@socketsecurity/lib 6.0.7 → 6.0.8

package/dist/git/_internal.js

@@ -2,14 +2,14 @@
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_buffer = require('../primordials/buffer.js');
+const require_primordials_object = require('../primordials/object.js');
+const require_primordials_map_set = require('../primordials/map-set.js');
 const require_primordials_string = require('../primordials/string.js');
 const require_paths_normalize = require('../paths/normalize.js');
 const require_primordials_array = require('../primordials/array.js');
-const require_primordials_map_set = require('../primordials/map-set.js');
 const require_node_path = require('../node/path.js');
 const require_primordials_date = require('../primordials/date.js');
 const require_primordials_json = require('../primordials/json.js');
-const require_primordials_object = require('../primordials/object.js');
 const require_bin_which = require('../bin/which.js');
 const require_ansi_strip = require('../ansi/strip.js');
 const require_process_spawn_child = require('../process/spawn/child.js');

package/dist/git/repo.js

@@ -1,12 +1,10 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_runtime = require('../_virtual/_rolldown/runtime.js');
 const require_primordials_map_set = require('../primordials/map-set.js');
 const require_node_fs = require('../node/fs.js');
 const require_node_path = require('../node/path.js');
-let node_process = require("node:process");
-node_process = require_runtime.__toESM(node_process);
+const require_primordials_process = require('../primordials/process.js');
 
 //#region src/git/repo.ts
 /**
@@ -112,7 +110,7 @@ function getCachedRealpath(pathname) {
 * @returns The resolved real path of `process.cwd()`.
 */
 function getCwd() {
-	return getCachedRealpath(node_process.default.cwd());
+	return getCachedRealpath(require_primordials_process.processCwd());
 }
 
 //#endregion

package/dist/git/staged.js

@@ -44,6 +44,10 @@ const require_git__internal = require('./_internal.js');
 * @returns Promise resolving to array of staged file paths.
 */
 async function getStagedFiles(options) {
+	options = {
+		__proto__: null,
+		...options
+	};
 	const args = require_git__internal.getGitDiffSpawnArgs(options?.cwd).staged;
 	return await require_git__internal.innerDiff(args, options);
 }
@@ -79,6 +83,10 @@ async function getStagedFiles(options) {
 * @returns Array of staged file paths.
 */
 function getStagedFilesSync(options) {
+	options = {
+		__proto__: null,
+		...options
+	};
 	const args = require_git__internal.getGitDiffSpawnArgs(options?.cwd).staged;
 	return require_git__internal.innerDiffSync(args, options);
 }

