@socketsecurity/lib 6.0.8 → 6.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +28 -0
- package/README.md +8 -9
- package/dist/abort/signal.d.ts +1 -1
- package/dist/abort/signal.js +1 -1
- package/dist/ai/agent-context.d.mts +1 -1
- package/dist/ai/agent-context.js +3 -2
- package/dist/ai/backends.d.mts +3 -3
- package/dist/ai/backends.js +2 -2
- package/dist/ai/billing-context.d.mts +74 -0
- package/dist/ai/billing-context.js +129 -0
- package/dist/ai/credentials.d.mts +39 -5
- package/dist/ai/credentials.js +61 -6
- package/dist/ai/discover.d.mts +4 -0
- package/dist/ai/discover.js +4 -0
- package/dist/ai/exec.d.mts +1 -1
- package/dist/ai/exec.js +1 -1
- package/dist/ai/http.d.mts +8 -8
- package/dist/ai/http.js +6 -6
- package/dist/ai/profiles.d.mts +9 -10
- package/dist/ai/profiles.js +0 -5
- package/dist/ai/role.d.mts +58 -0
- package/dist/ai/role.js +96 -0
- package/dist/ai/route-heuristic.d.mts +177 -0
- package/dist/ai/route-heuristic.js +194 -0
- package/dist/ai/route.d.mts +31 -17
- package/dist/ai/route.js +35 -19
- package/dist/ai/spawn.d.mts +34 -1
- package/dist/ai/spawn.js +115 -3
- package/dist/ai/subagent-status.d.mts +2 -0
- package/dist/ai/subagent-status.js +2 -0
- package/dist/ai/tier.d.mts +1 -1
- package/dist/ai/types.d.mts +19 -2
- package/dist/ai/worktree.d.mts +1 -1
- package/dist/ai/worktree.js +3 -2
- package/dist/argv/parse.d.ts +2 -0
- package/dist/argv/parse.js +2 -0
- package/dist/bin/_internal.d.ts +1 -1
- package/dist/bin/_internal.js +1 -1
- package/dist/bin/prim.cjs +19253 -13937
- package/dist/bin/resolve.js +1 -1
- package/dist/bin/shadow.js +2 -1
- package/dist/bin/which.d.ts +28 -3
- package/dist/bin/which.js +45 -3
- package/dist/cacache/_internal.d.ts +10 -2
- package/dist/cacache/_internal.js +6 -10
- package/dist/cache/ttl/_internal.d.ts +33 -0
- package/dist/cache/ttl/_internal.js +68 -0
- package/dist/cache/ttl/browser.d.ts +56 -0
- package/dist/cache/ttl/browser.js +257 -0
- package/dist/cache/ttl/store.js +11 -34
- package/dist/cache/ttl/types.d.ts +46 -3
- package/dist/checks/primordials-defaults.d.ts +5 -5
- package/dist/checks/primordials-defaults.js +5 -5
- package/dist/checks/primordials.d.ts +1 -1
- package/dist/checks/primordials.js +25 -17
- package/dist/cli/check-primordials.d.ts +6 -1
- package/dist/cli/check-primordials.js +14 -5
- package/dist/cli/check.js +1 -1
- package/dist/cli/socket-lib.d.ts +1 -1
- package/dist/cli/socket-lib.js +3 -3
- package/dist/colors/socket-palette.d.ts +1 -1
- package/dist/compression/brotli.d.ts +6 -2
- package/dist/compression/brotli.js +5 -1
- package/dist/compression/gzip.d.ts +6 -2
- package/dist/compression/gzip.js +7 -2
- package/dist/config/layers.d.ts +53 -0
- package/dist/config/layers.js +83 -0
- package/dist/constants/agents.d.ts +3 -0
- package/dist/constants/agents.js +3 -0
- package/dist/constants/node.d.ts +14 -0
- package/dist/constants/node.js +14 -0
- package/dist/constants/package-default-node-range.js +1 -5
- package/dist/constants/packages.d.ts +5 -0
- package/dist/constants/packages.js +5 -0
- package/dist/constants/platform.d.ts +1 -1
- package/dist/constants/platform.js +1 -1
- package/dist/constants/socket.js +1 -1
- package/dist/constants/typescript.d.ts +5 -0
- package/dist/constants/typescript.js +5 -0
- package/dist/debug/_internal.d.ts +22 -7
- package/dist/debug/_internal.js +33 -15
- package/dist/debug/caller-info.js +1 -1
- package/dist/debug/namespace.js +11 -8
- package/dist/debug/output.d.ts +12 -1
- package/dist/debug/output.js +33 -16
- package/dist/dlx/binary-cache.js +1 -1
- package/dist/dlx/binary-resolution.js +8 -5
- package/dist/dlx/firewall.js +1 -1
- package/dist/dlx/lockfile.js +1 -1
- package/dist/eco/npm/npm/parse-lockfile.js +3 -2
