@socketsecurity/lib 6.0.4 → 6.0.6

package/dist/node/path.js

@@ -4,9 +4,9 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
 //#region src/node/path.ts
 let _path;
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getNodePath() {
-	return _path ??= /* @__PURE__ */ require("node:path");
+	return _path ??= /*@__PURE__*/ require("node:path");
 }
 
 //#endregion

package/dist/node/timers-promises.js

@@ -4,9 +4,9 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
 //#region src/node/timers-promises.ts
 let _timersPromises;
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getNodeTimersPromises() {
-	return _timersPromises ??= /* @__PURE__ */ require("node:timers/promises");
+	return _timersPromises ??= /*@__PURE__*/ require("node:timers/promises");
 }
 
 //#endregion

package/dist/node/url.js

@@ -4,9 +4,9 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
 //#region src/node/url.ts
 let _url;
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getNodeUrl() {
-	return _url ??= /* @__PURE__ */ require("node:url");
+	return _url ??= /*@__PURE__*/ require("node:url");
 }
 
 //#endregion

package/dist/node/util.js

@@ -4,9 +4,9 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
 //#region src/node/util.ts
 let _util;
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getNodeUtil() {
-	return _util ??= /* @__PURE__ */ require("node:util");
+	return _util ??= /*@__PURE__*/ require("node:util");
 }
 
 //#endregion

package/dist/objects/getters.js

@@ -49,7 +49,7 @@ const require_objects_sort = require('./sort.js');
 *
 * @returns A frozen object with all specified properties
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function createConstantsObject(props, options_) {
 	const options = {
 		__proto__: null,
@@ -107,7 +107,7 @@ function createConstantsObject(props, options_) {
 *
 * @returns A memoized getter function
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function createLazyGetter(name, getter, stats) {
 	const UNCOMPUTED = {};
 	let lazyValue = UNCOMPUTED;

package/dist/objects/inspect.js

@@ -28,7 +28,7 @@ const require_objects_predicates = require('./predicates.js');
 *
 * @returns Array of enumerable string keys, or empty array for non-objects
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getKeys(obj) {
 	return /* @__PURE__ */ require_objects_predicates.isObject(obj) ? require_primordials_object.ObjectKeys(obj) : [];
 }
@@ -54,7 +54,7 @@ function getKeys(obj) {
 * @returns The property value, or `undefined` if not found or obj is
 *   null/undefined.
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getOwn(obj, propKey) {
 	if (obj === null || obj === void 0) return;
 	return require_primordials_object.ObjectHasOwn(obj, propKey) ? obj[propKey] : void 0;
@@ -76,7 +76,7 @@ function getOwn(obj, propKey) {
 *
 * @returns Array of all own property values, or empty array for null/undefined
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getOwnPropertyValues(obj) {
 	if (obj === null || obj === void 0) return [];
 	const keys = require_primordials_object.ObjectGetOwnPropertyNames(obj);

package/dist/objects/mutate.js

@@ -42,7 +42,7 @@ const require_objects_predicates = require('./predicates.js');
 *
 * @returns The modified target object
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function merge(target, source) {
 	if (!/* @__PURE__ */ require_objects_predicates.isObject(target) || !/* @__PURE__ */ require_objects_predicates.isObject(source)) return target;
 	const queue = [[target, source]];

package/dist/objects/predicates.js

@@ -31,7 +31,7 @@ const require_arrays_predicates = require('../arrays/predicates.js');
 *
 * @returns `true` if obj has enumerable own properties, `false` otherwise
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function hasKeys(obj) {
 	if (obj === null || obj === void 0) return false;
 	for (const key in obj) if (require_primordials_object.ObjectHasOwn(obj, key)) return true;
@@ -58,7 +58,7 @@ function hasKeys(obj) {
 *
 * @returns `true` if obj has the property as an own property, `false` otherwise
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function hasOwn(obj, propKey) {
 	if (obj === null || obj === void 0) return false;
 	return require_primordials_object.ObjectHasOwn(obj, propKey);
@@ -83,7 +83,7 @@ function hasOwn(obj, propKey) {
 *
 * @returns `true` if value is an object (including arrays), `false` otherwise
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isObject(value) {
 	return value !== null && typeof value === "object";
 }
@@ -107,7 +107,7 @@ function isObject(value) {
 *
 * @returns `true` if value is a plain object, `false` otherwise
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isPlainObject(value) {
 	if (value === null || typeof value !== "object" || require_arrays_predicates.isArray(value)) return false;
 	const proto = require_primordials_object.ObjectGetPrototypeOf(value);

