@socketsecurity/lib 6.0.6 → 6.0.7

package/dist/secrets/compare.js

@@ -0,0 +1,61 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_runtime = require('../_virtual/_rolldown/runtime.js');
+let node_crypto = require("node:crypto");
+node_crypto = require_runtime.__toESM(node_crypto);
+
+//#region src/secrets/compare.ts
+/**
+* @file Constant-time secret comparison. Wraps Node's `crypto.timingSafeEqual`
+*   so every secret comparison in the codebase runs through one helper that
+*   refuses to short-circuit on the first mismatched byte. Why this matters:
+*
+*   - `===` / `!==` on JS strings short-circuits at the first byte mismatch. An
+*     attacker who can measure server response time can binary-search the
+*     secret one byte at a time: `'a000...'`, `'b000...'`, … until the response
+*     slows down at the right first byte, then on to byte 2. Same trap for
+*     `Buffer.compare` and `==`.
+*   - `crypto.timingSafeEqual` runs in O(n) regardless of where the first
+*     mismatch is. Each iteration is the same cost so the timing channel
+*     carries no information about which byte mismatched. Use whenever
+*     comparing two values that include a secret (session token, API key, MAC,
+*     expected-hash). Don't use for path strings or other non-secret
+*     comparisons — `===` is fine there and faster. Patterned after pilcrow's
+*     `crypto.go::constantTimeCompare`, the canonical shape in
+*     passwordless-example.auth.pilcrowonpaper.com — wrap once, use everywhere,
+*     never byte-compare a secret directly.
+*/
+/**
+* Compare two secrets in constant time. Returns `true` when the inputs are
+* byte-equal. Returns `false` when they differ **or** when the byte-lengths
+* differ. Never throws.
+*
+* Length mismatch handling: `timingSafeEqual` itself throws on length mismatch
+* (it can't preserve the timing-safety contract across differently- sized
+* buffers). We catch that and return `false` so callers don't need a length
+* pre-check.
+*
+* @example
+*   ;```typescript
+*   import { compareSecrets } from '@socketsecurity/lib/secrets/compare'
+*
+*   if (!compareSecrets(presentedToken, storedToken)) {
+*     throw new Error('invalid token')
+*   }
+*   ```
+*
+* @param a - First secret (string or Buffer).
+* @param b - Second secret (string or Buffer).
+*
+* @returns `true` when `a` and `b` are byte-equal; `false` otherwise.
+*/
+function compareSecrets(a, b) {
+	const ab = typeof a === "string" ? Buffer.from(a, "utf8") : a;
+	const bb = typeof b === "string" ? Buffer.from(b, "utf8") : b;
+	if (ab.length !== bb.length) return false;
+	return node_crypto.default.timingSafeEqual(ab, bb);
+}
+
+//#endregion
+exports.compareSecrets = compareSecrets;

package/dist/secrets/keychain.js

@@ -1,12 +1,14 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_runtime = require('../_virtual/_rolldown/runtime.js');
 const require_primordials_error = require('../primordials/error.js');
 const require_secrets__internal = require('./_internal.js');
 const require_secrets_macos = require('./macos.js');
 const require_secrets_linux = require('./linux.js');
 const require_secrets_windows = require('./windows.js');
 let node_os = require("node:os");
+node_os = require_runtime.__toESM(node_os);
 