- package/dist/eco/npm/vlt/exec.d.ts +1 -1
- package/dist/eco/npm/vlt/exec.js +1 -1
- package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +1 -1
- package/dist/env/agents.d.ts +6 -0
- package/dist/env/agents.js +29 -0
- package/dist/env/flags.d.ts +12 -0
- package/dist/env/flags.js +23 -0
- package/dist/env/github-status.js +2 -2
- package/dist/env/providers.d.ts +6 -0
- package/dist/env/providers.js +23 -0
- package/dist/env/proxy.js +1 -1
- package/dist/env/rewire.d.ts +37 -3
- package/dist/env/rewire.js +60 -29
- package/dist/env/runtimes.d.ts +9 -0
- package/dist/env/runtimes.js +53 -0
- package/dist/env/socket-cli.d.ts +5 -2
- package/dist/env/socket-cli.js +6 -3
- package/dist/env/xdg.d.ts +17 -0
- package/dist/env/xdg.js +21 -1
- package/dist/errors/predicates.d.ts +3 -2
- package/dist/errors/predicates.js +5 -3
- package/dist/events/exit/_internal.d.ts +1 -23
- package/dist/external/@npmcli/package-json.js +3570 -4905
- package/dist/external/@npmcli/promise-spawn.js +2 -2
- package/dist/external/@sinclair/typebox/value.js +5 -4
- package/dist/external/@socketregistry/yocto-spinner.js +3 -3
- package/dist/external/@yarnpkg/extensions.js +1 -1
- package/dist/external/adm-zip.d.ts +82 -0
- package/dist/external/adm-zip.js +2 -2
- package/dist/external/cacache.d.ts +87 -0
- package/dist/external/debug.d.ts +22 -0
- package/dist/external/debug.js +11 -4
- package/dist/external/del.d.ts +1 -0
- package/dist/external/external-pack.d.ts +12 -0
- package/dist/external/external-pack.js +42 -35
- package/dist/external/fast-glob.d.ts +8 -0
- package/dist/external/fast-sort.d.ts +1 -0
- package/dist/external/get-east-asian-width.d.ts +5 -0
- package/dist/external/get-east-asian-width.js +8 -1
- package/dist/external/has-flag.d.ts +1 -0
- package/dist/external/inquirer-pack.d.ts +18 -0
- package/dist/external/libnpmexec.d.ts +35 -0
- package/dist/external/libnpmpack.d.ts +1 -0
- package/dist/external/make-fetch-happen.d.ts +13 -0
- package/dist/external/normalize-package-data.d.ts +4 -0
- package/dist/external/npm-core.d.ts +14 -0
- package/dist/external/npm-pack.d.ts +24 -0
- package/dist/external/npm-pack.js +28934 -31885
- package/dist/external/npm-package-arg.d.ts +4 -0
- package/dist/external/p-map.js +8 -1
- package/dist/external/pacote.d.ts +15 -0
- package/dist/external/pico-pack.d.ts +16 -0
- package/dist/external/pico-pack.js +38 -23
- package/dist/external/picomatch.d.ts +96 -0
- package/dist/external/pony-cause.d.ts +14 -0
- package/dist/external/semver.d.ts +60 -0
- package/dist/external/semver.js +1459 -4
- package/dist/external/shell-quote.d.ts +51 -0
- package/dist/external/shell-quote.js +55 -15
- package/dist/external/signal-exit.d.ts +1 -0
- package/dist/external/spdx-correct.d.ts +4 -0
- package/dist/external/spdx-expression-parse.d.ts +4 -0
- package/dist/external/spdx-pack.d.ts +10 -0
- package/dist/external/std-env.d.ts +284 -0
- package/dist/external/std-env.js +323 -0
- package/dist/external/streaming-iterables.d.ts +11 -0
- package/dist/external/supports-color.d.ts +1 -0
- package/dist/external/tar-fs.d.ts +31 -0
- package/dist/external/tar-fs.js +63 -16
- package/dist/external/validate-npm-package-name.d.ts +4 -0
- package/dist/external/which.d.ts +25 -0
- package/dist/external/which.js +2 -2
- package/dist/external/yargs-parser.d.ts +2 -0
- package/dist/external/yargs-parser.js +11 -3
- package/dist/external/yoctocolors-cjs.d.ts +51 -0
- package/dist/external-tools/bazel/asset-names.d.ts +1 -1
- package/dist/external-tools/bazel/from-download.d.ts +1 -1
- package/dist/external-tools/bazel/resolve.d.ts +3 -0
- package/dist/external-tools/bazel/resolve.js +3 -0
- package/dist/external-tools/cdxgen/asset-names.d.ts +5 -5