package/dist/git/tracked.d.ts

@@ -0,0 +1,84 @@
+/**
+ * @file Tracked-status + submodule-membership probes for a working-tree path.
+ *   `isTracked` answers "does git track this exact path?"; `getSubmodulePaths`
+ *   lists the repo's submodule mount points; `isInSubmodule` answers "does this
+ *   path live inside one?"; `isUntrackedNonSubmodulePath` composes them into
+ *   the safe-to-touch condition for cleanup tooling — never delete a tracked
+ *   file or reach into a submodule's own tree (which would dirty it).
+ */
+/**
+ * The repo's submodule mount points as normalized, repo-root-relative paths
+ * (e.g. `vendor/acorn`). Reads `git config` on `.gitmodules`, so it lists
+ * declared submodules whether or not they are initialized — the case a
+ * stderr-message check on `git ls-files` misses.
+ *
+ * @example
+ *   ;```typescript
+ *   await getSubmodulePaths()
+ *   // => ['packages/acorn/upstream/acorn', 'vendor/mbedtls']
+ *   ```
+ */
+export declare function getSubmodulePaths(options?: GitPathOptions | undefined): Promise<string[]>;
+/**
+ * Whether `targetPath` lives inside one of the repo's submodules. Resolves the
+ * submodule list itself; for a batch sweep prefer `getSubmodulePaths` once plus
+ * `pathIsUnderSubmodule` per path.
+ *
+ * @example
+ *   ;```typescript
+ *   await isInSubmodule('vendor/mbedtls/x.py')  // => true
+ *   await isInSubmodule('src/index.ts')         // => false
+ *   ```
+ */
+export declare function isInSubmodule(targetPath: string, options?: GitPathOptions | undefined): Promise<boolean>;
+export interface GitPathOptions {
+    /**
+     * The git working-tree directory the path is resolved against.
+     *
+     * @default process.cwd()
+     */
+    cwd?: string | undefined;
+}
+/**
+ * Whether git tracks `targetPath` exactly. Uses `git ls-files --error-unmatch`,
+ * which exits non-zero for an untracked path. A path inside a submodule, or one
+ * git does not know, returns `false`.
+ *
+ * @example
+ *   ;```typescript
+ *   await isTracked('src/index.ts')        // => true
+ *   await isTracked('.DS_Store')           // => false
+ *   ```
+ */
+export declare function isTracked(targetPath: string, options?: GitPathOptions | undefined): Promise<boolean>;
+/**
+ * Whether `targetPath` is git does NOT track AND does not live inside a
+ * submodule — the safe-to-touch condition for cleanup tooling. A tracked path
+ * is a deliberate file; a submodule-internal path belongs to that submodule's
+ * own git (touching it would dirty the submodule). Composes `isTracked` +
+ * `getSubmodulePaths`/`pathIsUnderSubmodule`. Fails closed — any check error
+ * resolves to `false`.
+ *
+ * For a batch sweep, call `getSubmodulePaths` once and compose `isTracked` +
+ * `pathIsUnderSubmodule` per path to avoid re-reading `.gitmodules` each time.
+ *
+ * @example
+ *   ;```typescript
+ *   await isUntrackedNonSubmodulePath('.DS_Store')        // => true
+ *   await isUntrackedNonSubmodulePath('src/index.ts')     // => false (tracked)
+ *   await isUntrackedNonSubmodulePath('vendor/sub/x.pyc') // => false (submodule)
+ *   ```
+ */
+export declare function isUntrackedNonSubmodulePath(targetPath: string, options?: GitPathOptions | undefined): Promise<boolean>;
+/**
+ * Whether `relativePath` (repo-root-relative) lies at or under any of
+ * `submodulePaths`. Pure — pass the result of `getSubmodulePaths` so the git
+ * read happens once for a whole sweep.
+ *
+ * @example
+ *   ;```typescript
+ *   pathIsUnderSubmodule('vendor/mbedtls/scripts/__pycache__', ['vendor/mbedtls'])
+ *   // => true
+ *   ```
+ */
+export declare function pathIsUnderSubmodule(relativePath: string, submodulePaths: string[]): boolean;