package/dist/objects/sort.js

@@ -35,7 +35,7 @@ const require_sorts_natural = require('../sorts/natural.js');
 *
 * @returns Negative if a < b, positive if a > b, zero if equal
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function entryKeyComparator(a, b) {
 	const keyA = a[0];
 	const keyB = b[0];
@@ -58,7 +58,7 @@ function entryKeyComparator(a, b) {
 *
 * @returns Array of [key, value] tuples, or empty array for null/undefined
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function objectEntries(obj) {
 	if (obj === null || obj === void 0) return [];
 	const keys = require_primordials_reflect.ReflectOwnKeys(obj);
@@ -87,7 +87,7 @@ function objectEntries(obj) {
 *
 * @returns A new object with sorted keys
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function toSortedObject(obj) {
 	return /* @__PURE__ */ toSortedObjectFromEntries(/* @__PURE__ */ objectEntries(obj));
 }
@@ -112,7 +112,7 @@ function toSortedObject(obj) {
 *
 * @returns A new object with sorted keys
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function toSortedObjectFromEntries(entries) {
 	const otherEntries = [];
 	const symbolEntries = [];

package/dist/packages/edit-class.js

@@ -35,7 +35,7 @@ let _EditablePackageJsonClass;
 *   console.log(pkg.content.name)
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getEditablePackageJsonClass() {
 	if (_EditablePackageJsonClass === void 0) _EditablePackageJsonClass = class EditablePackageJson extends src_external__npmcli_package_json.default {
 		static fixSteps = src_external__npmcli_package_json.default.fixSteps;

package/dist/packages/edit.js

@@ -35,7 +35,7 @@ const require_packages_edit_class = require('./edit-class.js');
 *   )
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function toEditablePackageJson(pkgJson, options) {
 	const { path: filepath, ...restOptions } = {
 		__proto__: null,
@@ -62,7 +62,7 @@ async function toEditablePackageJson(pkgJson, options) {
 *   )
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function toEditablePackageJsonSync(pkgJson, options) {
 	const { path: filepath, ...restOptions } = {
 		__proto__: null,

package/dist/packages/exports.js

@@ -26,7 +26,7 @@ const require_objects_predicates = require('../objects/predicates.js');
 *   // types === './dist/index.d.ts'
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function findTypesForSubpath(entryExports, subpath) {
 	const queue = [entryExports];
 	let pos = 0;
@@ -57,7 +57,7 @@ function findTypesForSubpath(entryExports, subpath) {
 *   getExportFilePaths(exports) // ['./dist/index.js', './dist/utils.js']
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getExportFilePaths(entryExports) {
 	if (!/* @__PURE__ */ require_objects_predicates.isObject(entryExports)) return [];
 	const paths = [];
@@ -88,7 +88,7 @@ function getExportFilePaths(entryExports) {
 *   getSubpaths(exports) // ['.', './utils']
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getSubpaths(entryExports) {
 	if (!/* @__PURE__ */ require_objects_predicates.isObject(entryExports)) return [];
 	return require_primordials_object.ObjectGetOwnPropertyNames(entryExports).filter((key) => require_primordials_string.StringPrototypeStartsWith(key, "."));
@@ -102,7 +102,7 @@ function getSubpaths(entryExports) {
 *   isConditionalExports({ '.': './index.js' }) // false
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isConditionalExports(entryExports) {
 	if (!/* @__PURE__ */ require_objects_predicates.isPlainObject(entryExports)) return false;
 	const keys = require_primordials_object.ObjectGetOwnPropertyNames(entryExports);
@@ -123,7 +123,7 @@ function isConditionalExports(entryExports) {
 *   isSubpathExports({ import: './index.mjs' }) // false
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isSubpathExports(entryExports) {
 	if (/* @__PURE__ */ require_objects_predicates.isPlainObject(entryExports)) {
 		const keys = require_primordials_object.ObjectGetOwnPropertyNames(entryExports);
@@ -143,7 +143,7 @@ function isSubpathExports(entryExports) {
 *   // { '.': './index.js' }
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function resolvePackageJsonEntryExports(entryExports) {
 	if (typeof entryExports === "string" || require_arrays_predicates.isArray(entryExports)) return { ".": entryExports };
 	if (/* @__PURE__ */ isConditionalExports(entryExports)) return entryExports;

