provenance = findProvenance(attestations);
+	if (!provenance) return { level: "attested" };
+	const { externalParameters, predicate } = provenance;
+	const def = predicate?.buildDefinition;
+	const workflow = externalParameters?.workflow;
+	const workflowRef = workflow?.ref || externalParameters?.workflow_ref;
+	const workflowUrl = externalParameters?.context;
+	const workflowPlatform = def?.buildType;
+	const repository = workflow?.repository || externalParameters?.repository;
+	const gitRef = externalParameters?.ref || workflow?.ref;
+	const commitSha = externalParameters?.sha;
+	const workflowRunId = externalParameters?.run_id;
+	return {
+		commitSha,
+		gitRef,
+		level: isTrustedPublisher(workflowRef) || isTrustedPublisher(workflowUrl) || isTrustedPublisher(workflowPlatform) || isTrustedPublisher(repository) ? "trusted" : "attested",
+		repository,
+		workflowRef,
+		workflowUrl,
+		workflowPlatform,
+		workflowRunId
+	};
 }
+/**
+* Map a trust status to its 0..3 ladder level.
+*/
 function getTrustLevel(status) {
-  if (status.stagedPublish) {
-    return 3;
-  }
-  if (status.trustedPublisher && status.provenance) {
-    return 2;
-  }
-  if (status.provenance) {
-    return 1;
-  }
-  return 0;
+	if (status.stagedPublish) return 3;
+	if (status.trustedPublisher && status.provenance) return 2;
+	if (status.provenance) return 1;
+	return 0;
 }
+/**
+* Map a trust status to its human-readable level name.
+*/
 function getTrustLevelName(status) {
-  return TRUST_LEVELS[getTrustLevel(status)];
+	return TRUST_LEVELS[getTrustLevel(status)];
 }
+/**
+* Extract provenance / trusted-publisher / staged-publish flags from a registry
+* version document.
+*/
 function getTrustStatus(meta) {
-  const status = {
-    provenance: false,
-    trustedPublisher: false,
-    // Reserved: the npm registry does not yet expose a staged-publish flag, so
-    // this stays false until a registry signal exists to set it.
-    stagedPublish: false
-  };
-  if (!(0, import_predicates.isObject)(meta)) {
-    return status;
-  }
-  const npmUser = (0, import_object.ObjectHasOwn)(meta, "_npmUser") ? meta["_npmUser"] : void 0;
-  if ((0, import_predicates.isObject)(npmUser) && (0, import_object.ObjectHasOwn)(npmUser, "trustedPublisher") && npmUser["trustedPublisher"]) {
-    status.trustedPublisher = true;
-  }
-  const dist = (0, import_object.ObjectHasOwn)(meta, "dist") ? meta["dist"] : void 0;
-  const attestations = (0, import_predicates.isObject)(dist) && (0, import_object.ObjectHasOwn)(dist, "attestations") ? dist["attestations"] : void 0;
-  if ((0, import_predicates.isObject)(attestations) && (0, import_object.ObjectHasOwn)(attestations, "provenance") && attestations["provenance"]) {
-    status.provenance = true;
-  }
-  return status;
+	const status = {
+		provenance: false,
+		trustedPublisher: false,
+		stagedPublish: false
+	};
+	if (!/* @__PURE__ */ require_objects_predicates.isObject(meta)) return status;
+	const npmUser = require_primordials_object.ObjectHasOwn(meta, "_npmUser") ? meta["_npmUser"] : void 0;
+	if (/* @__PURE__ */ require_objects_predicates.isObject(npmUser) && require_primordials_object.ObjectHasOwn(npmUser, "trustedPublisher") && npmUser["trustedPublisher"]) status.trustedPublisher = true;
+	const dist = require_primordials_object.ObjectHasOwn(meta, "dist") ? meta["dist"] : void 0;
+	const attestations = /* @__PURE__ */ require_objects_predicates.isObject(dist) && require_primordials_object.ObjectHasOwn(dist, "attestations") ? dist["attestations"] : void 0;
+	if (/* @__PURE__ */ require_objects_predicates.isObject(attestations) && require_primordials_object.ObjectHasOwn(attestations, "provenance") && attestations["provenance"]) status.provenance = true;
+	return status;
 }
+/**
+* Check if a value indicates a trusted publisher (GitHub or GitLab).