package/dist/git/tracked.js

@@ -0,0 +1,163 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_string = require('../primordials/string.js');
+const require_paths_normalize = require('../paths/normalize.js');
+const require_primordials_array = require('../primordials/array.js');
+const require_node_path = require('../node/path.js');
+const require_process_spawn_child = require('../process/spawn/child.js');
+const require_git_repo = require('./repo.js');
+
+//#region src/git/tracked.ts
+/**
+* @file Tracked-status + submodule-membership probes for a working-tree path.
+*   `isTracked` answers "does git track this exact path?"; `getSubmodulePaths`
+*   lists the repo's submodule mount points; `isInSubmodule` answers "does this
+*   path live inside one?"; `isUntrackedNonSubmodulePath` composes them into
+*   the safe-to-touch condition for cleanup tooling — never delete a tracked
+*   file or reach into a submodule's own tree (which would dirty it).
+*/
+/**
+* The repo's submodule mount points as normalized, repo-root-relative paths
+* (e.g. `vendor/acorn`). Reads `git config` on `.gitmodules`, so it lists
+* declared submodules whether or not they are initialized — the case a
+* stderr-message check on `git ls-files` misses.
+*
+* @example
+*   ;```typescript
+*   await getSubmodulePaths()
+*   // => ['packages/acorn/upstream/acorn', 'vendor/mbedtls']
+*   ```
+*/
+async function getSubmodulePaths(options) {
+	const { cwd = require_git_repo.getCwd() } = {
+		__proto__: null,
+		...options
+	};
+	const lines = require_primordials_string.StringPrototypeSplit(await require_process_spawn_child.spawn("git", [
+		"config",
+		"--file",
+		".gitmodules",
+		"--get-regexp",
+		"path"
+	], {
+		cwd,
+		stdioString: true
+	}).then(
+		/* c8 ignore next - stdioString:true always yields a string stdout; the
+		?? '' is a defensive fallback that never fires on real spawn output. */
+		(result) => String(result?.stdout ?? ""),
+		() => ""
+	), "\n");
+	const paths = [];
+	for (let i = 0, { length } = lines; i < length; i += 1) {
+		const line = require_primordials_string.StringPrototypeTrim(lines[i]);
+		/* c8 ignore start - defensive parse guards: `git config --get-regexp`
+		always emits a `key value` line, so the blank-line and no-space skips
+		and the empty-value branch never fire on real git output. */
+		if (!line) continue;
+		const spaceIdx = line.indexOf(" ");
+		if (spaceIdx === -1) continue;
+		const rel = require_primordials_string.StringPrototypeTrim(line.slice(spaceIdx + 1));
+		if (!rel) continue;
+		/* c8 ignore stop */
+		paths.push(require_paths_normalize.normalizePath(rel));
+	}
+	return paths;
+}
+/**
+* Whether `targetPath` lives inside one of the repo's submodules. Resolves the
+* submodule list itself; for a batch sweep prefer `getSubmodulePaths` once plus
+* `pathIsUnderSubmodule` per path.
+*
+* @example
+*   ;```typescript
+*   await isInSubmodule('vendor/mbedtls/x.py')  // => true
+*   await isInSubmodule('src/index.ts')         // => false
+*   ```
+*/
+async function isInSubmodule(targetPath, options) {
+	const submodulePaths = await getSubmodulePaths(options);
+	if (!submodulePaths.length) return false;
+	return pathIsUnderSubmodule(targetPath, submodulePaths);
+}
+/**
+* Whether git tracks `targetPath` exactly. Uses `git ls-files --error-unmatch`,
+* which exits non-zero for an untracked path. A path inside a submodule, or one
+* git does not know, returns `false`.
+*
+* @example
+*   ;```typescript
+*   await isTracked('src/index.ts')        // => true
+*   await isTracked('.DS_Store')           // => false
+*   ```
+*/
+async function isTracked(targetPath, options) {
+	const { cwd = require_git_repo.getCwd() } = {
+		__proto__: null,
+		...options
+	};
+	return await require_process_spawn_child.spawn("git", [
+		"ls-files",
+		"--error-unmatch",
+		targetPath
+	], {
+		cwd,
+		stdioString: true
+	}).then(() => true, () => false);
+}
+/**
+* Whether `targetPath` is git does NOT track AND does not live inside a
+* submodule — the safe-to-touch condition for cleanup tooling. A tracked path
+* is a deliberate file; a submodule-internal path belongs to that submodule's
+* own git (touching it would dirty the submodule). Composes `isTracked` +
+* `getSubmodulePaths`/`pathIsUnderSubmodule`. Fails closed — any check error
+* resolves to `false`.
+*
+* For a batch sweep, call `getSubmodulePaths` once and compose `isTracked` +
+* `pathIsUnderSubmodule` per path to avoid re-reading `.gitmodules` each time.
+*
+* @example
+*   ;```typescript
+*   await isUntrackedNonSubmodulePath('.DS_Store')        // => true
+*   await isUntrackedNonSubmodulePath('src/index.ts')     // => false (tracked)
+*   await isUntrackedNonSubmodulePath('vendor/sub/x.pyc') // => false (submodule)
+*   ```
+*/
+async function isUntrackedNonSubmodulePath(targetPath, options) {
+	const { cwd = require_git_repo.getCwd() } = {
+		__proto__: null,
+		...options
+	};
+	if (await isTracked(targetPath, { cwd }).catch(() => true)) return false;
+	const submodulePaths = await getSubmodulePaths({ cwd }).catch(() => []);
+	if (submodulePaths.length) {
+		const path = require_node_path.getNodePath();
+		if (pathIsUnderSubmodule(path.relative(cwd, path.resolve(cwd, targetPath)), submodulePaths)) return false;
+	}
+	return true;
+}
+/**
+* Whether `relativePath` (repo-root-relative) lies at or under any of
+* `submodulePaths`. Pure — pass the result of `getSubmodulePaths` so the git
+* read happens once for a whole sweep.
+*
+* @example
+*   ;```typescript
+*   pathIsUnderSubmodule('vendor/mbedtls/scripts/__pycache__', ['vendor/mbedtls'])
+*   // => true
+*   ```
+*/
+function pathIsUnderSubmodule(relativePath, submodulePaths) {
+	const normalized = require_paths_normalize.normalizePath(relativePath);
+	return require_primordials_array.ArrayPrototypeSome(submodulePaths, (sub) => {
+		return normalized === sub || require_primordials_string.StringPrototypeStartsWith(normalized, `${sub}/`) || require_primordials_string.StringPrototypeEndsWith(sub, normalized);
+	});
+}
+
+//#endregion
+exports.getSubmodulePaths = getSubmodulePaths;
+exports.isInSubmodule = isInSubmodule;
+exports.isTracked = isTracked;
+exports.isUntrackedNonSubmodulePath = isUntrackedNonSubmodulePath;
+exports.pathIsUnderSubmodule = pathIsUnderSubmodule;