package/dist/packages/licenses.js

@@ -33,7 +33,7 @@ const fileReferenceRegExp = /^SEE LICEN[CS]E IN (.+)$/;
 *   // incompatible contains only the GPL-3.0 node
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function collectIncompatibleLicenses(licenseNodes) {
 	const result = [];
 	for (let i = 0, { length } = licenseNodes; i < length; i += 1) {
@@ -51,7 +51,7 @@ function collectIncompatibleLicenses(licenseNodes) {
 *   collectLicenseWarnings(nodes) // ['Package is unlicensed']
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function collectLicenseWarnings(licenseNodes) {
 	const warnings = new require_primordials_map_set.MapCtor();
 	for (let i = 0, { length } = licenseNodes; i < length; i += 1) {
@@ -73,7 +73,7 @@ function collectLicenseWarnings(licenseNodes) {
 *   // node.type === 'License'
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function createAstNode(rawNode) {
 	return /* @__PURE__ */ require_objects_predicates.hasOwn(rawNode, "license") ? /* @__PURE__ */ createLicenseNode(rawNode) : /* @__PURE__ */ createBinaryOperationNode(rawNode);
 }
@@ -91,7 +91,7 @@ function createAstNode(rawNode) {
 *   // node.type === 'BinaryOperation'
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function createBinaryOperationNode(rawNodeParam) {
 	let left;
 	let right;
@@ -127,7 +127,7 @@ function createBinaryOperationNode(rawNodeParam) {
 *   // node.type === 'License' && node.license === 'MIT'
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function createLicenseNode(rawNode) {
 	return {
 		__proto__: null,
@@ -144,7 +144,7 @@ function createLicenseNode(rawNode) {
 *   // ast is a BinaryOperation node with MIT and Apache-2.0 leaves
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function parseSpdxExp(spdxExp) {
 	try {
 		return (0, src_external_spdx_expression_parse.default)(spdxExp);
@@ -161,7 +161,7 @@ function parseSpdxExp(spdxExp) {
 *   // [{ license: 'MIT' }]
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function resolvePackageLicenses(licenseFieldValue, where) {
 	if (licenseFieldValue === "UNLICENSED" || licenseFieldValue === "UNLICENCED") return [{ license: "UNLICENSED" }];
 	const match = require_primordials_regexp.RegExpPrototypeExec(fileReferenceRegExp, licenseFieldValue);
@@ -190,7 +190,7 @@ function resolvePackageLicenses(licenseFieldValue, where) {
 *   // licenses === ['MIT', 'Apache-2.0']
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function visitLicenses(ast, visitor) {
 	const queue = [[/* @__PURE__ */ createAstNode(ast), void 0]];
 	let pos = 0;

package/dist/packages/manifest.js

@@ -38,7 +38,7 @@ const pkgScopePrefixRegExp = /^@socketregistry\//;
 *   })
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function createPackageJson(sockRegPkgName, directory, options) {
 	const { dependencies, description, engines, exports: entryExportsRaw, files, keywords, main, overrides, resolutions, sideEffects, socket, type, version } = {
 		__proto__: null,
@@ -91,7 +91,7 @@ function createPackageJson(sockRegPkgName, directory, options) {
 *   const manifest = await fetchPackageManifest('lodash@4.17.21')
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function fetchPackageManifest(pkgNameOrId, options) {
 	const pacoteOptions = {
 		__proto__: null,
@@ -123,7 +123,7 @@ async function fetchPackageManifest(pkgNameOrId, options) {
 *   const packument = await fetchPackagePackument('lodash')
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function fetchPackagePackument(pkgNameOrId, options) {
 	try {
 		return await src_external_pacote.default.packument(pkgNameOrId, {