 //#region src/secrets/keychain.ts
 /**
@@ -118,7 +120,7 @@ function deleteSecretSync({ service, account }) {
 * @internal
 */
 function detectPlatform() {
-	const p = (0, node_os.platform)();
+	const p = node_os.default.platform();
 	if (p === "darwin" || p === "linux" || p === "win32") return p;
 	return "other";
 }
@@ -150,7 +152,7 @@ function getBackendAvailability() {
 		default: return {
 			available: false,
 			toolName: "n/a",
-			installHint: `Platform ${(0, node_os.platform)()} is not supported.`
+			installHint: `Platform ${node_os.default.platform()} is not supported.`
 		};
 	}
 }
@@ -231,7 +233,7 @@ function readSecretSync({ service, account }) {
 async function writeSecret({ service, account, value, label }) {
 	if (!value || typeof value !== "string") throw new require_primordials_error.TypeErrorCtor("writeSecret: value must be a non-empty string");
 	const platform_ = detectPlatform();
-	if (platform_ === "other") throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${(0, node_os.platform)()}. Secret storage requires macOS, Linux, or Windows.`);
+	if (platform_ === "other") throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${node_os.default.platform()}. Secret storage requires macOS, Linux, or Windows.`);
 	if (await readSecret({
 		service,
 		account
@@ -254,7 +256,7 @@ async function writeSecret({ service, account, value, label }) {
 function writeSecretSync({ service, account, value, label }) {
 	if (!value || typeof value !== "string") throw new require_primordials_error.TypeErrorCtor("writeSecret: value must be a non-empty string");
 	const platform_ = detectPlatform();
-	if (platform_ === "other") throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${(0, node_os.platform)()}. Secret storage requires macOS, Linux, or Windows.`);
+	if (platform_ === "other") throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${node_os.default.platform()}. Secret storage requires macOS, Linux, or Windows.`);
 	if (readSecretSync({
 		service,
 		account

package/dist/secrets/linux.js

@@ -3,7 +3,7 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_error = require('../primordials/error.js');
 const require_primordials_promise = require('../primordials/promise.js');
-let node_child_process = require("node:child_process");
+let _socketsecurity_lib_stable_process_spawn_child = require("@socketsecurity/lib-stable/process/spawn/child");
 
 //#region src/secrets/linux.ts
 /**
@@ -22,19 +22,19 @@ let node_child_process = require("node:child_process");
 const SECRET_TOOL_BIN = "secret-tool";
 async function deleteLinux(service, account) {
 	return new require_primordials_promise.PromiseCtor((resolve) => {
-		const child = (0, node_child_process.spawn)(SECRET_TOOL_BIN, [
+		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
 			"clear",
 			"service",
 			service,
 			"user",
 			account
 		], { stdio: "ignore" });
-		child.on("error", () => resolve("absent"));
-		child.on("close", (status) => resolve(status === 0 ? "removed" : "absent"));
+		cp.on("error", () => resolve("absent"));
+		cp.on("close", (status) => resolve(status === 0 ? "removed" : "absent"));
 	});
 }
 function deleteLinuxSync(service, account) {
-	return (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, [
+	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
 		"clear",
 		"service",
 		service,
@@ -43,11 +43,11 @@ function deleteLinuxSync(service, account) {
 	], { stdio: "ignore" }).status === 0 ? "removed" : "absent";
 }
 function isLinuxBackendAvailable() {
-	return (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, ["--version"], { stdio: "ignore" }).status === 0;
+	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, ["--version"], { stdio: "ignore" }).status === 0;
 }
 async function readLinux(service, account) {
 	return new require_primordials_promise.PromiseCtor((resolve) => {
-		const child = (0, node_child_process.spawn)(SECRET_TOOL_BIN, [
+		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
 			"lookup",
 			"service",
 			service,
@@ -59,12 +59,12 @@ async function readLinux(service, account) {
 			"pipe"
 		] });
 		let stdout = "";
-		child.stdout.setEncoding("utf8");
-		child.stdout.on("data", (chunk) => {
+		cp.stdout.setEncoding("utf8");
+		cp.stdout.on("data", (chunk) => {
 			stdout += chunk;
 		});
-		child.on("error", () => resolve(void 0));
-		child.on("close", (status) => {
+		cp.on("error", () => resolve(void 0));
+		cp.on("close", (status) => {
 			if (status !== 0) {
 				resolve(void 0);
 				return;
@@ -74,7 +74,7 @@ async function readLinux(service, account) {
 	});
 }
 function readLinuxSync(service, account) {
-	const r = (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
 		"lookup",
 		"service",
 		service,
@@ -93,7 +93,7 @@ function readLinuxSync(service, account) {
 }
 async function writeLinux(service, account, value, label) {
 	return new require_primordials_promise.PromiseCtor((resolve, reject) => {
-		const child = (0, node_child_process.spawn)(SECRET_TOOL_BIN, [
+		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
 			"store",
 			`--label=${label}`,
 			"service",
@@ -106,23 +106,23 @@ async function writeLinux(service, account, value, label) {
 			"pipe"
 		] });
 		let stderr = "";
-		child.stderr.setEncoding("utf8");
-		child.stderr.on("data", (chunk) => {
+		cp.stderr.setEncoding("utf8");
+		cp.stderr.on("data", (chunk) => {
 			stderr += chunk;
 		});
-		child.on("error", (err) => reject(/* @__PURE__ */ new Error(`secret-tool store failed: ${err.message}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`)));
-		child.on("close", (status) => {
+		cp.on("error", (err) => reject(/* @__PURE__ */ new Error(`secret-tool store failed: ${err.message}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`)));
+		cp.on("close", (status) => {
 			if (status === 0) {
 				resolve();
 				return;
 			}
 			reject(/* @__PURE__ */ new Error(`secret-tool store failed (status=${status}, user=${account}): ${stderr.trim()}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`));
 		});
-		child.stdin.end(value);
+		cp.stdin.end(value);
 	});
 }
 function writeLinuxSync(service, account, value, label) {
-	const r = (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
 		"store",
 		`--label=${label}`,
 		"service",