- package/dist/external-tools/cdxgen/asset-names.js +3 -3
- package/dist/external-tools/cdxgen/from-download.d.ts +2 -2
- package/dist/external-tools/cdxgen/from-download.js +1 -1
- package/dist/external-tools/cdxgen/resolve.d.ts +4 -1
- package/dist/external-tools/cdxgen/resolve.js +4 -1
- package/dist/external-tools/cdxgen/types.d.ts +1 -1
- package/dist/external-tools/from-download.d.ts +2 -2
- package/dist/external-tools/from-download.js +1 -1
- package/dist/external-tools/janus/asset-names.d.ts +4 -1
- package/dist/external-tools/janus/asset-names.js +3 -0
- package/dist/external-tools/janus/from-download.d.ts +3 -3
- package/dist/external-tools/janus/from-download.js +2 -2
- package/dist/external-tools/janus/resolve.d.ts +3 -0
- package/dist/external-tools/janus/resolve.js +3 -0
- package/dist/external-tools/jre/asset-names.d.ts +3 -1
- package/dist/external-tools/jre/asset-names.js +2 -0
- package/dist/external-tools/jre/detect-platform-arch.js +1 -1
- package/dist/external-tools/jre/from-download.d.ts +1 -1
- package/dist/external-tools/manifest.d.ts +5 -3
- package/dist/external-tools/manifest.js +5 -3
- package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
- package/dist/external-tools/opengrep/resolve.d.ts +3 -0
- package/dist/external-tools/opengrep/resolve.js +3 -0
- package/dist/external-tools/python/asset-names.d.ts +3 -1
- package/dist/external-tools/python/asset-names.js +8 -4
- package/dist/external-tools/python/pin.js +3 -1
- package/dist/external-tools/python/resolve.d.ts +3 -0
- package/dist/external-tools/python/resolve.js +3 -0
- package/dist/external-tools/python/uv-install.d.ts +89 -0
- package/dist/external-tools/python/uv-install.js +165 -0
- package/dist/external-tools/sbt/resolve.d.ts +3 -0
- package/dist/external-tools/sbt/resolve.js +3 -0
- package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
- package/dist/external-tools/skillspector/from-uv.js +56 -0
- package/dist/external-tools/skillspector/resolve.d.ts +18 -3
- package/dist/external-tools/skillspector/resolve.js +21 -8
- package/dist/external-tools/skillspector/types.d.ts +3 -1
- package/dist/external-tools/synp/resolve.d.ts +3 -0
- package/dist/external-tools/synp/resolve.js +3 -0
- package/dist/external-tools/trivy/asset-names.d.ts +1 -1
- package/dist/external-tools/trivy/resolve.d.ts +3 -0
- package/dist/external-tools/trivy/resolve.js +3 -0
- package/dist/external-tools/trufflehog/asset-names.d.ts +4 -1
- package/dist/external-tools/trufflehog/asset-names.js +3 -0
- package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
- package/dist/external-tools/trufflehog/resolve.d.ts +3 -0
- package/dist/external-tools/trufflehog/resolve.js +3 -0
- package/dist/external-tools/uv/asset-names.d.ts +36 -0
- package/dist/external-tools/uv/asset-names.js +73 -0
- package/dist/external-tools/uv/from-download.d.ts +17 -0
- package/dist/external-tools/uv/from-download.js +50 -0
- package/dist/external-tools/uv/from-path.d.ts +5 -0
- package/dist/external-tools/uv/from-path.js +22 -0
- package/dist/external-tools/uv/from-vfs.d.ts +7 -0
- package/dist/external-tools/uv/from-vfs.js +26 -0
- package/dist/external-tools/uv/resolve.d.ts +28 -0
- package/dist/external-tools/uv/resolve.js +64 -0
- package/dist/external-tools/uv/types.d.ts +24 -0
- package/dist/external-tools/uv/types.js +2 -0
- package/dist/fleet/repo-config.d.ts +55 -0
- package/dist/fleet/repo-config.js +81 -0
- package/dist/fs/_internal.d.ts +1 -1
- package/dist/fs/_internal.js +1 -1
- package/dist/fs/access.d.ts +2 -0
- package/dist/fs/access.js +2 -0
- package/dist/fs/copy.d.ts +88 -0
- package/dist/fs/copy.js +89 -0
- package/dist/fs/find.js +1 -2
- package/dist/fs/inspect.d.ts +2 -2
- package/dist/fs/read-file.js +3 -4