package/dist/packages/normalize.js

@@ -30,7 +30,7 @@ function getEscapedScopeRegExp() {
 *   const normalized = normalizePackageJson(pkgJson)
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function normalizePackageJson(pkgJson, options) {
 	const { preserve } = {
 		__proto__: null,
@@ -62,7 +62,7 @@ function normalizePackageJson(pkgJson, options) {
 *   resolveEscapedScope('lodash') // undefined
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function resolveEscapedScope(sockRegPkgName) {
 	return require_primordials_regexp.RegExpPrototypeExec(getEscapedScopeRegExp(), sockRegPkgName)?.[0] || void 0;
 }
@@ -74,7 +74,7 @@ function resolveEscapedScope(sockRegPkgName) {
 *   resolveOriginalPackageName('@socketregistry/is-number') // 'is-number'
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function resolveOriginalPackageName(sockRegPkgName) {
 	const name = require_primordials_string.StringPrototypeStartsWith(sockRegPkgName, `${"@socketregistry"}/`) ? sockRegPkgName.slice(require_constants_socket.SOCKET_REGISTRY_SCOPE.length + 1) : sockRegPkgName;
 	const escapedScope = /* @__PURE__ */ resolveEscapedScope(name);
@@ -88,7 +88,7 @@ function resolveOriginalPackageName(sockRegPkgName) {
 *   unescapeScope('babel__') // '@babel'
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function unescapeScope(escapedScope) {
 	if (escapedScope.length < "__".length) return `@${escapedScope}`;
 	return `@${escapedScope.slice(0, -"__".length)}`;

package/dist/packages/operations.js

@@ -45,7 +45,7 @@ let _fetcher;
 *   await extractPackage('lodash@4.17.21', { dest: '/tmp/lodash' })
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function extractPackage(pkgNameOrId, options, callback) {
 	let actualCallback = callback;
 	let actualOptions = options;
@@ -80,7 +80,7 @@ async function extractPackage(pkgNameOrId, options, callback) {
 *   const extensions = findPackageExtensions('my-pkg', '1.0.0')
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function findPackageExtensions(pkgName, pkgVer) {
 	let result;
 	for (const entry of packageExtensions) {
@@ -114,7 +114,7 @@ function getFetcher() {
 *   getReleaseTag('lodash') // ''
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getReleaseTag(spec) {
 	if (!spec) return "";
 	let atIndex = -1;
@@ -131,7 +131,7 @@ function getReleaseTag(spec) {
 *   const tarball = await packPackage('lodash@4.17.21')
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function packPackage(spec, options) {
 	/* c8 ignore start - External package registry packing */
 	return await (0, src_external_libnpmpack.default)(spec, {
@@ -155,9 +155,9 @@ async function packPackage(spec, options) {
 *   pkgNameToSlug('lodash') // 'lodash'
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function pkgNameToSlug(pkgName) {
-	return pkgName.charCodeAt(0) === 64 ? `${pkgName.slice(1).replace("/", "-")}` : pkgName;
+	return require_primordials_string.StringPrototypeCharCodeAt(pkgName, 0) === 64 ? `${pkgName.slice(1).replace("/", "-")}` : pkgName;
 }
 /**
 * Read and parse a package.json file asynchronously.
@@ -168,7 +168,7 @@ function pkgNameToSlug(pkgName) {
 *   console.log(pkgJson?.name)
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function readPackageJson(filepath, options) {
 	const { editable, normalize, throws, ...normalizeOptions } = {
 		__proto__: null,
@@ -193,7 +193,7 @@ async function readPackageJson(filepath, options) {
 *   console.log(pkgJson?.name)
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function readPackageJsonSync(filepath, options) {
 	const { editable, normalize, throws, ...normalizeOptions } = {
 		__proto__: null,
@@ -217,7 +217,7 @@ function readPackageJsonSync(filepath, options) {
 *   const url = await resolveGitHubTgzUrl('my-pkg@1.0.0', '/tmp/my-project')
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function resolveGitHubTgzUrl(pkgNameOrId, where) {
 	const whereIsPkgJson = /* @__PURE__ */ require_objects_predicates.isPlainObject(where);
 	const pkgJson = whereIsPkgJson ? where : await /* @__PURE__ */ readPackageJson(where, { normalize: true });
@@ -268,7 +268,7 @@ async function resolveGitHubTgzUrl(pkgNameOrId, where) {
 *   resolvePackageName({ name: 'lodash' }) // 'lodash'
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function resolvePackageName(purlObj, delimiter = "/") {
 	const { name, namespace } = purlObj;
 	return `${namespace ? `${namespace}${delimiter}` : ""}${name}`;
@@ -282,7 +282,7 @@ function resolvePackageName(purlObj, delimiter = "/") {
 *   resolveRegistryPackageName('lodash') // 'lodash'
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function resolveRegistryPackageName(pkgName) {
 	const input = `pkg:npm/${pkgName}`;
 	const smolPurl = /* @__PURE__ */ require_smol_purl.getSmolPurl();