package/dist/git/unstaged.js

@@ -44,6 +44,10 @@ const require_git__internal = require('./_internal.js');
 * @returns Promise resolving to array of unstaged file paths.
 */
 async function getUnstagedFiles(options) {
+	options = {
+		__proto__: null,
+		...options
+	};
 	const args = require_git__internal.getGitDiffSpawnArgs(options?.cwd).unstaged;
 	return await require_git__internal.innerDiff(args, options);
 }
@@ -79,6 +83,10 @@ async function getUnstagedFiles(options) {
 * @returns Array of unstaged file paths.
 */
 function getUnstagedFilesSync(options) {
+	options = {
+		__proto__: null,
+		...options
+	};
 	const args = require_git__internal.getGitDiffSpawnArgs(options?.cwd).unstaged;
 	return require_git__internal.innerDiffSync(args, options);
 }

package/dist/github/refs-graphql.js

@@ -48,6 +48,10 @@ const require_github_token = require('./token.js');
 *   error.
 */
 async function fetchRefShaViaGraphQL(owner, repo, ref, options) {
+	options = {
+		__proto__: null,
+		...options
+	};
 	const token = options.token || require_github_token.getGitHubToken();
 	const headers = {
 		Accept: "application/vnd.github.v3+json",

package/dist/github/refs-rest.js

@@ -31,6 +31,10 @@ const require_github_refs_graphql = require('./refs-graphql.js');
 * @throws {Error} When ref cannot be resolved after all strategies fail
 */
 async function fetchRefSha(owner, repo, ref, options) {
+	options = {
+		__proto__: null,
+		...options
+	};
 	const fetchOptions = { token: options.token };
 	let sawEmptyBody = false;
 	const note404 = (e) => {

package/dist/github/refs.js

@@ -1,12 +1,7 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_runtime = require('../_virtual/_rolldown/runtime.js');
-const require_github_refs_graphql = require('./refs-graphql.js');
-const require_github_refs_rest = require('./refs-rest.js');
 const require_github_refs_cache = require('./refs-cache.js');
-let node_process = require("node:process");
-node_process = require_runtime.__toESM(node_process);
 