- package/dist/fs/safe.js +2 -2
- package/dist/git/_internal.js +7 -3
- package/dist/github/commit.d.ts +92 -0
- package/dist/github/commit.js +113 -0
- package/dist/github/ghsa.js +1 -1
- package/dist/github/refs-graphql.js +1 -1
- package/dist/github/refs.js +10 -15
- package/dist/github/request.js +1 -1
- package/dist/github/token.d.ts +5 -2
- package/dist/github/token.js +6 -4
- package/dist/github/workflow-runs.d.ts +107 -0
- package/dist/github/workflow-runs.js +98 -0
- package/dist/globs/_internal.js +1 -1
- package/dist/http-request/_internal.d.ts +1 -1
- package/dist/http-request/browser.d.ts +6 -0
- package/dist/http-request/browser.js +4 -3
- package/dist/http-request/checksum-file.js +1 -1
- package/dist/http-request/download.js +2 -0
- package/dist/http-request/headers.d.ts +1 -1
- package/dist/http-request/headers.js +2 -2
- package/dist/http-request/request-attempt.js +6 -3
- package/dist/http-request/request-types.d.ts +10 -1
- package/dist/http-request/request.js +2 -2
- package/dist/http-request/user-agent.d.ts +23 -2
- package/dist/http-request/user-agent.js +48 -6
- package/dist/integrity.d.ts +127 -78
- package/dist/integrity.js +170 -84
- package/dist/json/format.js +4 -1
- package/dist/logger/_internal.d.ts +13 -15
- package/dist/logger/_internal.js +21 -21
- package/dist/logger/colors.d.ts +10 -5
- package/dist/logger/colors.js +7 -14
- package/dist/logger/console-methods.js +2 -2
- package/dist/logger/console.d.ts +1 -0
- package/dist/logger/console.js +9 -9
- package/dist/logger/node.js +2 -1
- package/dist/logger/symbols-builder.js +7 -8
- package/dist/logger/symbols.js +8 -8
- package/dist/native-messaging/install.js +1 -1
- package/dist/native-messaging/rate-limit.d.ts +4 -1
- package/dist/native-messaging/rate-limit.js +4 -1
- package/dist/node/events.d.ts +3 -0
- package/dist/node/events.js +3 -0
- package/dist/node/fs.d.ts +1 -1
- package/dist/node/module.d.ts +73 -2
- package/dist/node/module.js +97 -12
- package/dist/node/timers-promises.d.ts +3 -0
- package/dist/node/timers-promises.js +3 -0
- package/dist/node/url.d.ts +3 -0
- package/dist/node/url.js +3 -0
- package/dist/npm/meta-cache.d.ts +183 -0
- package/dist/npm/meta-cache.js +318 -0
- package/dist/npm/meta-slice.d.ts +27 -0
- package/dist/npm/meta-slice.js +68 -0
- package/dist/npm/meta-types.d.ts +282 -0
- package/dist/npm/meta-types.js +2 -0
- package/dist/npm/meta.d.ts +125 -0
- package/dist/npm/meta.js +347 -0
- package/dist/npm/registry.d.ts +212 -0
- package/dist/npm/registry.js +284 -0
- package/dist/objects/getters.d.ts +1 -1
- package/dist/objects/getters.js +1 -1
- package/dist/objects/predicates.js +1 -1
- package/dist/packages/exports.js +2 -2
- package/dist/packages/isolation.js +1 -1
- package/dist/packages/manifest.d.ts +29 -0
- package/dist/packages/manifest.js +44 -9
- package/dist/packages/metadata-extensions.js +2 -4
- package/dist/packages/normalize.js +1 -1
- package/dist/packages/provenance.d.ts +8 -0
- package/dist/packages/provenance.js +10 -2
- package/dist/packages/specs.js +1 -1
- package/dist/packages/tarball.js +1 -2
- package/dist/packages/validation.d.ts +0 -10
- package/dist/packages/validation.js +0 -14
- package/dist/paths/_internal.d.ts +1 -7
- package/dist/paths/_internal.js +9 -15
- package/dist/paths/conversion.js +1 -1
- package/dist/paths/exts.d.ts +30 -0
- package/dist/paths/exts.js +30 -0
- package/dist/paths/filenames.d.ts +6 -0
- package/dist/paths/filenames.js +6 -0
- package/dist/paths/globs.d.ts +6 -0
- package/dist/paths/globs.js +6 -0
- package/dist/paths/normalize.js +1 -1
- package/dist/paths/predicates.js +2 -1
- package/dist/paths/resolve.js +19 -14
- package/dist/paths/socket.d.ts +81 -30
- package/dist/paths/socket.js +102 -28