package/dist/packages/provenance.d.ts

@@ -53,6 +53,12 @@ export declare function getTrustLevelName(status: TrustStatus): TrustLevelName;
 /**
  * Extract provenance / trusted-publisher / staged-publish flags from a registry
  * version document.
+ *
+ * Staged-publish detection follows pnpm/pnpm#12056: `_npmUser.approver` is set
+ * by the registry when a package version was promoted out of staging via a
+ * 2FA-gated approve step. That signal ranks ABOVE both `trustedPublisher` and
+ * `provenance` in pnpm's trust-evidence ladder, because it adds a human
+ * approval gate on top of the OIDC publisher identity.
  */
 export declare function getTrustStatus(meta: unknown): TrustStatus;
 /**

package/dist/packages/provenance.js

@@ -50,7 +50,7 @@ function didTrustDecrease(prev, next) {
 *   const provenance = await fetchPackageProvenance('lodash', '4.17.21')
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function fetchPackageProvenance(pkgName, pkgVersion, options) {
 	const { signal, timeout = 1e4 } = {
 		__proto__: null,
@@ -100,7 +100,7 @@ function getAttestations(attestationData) {
 		return att.predicateType === SLSA_PROVENANCE_V0_2 || att.predicateType === SLSA_PROVENANCE_V1_0;
 	});
 }
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getFetcher() {
 	if (_fetcher === void 0) _fetcher = src_external_make_fetch_happen.default.defaults({
 		cachePath: /* @__PURE__ */ require_constants_packages.getPacoteCachePath(),
@@ -161,6 +161,12 @@ function getTrustLevelName(status) {
 /**
 * Extract provenance / trusted-publisher / staged-publish flags from a registry
 * version document.
+*
+* Staged-publish detection follows pnpm/pnpm#12056: `_npmUser.approver` is set
+* by the registry when a package version was promoted out of staging via a
+* 2FA-gated approve step. That signal ranks ABOVE both `trustedPublisher` and
+* `provenance` in pnpm's trust-evidence ladder, because it adds a human
+* approval gate on top of the OIDC publisher identity.
 */
 function getTrustStatus(meta) {
 	const status = {
@@ -170,7 +176,10 @@ function getTrustStatus(meta) {
 	};
 	if (!/* @__PURE__ */ require_objects_predicates.isObject(meta)) return status;
 	const npmUser = require_primordials_object.ObjectHasOwn(meta, "_npmUser") ? meta["_npmUser"] : void 0;
-	if (/* @__PURE__ */ require_objects_predicates.isObject(npmUser) && require_primordials_object.ObjectHasOwn(npmUser, "trustedPublisher") && npmUser["trustedPublisher"]) status.trustedPublisher = true;
+	if (/* @__PURE__ */ require_objects_predicates.isObject(npmUser)) {
+		if (require_primordials_object.ObjectHasOwn(npmUser, "approver") && npmUser["approver"]) status.stagedPublish = true;
+		if (require_primordials_object.ObjectHasOwn(npmUser, "trustedPublisher") && npmUser["trustedPublisher"]) status.trustedPublisher = true;
+	}
 	const dist = require_primordials_object.ObjectHasOwn(meta, "dist") ? meta["dist"] : void 0;
 	const attestations = /* @__PURE__ */ require_objects_predicates.isObject(dist) && require_primordials_object.ObjectHasOwn(dist, "attestations") ? dist["attestations"] : void 0;
 	if (/* @__PURE__ */ require_objects_predicates.isObject(attestations) && require_primordials_object.ObjectHasOwn(attestations, "provenance") && attestations["provenance"]) status.provenance = true;