 //#region src/github/refs.ts
 /**
@@ -94,15 +89,25 @@ async function resolveRefToSha(owner, repo, ref, options) {
 		...options
 	};
 	const cacheKey = `${owner}/${repo}@${ref}`;
-	if (node_process.default.env["DISABLE_GITHUB_CACHE"]) return await require_github_refs_rest.fetchRefSha(owner, repo, ref, opts);
-	return await require_github_refs_cache.getGithubCache().getOrFetch(cacheKey, async () => {
-		return await require_github_refs_rest.fetchRefSha(owner, repo, ref, opts);
+	if (process.env["DISABLE_GITHUB_CACHE"]) return await fetchRefSha$1(owner, repo, ref, opts);
+	return await getGithubCache$1().getOrFetch(cacheKey, async () => {
+		return await fetchRefSha$1(owner, repo, ref, opts);
 	});
 }
 
 //#endregion
 exports.clearRefCache = require_github_refs_cache.clearRefCache;
-exports.fetchRefSha = require_github_refs_rest.fetchRefSha;
-exports.fetchRefShaViaGraphQL = require_github_refs_graphql.fetchRefShaViaGraphQL;
+Object.defineProperty(exports, 'fetchRefSha', {
+  enumerable: true,
+  get: function () {
+    return fetchRefSha;
+  }
+});
+Object.defineProperty(exports, 'fetchRefShaViaGraphQL', {
+  enumerable: true,
+  get: function () {
+    return fetchRefShaViaGraphQL;
+  }
+});
 exports.getGithubCache = require_github_refs_cache.getGithubCache;
 exports.resolveRefToSha = resolveRefToSha;

package/dist/globs/_internal.js

@@ -1,10 +1,10 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_map_set = require('../primordials/map-set.js');
 const require_primordials_string = require('../primordials/string.js');
 const require_paths_normalize = require('../paths/normalize.js');
 const require_primordials_array = require('../primordials/array.js');
-const require_primordials_map_set = require('../primordials/map-set.js');
 const require_node_fs = require('../node/fs.js');
 const require_globs_defaults = require('./defaults.js');
 const require_node_fs_promises = require('../node/fs-promises.js');

package/dist/globs/match.js

@@ -1,8 +1,8 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_node_fs = require('../node/fs.js');
 const require_primordials_object = require('../primordials/object.js');
+const require_node_fs = require('../node/fs.js');
 const require_node_fs_promises = require('../node/fs-promises.js');
 const require_globs__internal = require('./_internal.js');
 const require_promises_resolvers = require('../promises/resolvers.js');
@@ -59,6 +59,10 @@ function canUseNodeFsGlob(options) {
 *   ```
 */
 async function glob(patterns, options) {
+	options = {
+		__proto__: null,
+		...options
+	};
 	const normalizedIgnore = require_globs__internal.normalizeIgnorePatterns(options?.ignore);
 	/* c8 ignore start */
 	if (canUseNodeFsGlob(options)) return require_globs__internal.normalizeGlobResults(await require_promises_resolvers.fromAsync(require_node_fs_promises.getNodeFsPromises().glob(patterns, {
@@ -81,6 +85,10 @@ async function glob(patterns, options) {
 *   ```
 */
 function globSync(patterns, options) {
+	options = {
+		__proto__: null,
+		...options
+	};
 	const normalizedIgnore = require_globs__internal.normalizeIgnorePatterns(options?.ignore);
 	/* c8 ignore start */
 	if (canUseNodeFsGlob(options)) return require_globs__internal.normalizeGlobResults([...require_node_fs.getNodeFs().globSync(patterns, {

package/dist/globs/matcher.js

@@ -1,10 +1,10 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_object = require('../primordials/object.js');
 const require_primordials_string = require('../primordials/string.js');
 const require_primordials_array = require('../primordials/array.js');
 const require_primordials_json = require('../primordials/json.js');
-const require_primordials_object = require('../primordials/object.js');
 const require_globs__internal = require('./_internal.js');
 