package/dist/secrets/macos.d.ts

@@ -24,7 +24,7 @@ export declare function isMacOSBackendAvailable(): boolean;
 export declare function readMacOS(service: string, account: string): Promise<string | undefined>;
 export declare function readMacOSSync(service: string, account: string): string | undefined;
 interface SpawnOpts {
-    stdio?: 'ignore' | 'pipe' | ['ignore', 'pipe', 'pipe'];
+    stdio?: 'ignore' | 'pipe' | ['ignore', 'pipe', 'pipe'] | undefined;
 }
 export declare function runAsync(args: readonly string[], opts?: SpawnOpts): Promise<{
     status: number | null;

package/dist/secrets/macos.js

@@ -3,7 +3,7 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_error = require('../primordials/error.js');
 const require_primordials_promise = require('../primordials/promise.js');
-let node_child_process = require("node:child_process");
+let _socketsecurity_lib_stable_process_spawn_child = require("@socketsecurity/lib-stable/process/spawn/child");
 
 //#region src/secrets/macos.ts
 /**
@@ -37,7 +37,7 @@ async function deleteMacOS(service, account) {
 	], { stdio: "ignore" })).status === 0 ? "removed" : "absent";
 }
 function deleteMacOSSync(service, account) {
-	return (0, node_child_process.spawnSync)(SECURITY_BIN, [
+	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECURITY_BIN, [
 		"delete-generic-password",
 		"-s",
 		service,
@@ -61,7 +61,7 @@ async function readMacOS(service, account) {
 	return r.stdout.trim() || void 0;
 }
 function readMacOSSync(service, account) {
-	const r = (0, node_child_process.spawnSync)(SECURITY_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECURITY_BIN, [
 		"find-generic-password",
 		"-s",
 		service,
@@ -81,31 +81,31 @@ function readMacOSSync(service, account) {
 }
 function runAsync(args, opts = {}) {
 	return new require_primordials_promise.PromiseCtor((resolve) => {
-		const child = (0, node_child_process.spawn)(SECURITY_BIN, args, { stdio: opts.stdio ?? [
+		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECURITY_BIN, args, { stdio: opts.stdio ?? [
 			"ignore",
 			"pipe",
 			"pipe"
 		] });
 		let stdout = "";
 		let stderr = "";
-		if (child.stdout) {
-			child.stdout.setEncoding("utf8");
-			child.stdout.on("data", (chunk) => {
+		if (cp.stdout) {
+			cp.stdout.setEncoding("utf8");
+			cp.stdout.on("data", (chunk) => {
 				stdout += chunk;
 			});
 		}
-		if (child.stderr) {
-			child.stderr.setEncoding("utf8");
-			child.stderr.on("data", (chunk) => {
+		if (cp.stderr) {
+			cp.stderr.setEncoding("utf8");
+			cp.stderr.on("data", (chunk) => {
 				stderr += chunk;
 			});
 		}
-		child.on("error", () => resolve({
+		cp.on("error", () => resolve({
 			status: -1,
 			stdout,
 			stderr
 		}));
-		child.on("close", (status) => resolve({
+		cp.on("close", (status) => resolve({
 			status,
 			stdout,
 			stderr
@@ -133,7 +133,7 @@ async function writeMacOS(service, account, value, label) {
 	if (r.status !== 0) throw new require_primordials_error.ErrorCtor(`security(1) add-generic-password failed (status=${r.status}, account=${account}): ${r.stderr.trim()}`);
 }
 function writeMacOSSync(service, account, value, label) {
-	const r = (0, node_child_process.spawnSync)(SECURITY_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECURITY_BIN, [
 		"add-generic-password",
 		"-U",
 		"-A",