+*/
 function isTrustedPublisher(value) {
-  if (typeof value !== "string" || !value) {
-    return false;
-  }
-  let url = (0, import_parse.parseUrl)(value);
-  let hostname = url?.hostname;
-  if (!url && (0, import_string.StringPrototypeIncludes)(value, "@")) {
-    const firstPart = (0, import_string.StringPrototypeSplit)(value, "@")[0];
-    if (firstPart) {
-      url = (0, import_parse.parseUrl)(firstPart);
-    }
-    if (url) {
-      hostname = url.hostname;
-    }
-  }
-  if (!url) {
-    const httpsUrl = (0, import_parse.parseUrl)(`https://${value}`);
-    if (httpsUrl) {
-      hostname = httpsUrl.hostname;
-    }
-  }
-  if (hostname) {
-    return hostname === "github.com" || (0, import_string.StringPrototypeEndsWith)(hostname, ".github.com") || hostname === "gitlab.com" || (0, import_string.StringPrototypeEndsWith)(hostname, ".gitlab.com");
-  }
-  return (0, import_string.StringPrototypeIncludes)(value, "github") || (0, import_string.StringPrototypeIncludes)(value, "gitlab");
+	if (typeof value !== "string" || !value) return false;
+	let url = /* @__PURE__ */ require_url_parse.parseUrl(value);
+	let hostname = url?.hostname;
+	if (!url && require_primordials_string.StringPrototypeIncludes(value, "@")) {
+		const firstPart = require_primordials_string.StringPrototypeSplit(value, "@")[0];
+		if (firstPart) url = /* @__PURE__ */ require_url_parse.parseUrl(firstPart);
+		if (url) hostname = url.hostname;
+	}
+	if (!url) {
+		const httpsUrl = /* @__PURE__ */ require_url_parse.parseUrl(`https://${value}`);
+		if (httpsUrl) hostname = httpsUrl.hostname;
+	}
+	if (hostname) return hostname === "github.com" || require_primordials_string.StringPrototypeEndsWith(hostname, ".github.com") || hostname === "gitlab.com" || require_primordials_string.StringPrototypeEndsWith(hostname, ".gitlab.com");
+	return require_primordials_string.StringPrototypeIncludes(value, "github") || require_primordials_string.StringPrototypeIncludes(value, "gitlab");
 }
+/**
+* Trust ladder, low → high. The index IS the level (0..3), so a single array
+* maps both directions: `TRUST_LEVELS[level]` → name, and
+* `TRUST_LEVELS.indexOf(name)` → level. One source of truth, no parallel Record
+* to keep in sync.
+*/
 const TRUST_LEVELS = [
-  "none",
-  "provenance",
-  "trustedPublisher",
-  "stagedPublish"
+	"none",
+	"provenance",
+	"trustedPublisher",
+	"stagedPublish"
 ];
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  TRUST_LEVELS,
-  compareTrust,
-  didTrustDecrease,
-  fetchPackageProvenance,
-  findProvenance,
-  getAttestations,
-  getFetcher,
-  getProvenanceDetails,
-  getTrustLevel,
-  getTrustLevelName,
-  getTrustStatus,
-  isTrustedPublisher
-});
+
+//#endregion
+exports.TRUST_LEVELS = TRUST_LEVELS;
+exports.compareTrust = compareTrust;
+exports.didTrustDecrease = didTrustDecrease;
+exports.fetchPackageProvenance = fetchPackageProvenance;
+exports.findProvenance = findProvenance;
+exports.getAttestations = getAttestations;
+exports.getFetcher = getFetcher;
+exports.getProvenanceDetails = getProvenanceDetails;
+exports.getTrustLevel = getTrustLevel;
+exports.getTrustLevelName = getTrustLevelName;
+exports.getTrustStatus = getTrustStatus;
+exports.isTrustedPublisher = isTrustedPublisher;