 //#region src/globs/matcher.ts
@@ -41,6 +41,10 @@ let matchesGlobProbed = false;
 *   ```
 */
 function getGlobMatcher(glob, options) {
+	options = {
+		__proto__: null,
+		...options
+	};
 	const patterns = require_primordials_array.ArrayIsArray(glob) ? glob : [glob];
 	const sortedPatterns = [...patterns].toSorted();
 	const sortedOptions = options ? require_primordials_object.ObjectKeys(options).toSorted().map((k) => {

package/dist/http-request/browser.js

@@ -8,7 +8,7 @@ const require_primordials_array = require('../primordials/array.js');
 const require_primordials_date = require('../primordials/date.js');
 const require_primordials_json = require('../primordials/json.js');
 const require_primordials_promise = require('../primordials/promise.js');
-const require_http_request_browser_fetch = require('./browser-fetch.js');
+const require_http_request_fetch_browser = require('./fetch/browser.js');
 const require_primordials_headers = require('../primordials/headers.js');
 
 //#region src/http-request/browser.ts
@@ -76,6 +76,10 @@ function combineSignals(external, timeoutMs) {
 	};
 }
 async function attempt(url, options) {
+	options = {
+		__proto__: null,
+		...options
+	};
 	const method = options.method ?? "GET";
 	const init = { method };
 	if (options.headers) init.headers = options.headers;
@@ -91,7 +95,7 @@ async function attempt(url, options) {
 		timeout: options.timeout
 	});
 	try {
-		const response = await require_http_request_browser_fetch.doFetch(url, init);
+		const response = await require_http_request_fetch_browser.fetchResponse(url, init);
 		const buffer = await response.arrayBuffer();
 		if (options.maxResponseSize !== void 0 && buffer.byteLength > options.maxResponseSize) throw new require_primordials_error.ErrorCtor(`Response body (${buffer.byteLength} bytes) exceeds maxResponseSize (${options.maxResponseSize})`);
 		const body = new require_primordials_array.Uint8ArrayCtor(buffer);

package/dist/http-request/{browser-fetch.d.ts → fetch/browser.d.ts}

@@ -1,10 +1,10 @@
 /**
  * @file Thin wrapper over the global `fetch()` so tests can mock the network
- *   layer via `vi.mock('@socketsecurity/lib/http-request/browser-fetch')`
+ *   layer via `vi.mock('@socketsecurity/lib/http-request/fetch/browser')`
  *   without monkey-patching `globalThis.fetch` (which conflicts with the
  *   project's nock-based test setup). The wrapper itself is `c8 ignore`-marked
  *   because the body is a single uncoverable fetch call; coverage credit is
  *   preserved by the wider test suite that mocks this module and asserts the
  *   call shape.
  */
-export declare function doFetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
+export declare function fetchResponse(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;

package/dist/http-request/{browser-fetch.js → fetch/browser.js}

@@ -2,10 +2,10 @@
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
-//#region src/http-request/browser-fetch.ts
+//#region src/http-request/fetch/browser.ts
 /**
 * @file Thin wrapper over the global `fetch()` so tests can mock the network
-*   layer via `vi.mock('@socketsecurity/lib/http-request/browser-fetch')`
+*   layer via `vi.mock('@socketsecurity/lib/http-request/fetch/browser')`
 *   without monkey-patching `globalThis.fetch` (which conflicts with the
 *   project's nock-based test setup). The wrapper itself is `c8 ignore`-marked
 *   because the body is a single uncoverable fetch call; coverage credit is
@@ -13,10 +13,10 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 *   call shape.
 */
 /* c8 ignore start - native fetch call; tests mock this module wholesale */
-function doFetch(input, init) {
+function fetchResponse(input, init) {
 	return fetch(input, init);
 }
 /* c8 ignore stop */
 
 //#endregion
-exports.doFetch = doFetch;
+exports.fetchResponse = fetchResponse;

package/dist/http-request/headers.js

@@ -2,9 +2,9 @@
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_number = require('../primordials/number.js');
+const require_primordials_object = require('../primordials/object.js');
 const require_primordials_array = require('../primordials/array.js');
 const require_primordials_date = require('../primordials/date.js');