- package/dist/perf/metrics.js +1 -1
- package/dist/perf/report.js +5 -3
- package/dist/pkg-ext/data.js +0 -2
- package/dist/primordials/globals.d.ts +1 -1
- package/dist/primordials/globals.js +1 -1
- package/dist/primordials/headers.d.ts +13 -1
- package/dist/primordials/headers.js +13 -1
- package/dist/primordials/process.d.ts +1 -1
- package/dist/primordials/process.js +1 -1
- package/dist/primordials/url.d.ts +18 -0
- package/dist/primordials/url.js +18 -0
- package/dist/process/spawn/child.js +3 -5
- package/dist/promises/_internal.d.ts +1 -1
- package/dist/promises/_internal.js +1 -2
- package/dist/promises/options.js +3 -3
- package/dist/regexps/spec.js +1 -1
- package/dist/releases/socket-btm-binary-naming.js +12 -1
- package/dist/schema/validate.js +1 -1
- package/dist/secrets/_internal.d.ts +1 -1
- package/dist/secrets/_internal.js +1 -1
- package/dist/secrets/broker.d.ts +35 -0
- package/dist/secrets/broker.js +72 -0
- package/dist/secrets/find.d.ts +8 -6
- package/dist/secrets/find.js +17 -3
- package/dist/secrets/keychain.d.ts +10 -1
- package/dist/secrets/keychain.js +10 -1
- package/dist/secrets/rc.js +1 -1
- package/dist/secrets/socket-api-token.d.ts +1 -1
- package/dist/secrets/socket-api-token.js +1 -1
- package/dist/secrets/types.d.ts +1 -1
- package/dist/smol/detect.js +1 -1
- package/dist/smol/http.d.ts +2 -0
- package/dist/smol/http.js +3 -1
- package/dist/smol/https.d.ts +2 -0
- package/dist/smol/https.js +3 -1
- package/dist/smol/manifest.js +1 -1
- package/dist/smol/path.js +1 -1
- package/dist/smol/primordial.js +1 -1
- package/dist/smol/purl.js +1 -1
- package/dist/smol/versions.js +1 -1
- package/dist/smol/vfs.js +1 -1
- package/dist/sorts/_internal.d.ts +2 -4
- package/dist/sorts/_internal.js +1 -7
- package/dist/sorts/semver.js +2 -2
- package/dist/spinner/create-spinner-class.js +1 -1
- package/dist/spinner/format.js +2 -4
- package/dist/stdio/footer.js +8 -7
- package/dist/stdio/progress.js +1 -1
- package/dist/stdio/prompts.d.ts +8 -23
- package/dist/stdio/prompts.js +28 -52
- package/dist/strings/format.js +1 -1
- package/dist/strings/predicates.d.ts +2 -2
- package/dist/strings/search.js +2 -2
- package/dist/strings/types.d.ts +4 -0
- package/dist/strings/width.d.ts +1 -0
- package/dist/strings/width.js +17 -8
- package/dist/themes/context.d.ts +18 -3
- package/dist/themes/context.js +28 -14
- package/dist/versions/_internal.d.ts +43 -13
- package/dist/versions/_internal.js +27 -15
- package/dist/versions/compare.d.ts +16 -10
- package/dist/versions/compare.js +36 -16
- package/dist/versions/parse.js +1 -1
- package/dist/versions/range.js +3 -2
- package/dist/words/pluralize.js +4 -1
- package/llms.txt +63 -0
- package/package.json +271 -40
|
@@ -2,8 +2,8 @@
|
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_primordials_error = require('../primordials/error.js');
|
|
5
|
-
const require_integrity = require('../integrity.js');
|
|
6
5
|
const require_primordials_string = require('../primordials/string.js');
|
|
6
|
+
const require_integrity = require('../integrity.js');
|
|
7
7
|
const require_http_request_request = require('./request.js');
|
|
8
8
|
|
|
9
9
|
//#region src/http-request/checksum-file.ts
|
|
@@ -168,6 +168,8 @@ async function httpDownloadAttempt(url, destPath, options) {
|
|
|
168
168
|
})();
|
|
169
169
|
};
|
|
170
170
|
fileStream.on("error", (error) => {
|
|
171
|
+
res.unpipe(fileStream);
|
|
172
|
+
res.destroy();
|
|
171
173
|
fileStream.destroy();
|
|
172
174
|
cleanupPartial();
|
|
173
175
|
reject(new require_primordials_error.ErrorCtor(`Failed to write file: ${error.message}`, { cause: error }));
|
|
@@ -13,7 +13,7 @@
|
|
|
13
13
|
* Build an HTTP Basic `Authorization` header value from a Socket API token.