package/dist/packages/specs.js

@@ -21,7 +21,7 @@ src_external_npm_package_arg = require_runtime.__toESM(src_external_npm_package_
 *   // { user: 'lodash', project: 'lodash' }
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getRepoUrlDetails(repoUrl = "") {
 	const match = /^(?:[a-z][a-z+]*:\/\/)(?:[^/@]+@)?github\.com\/([^?#]+)(?:[?#]|$)/i.exec(repoUrl);
 	if (!match || !match[1]) return {
@@ -45,7 +45,7 @@ function getRepoUrlDetails(repoUrl = "") {
 *   // 'https://api.github.com/repos/lodash/lodash/git/ref/tags/v4.17.21'
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function gitHubTagRefUrl(user, project, tag) {
 	return `https://api.github.com/repos/${user}/${project}/git/ref/tags/${tag}`;
 }
@@ -58,7 +58,7 @@ function gitHubTagRefUrl(user, project, tag) {
 *   // 'https://github.com/lodash/lodash/archive/abc123.tar.gz'
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function gitHubTgzUrl(user, project, sha) {
 	return `https://github.com/${user}/${project}/archive/${sha}.tar.gz`;
 }
@@ -71,7 +71,7 @@ function gitHubTgzUrl(user, project, sha) {
 *   isGitHubTgzSpec('lodash@4.17.21') // false
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isGitHubTgzSpec(spec, where) {
 	let parsedSpec;
 	if (/* @__PURE__ */ require_objects_predicates.isPlainObject(spec)) parsedSpec = spec;
@@ -88,7 +88,7 @@ function isGitHubTgzSpec(spec, where) {
 *   isGitHubUrlSpec('lodash@4.17.21') // false
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isGitHubUrlSpec(spec, where) {
 	let parsedSpec;
 	if (/* @__PURE__ */ require_objects_predicates.isPlainObject(spec)) parsedSpec = spec;

package/dist/packages/validation.js

@@ -19,7 +19,7 @@ src_external_validate_npm_package_name = require_runtime.__toESM(src_external_va
 *   isBlessedPackageName('lodash') // false
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isBlessedPackageName(name) {
 	return typeof name === "string" && (name === "sfw" || name === "socket" || require_primordials_string.StringPrototypeStartsWith(name, "@socketoverride/") || require_primordials_string.StringPrototypeStartsWith(name, "@socketregistry/") || require_primordials_string.StringPrototypeStartsWith(name, "@socketsecurity/"));
 }
@@ -32,7 +32,7 @@ function isBlessedPackageName(name) {
 *   isRegistryFetcherType('git') // false
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isRegistryFetcherType(type) {
 	return type === "alias" || type === "range" || type === "tag" || type === "version";
 }
@@ -45,7 +45,7 @@ function isRegistryFetcherType(type) {
 *   isValidPackageName('.invalid') // false
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isValidPackageName(name) {
 	return (0, src_external_validate_npm_package_name.default)(name).validForOldPackages;
 }

package/dist/paths/_internal.js

@@ -35,9 +35,9 @@ let _url;
 *
 * @private
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getUrl() {
-	if (_url === void 0) _url = /* @__PURE__ */ require("node:url");
+	if (_url === void 0) _url = /*@__PURE__*/ require("node:url");
 	return _url;
 }
 /**
@@ -61,7 +61,7 @@ function getUrl() {
 * @returns {string} The string representation, or empty string for
 *   null/undefined.
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function pathLikeToString(pathLike) {
 	if (pathLike === null || pathLike === void 0) return "";
 	if (typeof pathLike === "string") return pathLike;