package/dist/secrets/rc.d.ts

@@ -67,7 +67,7 @@ export interface WriteOptions {
      * "Rotate via: my-installer --rotate"). Each entry is prefixed with `# `
      * automatically.
      */
-    notes?: readonly string[];
+    notes?: readonly string[] | undefined;
     /**
      * Legacy sentinel BEGIN strings to sweep before writing the new block. Used
      * during a rename/migration so an older managed block is removed rather than
@@ -75,7 +75,7 @@ export interface WriteOptions {
      * tolerates any line endings up to the matching END (same prefix with `END`
      * replacing `BEGIN`).
      */
-    legacySentinels?: readonly string[];
+    legacySentinels?: readonly string[] | undefined;
     /**
      * Override the auto-detected shell. By default the helper reads `$SHELL` and
      * targets the matching rc file:

package/dist/secrets/rc.js

@@ -10,6 +10,7 @@ let node_fs = require("node:fs");
 let node_path = require("node:path");
 node_path = require_runtime.__toESM(node_path);
 let node_os = require("node:os");
+node_os = require_runtime.__toESM(node_os);
 let node_process = require("node:process");
 node_process = require_runtime.__toESM(node_process);
 
@@ -72,13 +73,14 @@ function buildBlock(opts) {
 * no block was present.
 */
 function clear(service, legacySentinels = []) {
-	if ((0, node_os.platform)() !== "darwin") return false;
+	if (node_os.default.platform() !== "darwin") return false;
 	const rcPath = pickRcFile();
 	if (!rcPath || !(0, node_fs.existsSync)(rcPath)) return false;
 	let existing = (0, node_fs.readFileSync)(rcPath, "utf8");
 	let removedAny = false;
 	const sentinelsToStrip = [`# BEGIN ${service} env (managed)`, ...legacySentinels];
-	for (const begin of sentinelsToStrip) {
+	for (let i = 0, { length } = sentinelsToStrip; i < length; i += 1) {
+		const begin = sentinelsToStrip[i];
 		const end = begin.replace(/\bBEGIN\b/, "END");
 		const endStripped = end.replace(/\s*\(managed\)\s*$/, "");
 		const endAlt = end === endStripped ? escapeRegExp(end) : `(?:${escapeRegExp(end)}|${escapeRegExp(endStripped)})`;
@@ -96,7 +98,7 @@ function escapeRegExp(s) {
 	return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function pickRcFile(shellOverride) {
-	const home = /* @__PURE__ */ require_env_home.getHome();
+	const home = require_env_home.getHome();
 	if (!home) return;
 	const shellPath = node_process.default.env["SHELL"] ?? "";
 	const shell = shellOverride ?? (require_primordials_string.StringPrototypeEndsWith(shellPath, "zsh") ? "zsh" : require_primordials_string.StringPrototypeEndsWith(shellPath, "bash") ? "bash" : require_primordials_string.StringPrototypeEndsWith(shellPath, "fish") ? "fish" : void 0);
@@ -133,7 +135,7 @@ function shellSingleQuote(value) {
 * dotfile-manager users or installers running under a non-default shell.
 */
 function write(opts) {
-	if ((0, node_os.platform)() !== "darwin") return {
+	if (node_os.default.platform() !== "darwin") return {
 		rcPath: void 0,
 		outcome: "skipped",
 		reason: "unsupported-platform"