|
|
14
14
|
*
|
|
15
15
|
* The Socket API uses the token as the username with an empty password, so the
|
|
16
|
-
* credential pair is `<token>:`. Centralized here so every
|
|
16
|
+
* credential pair is `<token>:`. Centralized here so every Socket caller emits
|
|
17
17
|
* the identical shape instead of hand-rolling `btoa(\`${token}:`)`.
|
|
18
18
|
*
|
|
19
19
|
* @example
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
-
const require_primordials_number = require('../primordials/number.js');
|
|
5
4
|
const require_primordials_object = require('../primordials/object.js');
|
|
5
|
+
const require_primordials_number = require('../primordials/number.js');
|
|
6
6
|
const require_primordials_array = require('../primordials/array.js');
|
|
7
7
|
const require_primordials_date = require('../primordials/date.js');
|
|
8
8
|
const require_primordials_globals = require('../primordials/globals.js');
|
|
@@ -24,7 +24,7 @@ const RETRY_AFTER_INT_RE = /^\d+$/;
|
|
|
24
24
|
* Build an HTTP Basic `Authorization` header value from a Socket API token.
|
|
25
25
|
*
|
|
26
26
|
* The Socket API uses the token as the username with an empty password, so the
|
|
27
|
-
* credential pair is `<token>:`. Centralized here so every
|
|
27
|
+
* credential pair is `<token>:`. Centralized here so every Socket caller emits
|
|
28
28
|
* the identical shape instead of hand-rolling `btoa(\`${token}:`)`.
|
|
29
29
|
*
|
|
30
30
|
* @example
|
|
@@ -118,7 +118,7 @@ async function httpRequestAttempt(url, options) {
|
|
|
118
118
|
let redirectHeaders = headers;
|
|
119
119
|
if (new require_primordials_url.URLCtor(url).origin !== redirectParsed.origin) {
|
|
120
120
|
redirectHeaders = { __proto__: null };
|
|
121
|
-
const stripped = new Set([
|
|
121
|
+
const stripped = /* @__PURE__ */ new Set([
|
|
122
122
|
"authorization",
|
|
123
123
|
"cookie",
|
|
124
124
|
"proxy-authenticate",
|
|
@@ -173,7 +173,9 @@ async function httpRequestAttempt(url, options) {
|
|
|
173
173
|
if (maxResponseSize && totalBytes > maxResponseSize) {
|
|
174
174
|
res.destroy();
|
|
175
175
|
request.destroy();
|
|
176
|
-
|
|
176
|
+
const sizeMB = (totalBytes / (1024 * 1024)).toFixed(2);
|
|
177
|
+
const maxMB = (maxResponseSize / (1024 * 1024)).toFixed(2);
|
|
178
|
+
rejectOnce(new require_primordials_error.ErrorCtor(`Response exceeds maximum size limit (${sizeMB}MB > ${maxMB}MB)`));
|
|
177
179
|
return;
|
|
178
180
|
}
|
|
179
181
|
chunks.push(chunk);
|
|
@@ -213,7 +215,8 @@ async function httpRequestAttempt(url, options) {
|
|
|
213
215
|
});
|
|
214
216
|
});
|
|
215
217
|
request.on("error", (error) => {
|
|
216
|
-
|
|
218
|
+
const message = require_http_request_errors.enrichErrorMessage(url, method, error);
|
|
219
|
+
rejectOnce(new require_primordials_error.ErrorCtor(message, { cause: error }));
|
|
217
220
|
});
|
|
218
221
|
request.on("timeout", () => {
|
|
219
222
|
request.destroy();
|
|
@@ -199,7 +199,7 @@ export interface HttpRequestOptions {
|
|
|
199
199
|
onRetry?: ((attempt: number, error: unknown, delay: number) => boolean | number | undefined) | undefined;
|
|
200
200
|
/**
|
|
201
201
|
* Number of retry attempts for failed requests. Uses exponential backoff:
|
|
202
|
-
* delay = `retryDelay` * 2^attempt.
|
|
202
|
+
* delay = min(`retryDelay` * 2^attempt, `retryDelayMax`).