-const require_primordials_object = require('../primordials/object.js');
 const require_primordials_globals = require('../primordials/globals.js');
 
 //#region src/http-request/headers.ts

package/dist/http-request/request-attempt.js

@@ -3,13 +3,13 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_buffer = require('../primordials/buffer.js');
 const require_primordials_error = require('../primordials/error.js');
+const require_primordials_object = require('../primordials/object.js');
 const require_primordials_date = require('../primordials/date.js');
 const require_primordials_json = require('../primordials/json.js');
-const require_primordials_object = require('../primordials/object.js');
 const require_primordials_promise = require('../primordials/promise.js');
+const require_primordials_url = require('../primordials/url.js');
 const require_node_http = require('../node/http.js');
 const require_node_https = require('../node/https.js');
-const require_primordials_url = require('../primordials/url.js');
 const require_http_request_errors = require('./errors.js');
 const require_http_request_response_reader = require('./response-reader.js');
 const require_http_request_user_agent = require('./user-agent.js');

package/dist/http-request/user-agent.js

@@ -70,7 +70,7 @@ function getSocketCallerUserAgent() {
 		version: require_constants_socket.SOCKET_LIB_VERSION
 	});
 	const caller = require_env_rewire.getEnvValue("SOCKET_CALLER_USER_AGENT");
-	return caller && caller.trim() ? `${cachedBaseUserAgent} ${caller}` : cachedBaseUserAgent;
+	return caller?.trim() ? `${cachedBaseUserAgent} ${caller}` : cachedBaseUserAgent;
 }
 
 //#endregion

package/dist/integrity.d.ts

@@ -60,10 +60,16 @@ export interface ParsedIntegrity {
  * Idempotent on integrity input — call this on user-supplied data without first
  * sniffing the format.
  *
- * The default algorithm is `'sha256'` because that's the fleet's checksum
- * convention; pass an explicit algorithm if you have a hex digest from `sha384`
- * or `sha512` (the function does not verify hex length against the algorithm —
- * caller's responsibility).
+ * The default algorithm is `'sha256'` because this converts a _checksum_, and
+ * checksums are sha256 by fleet convention (the GitHub-SHA256SUMS interop shape
+ * its only caller, `checksum-file.ts`, parses). Do NOT flip this default to
+ * sha512: this function only relabels the hex bytes, it does not re-hash, so a
+ * sha512 label on a 256-bit digest would be a lie. The canonical algorithm for
+ * OUR-side integrity values is sha512 — emitted by `computeHashes` as the
+ * `integrity` (`sha512-<base64>`) field; sha256 is reserved for
+ * upstream-SHASUMS interop and content addressing. Pass an explicit algorithm
+ * if you have a hex digest from `sha384` or `sha512` (the function does not
+ * verify hex length against the algorithm — caller's responsibility).
  *
  * @example
  *   ;```typescript

package/dist/integrity.js

@@ -33,10 +33,16 @@ const CHECKSUM_RE = /^[a-f0-9]{64}$/i;
 * Idempotent on integrity input — call this on user-supplied data without first
 * sniffing the format.
 *
-* The default algorithm is `'sha256'` because that's the fleet's checksum
-* convention; pass an explicit algorithm if you have a hex digest from `sha384`
-* or `sha512` (the function does not verify hex length against the algorithm —
-* caller's responsibility).
+* The default algorithm is `'sha256'` because this converts a _checksum_, and
+* checksums are sha256 by fleet convention (the GitHub-SHA256SUMS interop shape
+* its only caller, `checksum-file.ts`, parses). Do NOT flip this default to
+* sha512: this function only relabels the hex bytes, it does not re-hash, so a
+* sha512 label on a 256-bit digest would be a lie. The canonical algorithm for
+* OUR-side integrity values is sha512 — emitted by `computeHashes` as the
+* `integrity` (`sha512-<base64>`) field; sha256 is reserved for
+* upstream-SHASUMS interop and content addressing. Pass an explicit algorithm
+* if you have a hex digest from `sha384` or `sha512` (the function does not
+* verify hex length against the algorithm — caller's responsibility).
 *
 * @example
 *   ;```typescript