package/dist/secrets/socket-api-token.d.ts

@@ -2,10 +2,10 @@
  * @file Convenience helper for reading the Socket API token from the canonical
  *   env → keychain precedence order. Centralizes two constants every fleet
  *   consumer would otherwise hard-code: the keychain service name
- *   (`socket-cli`) and the env-var + account fallback list (`SOCKET_API_TOKEN`
- *   canonical, `SOCKET_API_KEY` legacy alias). Consumers like firewall and
- *   wheelhouse hooks call `readSocketApiToken()` instead of redoing the
- *   `resolve({ service, accounts })` boilerplate.
+ *   (`socketsecurity`) and the env-var + account fallback list
+ *   (`SOCKET_API_TOKEN` canonical, `SOCKET_API_KEY` legacy alias). Consumers
+ *   like firewall and wheelhouse hooks call `readSocketApiToken()` instead of
+ *   redoing the `resolve({ service, accounts })` boilerplate.
  */
 export interface ReadSocketApiTokenOptions {
     /**

package/dist/secrets/socket-api-token.js

@@ -8,26 +8,35 @@ const require_secrets_find = require('./find.js');
 * @file Convenience helper for reading the Socket API token from the canonical
 *   env → keychain precedence order. Centralizes two constants every fleet
 *   consumer would otherwise hard-code: the keychain service name
-*   (`socket-cli`) and the env-var + account fallback list (`SOCKET_API_TOKEN`
-*   canonical, `SOCKET_API_KEY` legacy alias). Consumers like firewall and
-*   wheelhouse hooks call `readSocketApiToken()` instead of redoing the
-*   `resolve({ service, accounts })` boilerplate.
+*   (`socketsecurity`) and the env-var + account fallback list
+*   (`SOCKET_API_TOKEN` canonical, `SOCKET_API_KEY` legacy alias). Consumers
+*   like firewall and wheelhouse hooks call `readSocketApiToken()` instead of
+*   redoing the `resolve({ service, accounts })` boilerplate.
 */
-const SOCKET_CLI_SERVICE = "socket-cli";
+const SOCKET_SERVICE = "socketsecurity";
+const SOCKET_SERVICE_LEGACY = "socket-cli";
 const TOKEN_ACCOUNTS = ["SOCKET_API_TOKEN", "SOCKET_API_KEY"];
 async function readSocketApiToken(options) {
 	return (await require_secrets_find.resolve({
-		service: SOCKET_CLI_SERVICE,
+		service: SOCKET_SERVICE,
+		accounts: TOKEN_ACCOUNTS,
+		allowEnvOnly: options?.allowEnvOnly
+	}) ?? await require_secrets_find.resolve({
+		service: SOCKET_SERVICE_LEGACY,
 		accounts: TOKEN_ACCOUNTS,
 		allowEnvOnly: options?.allowEnvOnly
 	}))?.value;
 }
 function readSocketApiTokenSync(options) {
-	return require_secrets_find.resolveSync({
-		service: SOCKET_CLI_SERVICE,
+	return (require_secrets_find.resolveSync({
+		service: SOCKET_SERVICE,
 		accounts: TOKEN_ACCOUNTS,
 		allowEnvOnly: options?.allowEnvOnly
-	})?.value;
+	}) ?? require_secrets_find.resolveSync({
+		service: SOCKET_SERVICE_LEGACY,
+		accounts: TOKEN_ACCOUNTS,
+		allowEnvOnly: options?.allowEnvOnly
+	}))?.value;
 }
 
 //#endregion

package/dist/secrets/windows.js

@@ -9,9 +9,10 @@ let node_fs = require("node:fs");
 let node_path = require("node:path");
 node_path = require_runtime.__toESM(node_path);
 let node_os = require("node:os");
+node_os = require_runtime.__toESM(node_os);
 let node_process = require("node:process");
 node_process = require_runtime.__toESM(node_process);
-let node_child_process = require("node:child_process");
+let _socketsecurity_lib_stable_process_spawn_child = require("@socketsecurity/lib-stable/process/spawn/child");
 