|
|
203
203
|
*
|
|
204
204
|
* @default 0
|
|
205
205
|
*/
|
|
@@ -211,6 +211,15 @@ export interface HttpRequestOptions {
|
|
|
211
211
|
* @default 1000
|
|
212
212
|
*/
|
|
213
213
|
retryDelay?: number | undefined;
|
|
214
|
+
/**
|
|
215
|
+
* Maximum delay in milliseconds for a single backoff wait. Caps the
|
|
216
|
+
* exponential growth (`retryDelay` * 2^attempt) so a high `retries` count
|
|
217
|
+
* can't produce multi-minute waits. An explicit `onRetry`-returned delay is
|
|
218
|
+
* not capped — that is the caller's deliberate choice.
|
|
219
|
+
*
|
|
220
|
+
* @default 30000
|
|
221
|
+
*/
|
|
222
|
+
retryDelayMax?: number | undefined;
|
|
214
223
|
/**
|
|
215
224
|
* AbortSignal forwarded to the underlying `http.request` / `https.request`
|
|
216
225
|
* call. Supported in Node 22+ via `node:http` request options. When both
|
|
@@ -65,7 +65,7 @@ let node_timers_promises = require("node:timers/promises");
|
|
|
65
65
|
* non-retryable error happens.
|
|
66
66
|
*/
|
|
67
67
|
async function httpRequest(url, options) {
|
|
68
|
-
const { body, ca, followRedirects = true, headers = {}, hooks, maxRedirects = 5, maxResponseSize, method = "GET", onRetry, retries = 0, retryDelay = 1e3, signal, stream = false, throwOnError = false, timeout = 3e4 } = {
|
|
68
|
+
const { body, ca, followRedirects = true, headers = {}, hooks, maxRedirects = 5, maxResponseSize, method = "GET", onRetry, retries = 0, retryDelay = 1e3, retryDelayMax = 3e4, signal, stream = false, throwOnError = false, timeout = 3e4 } = {
|
|
69
69
|
__proto__: null,
|
|
70
70
|
...options
|
|
71
71
|
};
|
|
@@ -104,7 +104,7 @@ async function httpRequest(url, options) {
|
|
|
104
104
|
lastError = e;
|
|
105
105
|
if (attempt === retries) break;
|
|
106
106
|
if (signal?.aborted) break;
|
|
107
|
-
const delayMs = retryDelay * 2 ** attempt;
|
|
107
|
+
const delayMs = require_primordials_math.MathMin(retryDelay * 2 ** attempt, retryDelayMax);
|
|
108
108
|
if (onRetry) {
|
|
109
109
|
const retryResult = onRetry(attempt + 1, e, delayMs);
|
|
110
110
|
if (retryResult === false) break;
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
* Three-token format aligned with socket-cli's `getCliUserAgent` and
|
|
4
4
|
* coana-tech-cli's `configureAxiosUserAgent`: `<slug>/<version>
|
|
5
5
|
* node/<node-version> <platform>/<arch>` e.g. `socketsecurity-lib/6.0.0
|
|
6
|
-
* node/v22.10.0 darwin/arm64` Downstream callers (sdxgen SEA binary,
|
|
6
|
+
* node/v22.10.0 darwin/arm64` Downstream callers (sdxgen SEA binary, Socket
|
|
7
7
|
* CLIs, etc.) can identify themselves via the `SOCKET_CALLER_USER_AGENT` env
|
|
8
8
|
* var, which is appended to the lib's own UA so the server still sees the lib
|
|
9
9
|
* identifier. @example import { getSocketCallerUserAgent } from
|
|
@@ -16,7 +16,7 @@
|
|
|
16
16
|
*
|
|
17
17
|
* Used directly by socket-lib's own outbound requests (via
|
|
18
18
|
* `getSocketCallerUserAgent`) and exported for sibling packages (socket-cli,
|
|
19
|
-
* socket-sdk-js) so
|
|
19
|
+
* socket-sdk-js) so Socket emits one canonical UA shape.
|
|
20
20
|
*
|
|
21
21
|
* @example
|
|
22
22
|
* ;```typescript
|
|
@@ -31,6 +31,18 @@ export declare function buildUserAgent(pkg: {
|
|
|
31
31
|
name: string;
|
|
32
32
|
version: string;
|
|
33
33
|
}, caller?: string | undefined): string;
|
|
34
|
+
/**
|
|
35
|
+
* Chain User-Agent fragments into a breadcrumb trail, ordered identity → hop
|
|
36
|
+
* (the immediate agent first, each forwarded caller after) so it reads
|
|
37
|
+
* left-to-right and a server's UA parser buckets by the immediate agent. Each
|
|
38
|
+
* fragment is sanitized; empties are dropped; an immediately-repeated fragment
|
|
39
|
+
* is collapsed so re-proxying doesn't stutter the same hop twice.