 //#region src/secrets/windows.ts
 /**
@@ -66,11 +67,11 @@ function deleteWindowsSync(service, account) {
 function getDpapiFilePath(service, account) {
 	validateKeychainComponent(service, "service");
 	validateKeychainComponent(account, "account");
-	const appData = node_process.default.env["APPDATA"] ?? node_path.default.join((0, node_os.homedir)(), "AppData", "Roaming");
+	const appData = node_process.default.env["APPDATA"] ?? node_path.default.join(node_os.default.homedir(), "AppData", "Roaming");
 	return node_path.default.join(appData, service, `${account}.enc`);
 }
 function isWindowsBackendAvailable() {
-	return (0, node_child_process.spawnSync)(POWERSHELL_BIN, [
+	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(POWERSHELL_BIN, [
 		"-NoProfile",
 		"-Command",
 		"exit 0"
@@ -129,7 +130,7 @@ function readWindowsSync(service, account) {
 }
 function runPsAsync(script, input) {
 	return new require_primordials_promise.PromiseCtor((resolve) => {
-		const child = (0, node_child_process.spawn)(POWERSHELL_BIN, [
+		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(POWERSHELL_BIN, [
 			"-NoProfile",
 			"-Command",
 			script
@@ -140,30 +141,30 @@ function runPsAsync(script, input) {
 		] });
 		let stdout = "";
 		let stderr = "";
-		child.stdout.setEncoding("utf8");
-		child.stdout.on("data", (chunk) => {
+		cp.stdout.setEncoding("utf8");
+		cp.stdout.on("data", (chunk) => {
 			stdout += chunk;
 		});
-		child.stderr.setEncoding("utf8");
-		child.stderr.on("data", (chunk) => {
+		cp.stderr.setEncoding("utf8");
+		cp.stderr.on("data", (chunk) => {
 			stderr += chunk;
 		});
-		child.on("error", () => resolve({
+		cp.on("error", () => resolve({
 			status: -1,
 			stdout,
 			stderr
 		}));
-		child.on("close", (status) => resolve({
+		cp.on("close", (status) => resolve({
 			status,
 			stdout,
 			stderr
 		}));
-		if (input !== void 0) child.stdin.end(input);
-		else child.stdin.end();
+		if (input !== void 0) cp.stdin.end(input);
+		else cp.stdin.end();
 	});
 }
 function runPsSync(script, input) {
-	const r = (0, node_child_process.spawnSync)(POWERSHELL_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(POWERSHELL_BIN, [
 		"-NoProfile",
 		"-Command",
 		script

package/dist/shadow/skip.js

@@ -38,9 +38,9 @@ function shouldSkipShadow(binPath, options) {
 	if (win32 && binPath) return true;
 	const userAgent = node_process.default.env["npm_config_user_agent"];
 	if (userAgent?.includes("exec") || userAgent?.includes("npx") || userAgent?.includes("dlx")) return true;
-	const normalizedCwd = /* @__PURE__ */ require_paths_normalize.normalizePath(cwd);
+	const normalizedCwd = require_paths_normalize.normalizePath(cwd);
 	const npmCache = node_process.default.env["npm_config_cache"];
-	if (npmCache && normalizedCwd.includes(/* @__PURE__ */ require_paths_normalize.normalizePath(npmCache))) return true;
+	if (npmCache && normalizedCwd.includes(require_paths_normalize.normalizePath(npmCache))) return true;
 	return [
 		"_npx",
 		".pnpm-store",

package/dist/smol/detect.js

@@ -27,26 +27,25 @@ const require_node_module = require('../node/module.js');
 /**
 * Cached smol-binary detection result.
 */
-let _isSmol;
+let isSmolCache;
 /**
 * Cached `node:smol-util` binding. `null` = probed and unavailable; `undefined`
 * = not yet probed. JS truthiness collapses both to "no binding" at the call
 * site.
 */
-let _smolUtil;
-let _smolUtilProbed = false;
+let smolUtilCache;
+let smolUtilProbed = false;
 /**
 * Returns `node:smol-util` when running on the smol Node binary, otherwise
 * `undefined`. Result is cached across calls.
 */
-/*@__NO_SIDE_EFFECTS__*/
 function getSmolUtil() {
-	if (!_smolUtilProbed) {
-		_smolUtilProbed = true;
+	if (!smolUtilProbed) {
+		smolUtilProbed = true;
 		/* c8 ignore start - smol Node binary only. */
-		if (/* @__PURE__ */ require_node_module.isNodeBuiltin("node:smol-util")) _smolUtil = require("node:smol-util");
+		if (require_node_module.isNodeBuiltin("node:smol-util")) smolUtilCache = require("node:smol-util");
 	}
-	return _smolUtil;
+	return smolUtilCache;
 }
 /**
 * Detect if the current process is running on socket-btm's smol Node binary.
@@ -66,8 +65,8 @@ function getSmolUtil() {
 *   ```
 */
 function isSmol() {
-	if (_isSmol === void 0) _isSmol = /* @__PURE__ */ require_node_module.isNodeBuiltin("node:smol-util");
-	return _isSmol;
+	if (isSmolCache === void 0) isSmolCache = require_node_module.isNodeBuiltin("node:smol-util");
+	return isSmolCache;
 }
 
 //#endregion

package/dist/smol/http.js

@@ -18,20 +18,19 @@ const require_node_module = require('../node/module.js');
 *   `httpText` exports, which already route through this when smol
 *   is present.
 */
-let _smolHttp;
-let _smolHttpProbed = false;
+let smolHttpBinding;
+let smolHttpProbed = false;
 /**
 * Returns `node:smol-http` when running on the smol Node binary, otherwise
 * `undefined`. Result is cached across calls.
 */
-/*@__NO_SIDE_EFFECTS__*/
 function getSmolHttp() {
-	if (!_smolHttpProbed) {
-		_smolHttpProbed = true;
+	if (!smolHttpProbed) {
+		smolHttpProbed = true;
 		/* c8 ignore start - smol Node binary only. */
-		if (/* @__PURE__ */ require_node_module.isNodeBuiltin("node:smol-http")) _smolHttp = require("node:smol-http");
+		if (require_node_module.isNodeBuiltin("node:smol-http")) smolHttpBinding = require("node:smol-http");
 	}
-	return _smolHttp;
+	return smolHttpBinding;
 }
 
 //#endregion

package/dist/smol/https.js

@@ -16,20 +16,19 @@ const require_node_module = require('../node/module.js');
 *   callers should use the standard server-side helpers, which
 *   route through this when smol is present.
 */
-let _smolHttps;
-let _smolHttpsProbed = false;
+let smolHttps;
+let smolHttpsProbed = false;
 /**
 * Returns `node:smol-https` when running on the smol Node binary, otherwise
 * `undefined`. Result is cached across calls.
 */
-/*@__NO_SIDE_EFFECTS__*/
 function getSmolHttps() {
-	if (!_smolHttpsProbed) {
-		_smolHttpsProbed = true;
+	if (!smolHttpsProbed) {
+		smolHttpsProbed = true;
 		/* c8 ignore start - smol Node binary only. */
-		if (/* @__PURE__ */ require_node_module.isNodeBuiltin("node:smol-https")) _smolHttps = require("node:smol-https");
+		if (require_node_module.isNodeBuiltin("node:smol-https")) smolHttps = require("node:smol-https");
 	}
-	return _smolHttps;
+	return smolHttps;
 }
 
 //#endregion

package/dist/smol/manifest.d.ts

@@ -83,7 +83,7 @@ export interface ParsedLockfile {
 export interface FormatDescriptor {
     readonly ecosystem: EcosystemString;
     readonly type: 'manifest' | 'lockfile';
-    readonly format?: 'npm' | 'yarn' | 'pnpm' | 'composer' | 'cargo';
+    readonly format?: 'npm' | 'yarn' | 'pnpm' | 'composer' | 'cargo' | undefined;
 }
 /**
  * Supported-files index returned by `supportedFiles`.