|
|
40
|
+
*
|
|
41
|
+
* @example
|
|
42
|
+
* chainUserAgents(['socketsecurity-firewall-api-proxy/0.0.0', 'vlt/1.2.3'])
|
|
43
|
+
* // 'socketsecurity-firewall-api-proxy/0.0.0 vlt/1.2.3'
|
|
44
|
+
*/
|
|
45
|
+
export declare function chainUserAgents(parts: ReadonlyArray<string | undefined>): string;
|
|
34
46
|
/**
|
|
35
47
|
* User-Agent header for socket-lib's own outbound HTTP requests.
|
|
36
48
|
*
|
|
@@ -53,3 +65,12 @@ export declare function buildUserAgent(pkg: {
|
|
|
53
65
|
* ```
|
|
54
66
|
*/
|
|
55
67
|
export declare function getSocketCallerUserAgent(): string;
|
|
68
|
+
/**
|
|
69
|
+
* Sanitize a single User-Agent fragment for safe inclusion in an outgoing HTTP
|
|
70
|
+
* header. A caller identifier (`SOCKET_CALLER_USER_AGENT`, or a UA a proxy
|
|
71
|
+
* forwards on behalf of its client) is untrusted, so strip control chars (C0
|
|
72
|
+
* incl. CR/LF — the header- and log-injection vector — DEL, and C1), collapse
|
|
73
|
+
* internal whitespace to one space, trim, and cap length. Returns '' for
|
|
74
|
+
* nullish / blank / all-control input.
|
|
75
|
+
*/
|
|
76
|
+
export declare function sanitizeUserAgent(value: string | undefined): string;
|
|
@@ -2,7 +2,9 @@
|
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_runtime = require('../_virtual/_rolldown/runtime.js');
|
|
5
|
+
const require_primordials_string = require('../primordials/string.js');
|
|
5
6
|
const require_env_rewire = require('../env/rewire.js');
|
|
7
|
+
const require_primordials_array = require('../primordials/array.js');
|
|
6
8
|
const require_constants_socket = require('../constants/socket.js');
|
|
7
9
|
const require_packages_specs = require('../packages/specs.js');
|
|
8
10
|
let node_process = require("node:process");
|
|
@@ -14,20 +16,22 @@ node_process = require_runtime.__toESM(node_process);
|
|
|
14
16
|
* Three-token format aligned with socket-cli's `getCliUserAgent` and
|
|
15
17
|
* coana-tech-cli's `configureAxiosUserAgent`: `<slug>/<version>
|
|
16
18
|
* node/<node-version> <platform>/<arch>` e.g. `socketsecurity-lib/6.0.0
|
|
17
|
-
* node/v22.10.0 darwin/arm64` Downstream callers (sdxgen SEA binary,
|
|
19
|
+
* node/v22.10.0 darwin/arm64` Downstream callers (sdxgen SEA binary, Socket
|
|
18
20
|
* CLIs, etc.) can identify themselves via the `SOCKET_CALLER_USER_AGENT` env
|
|
19
21
|
* var, which is appended to the lib's own UA so the server still sees the lib
|
|
20
22
|
* identifier. @example import { getSocketCallerUserAgent } from
|
|
21
23
|
* '@socketsecurity/lib/http-request/user-agent'
|
|
22
24
|
* request.setHeader('User-Agent', getSocketCallerUserAgent())
|
|
23
25
|
*/
|
|
26
|
+
const MAX_USER_AGENT_LENGTH = 256;
|
|
27
|
+
let cachedBaseUserAgent;
|
|
24
28
|
/**
|
|
25
29
|
* Compose a three-token User-Agent string from a `{ name, version }` pair,
|
|
26
30
|
* optionally appending a caller-supplied identifier.
|
|
27
31
|
*
|
|
28
32
|
* Used directly by socket-lib's own outbound requests (via
|
|
29
33
|
* `getSocketCallerUserAgent`) and exported for sibling packages (socket-cli,
|
|
30
|
-
* socket-sdk-js) so
|
|
34
|
+
* socket-sdk-js) so Socket emits one canonical UA shape.
|
|
31
35
|
*
|
|
32
36
|
* @example
|
|
33
37
|
* ;```typescript
|
|
@@ -40,9 +44,27 @@ node_process = require_runtime.__toESM(node_process);
|
|
|
40
44
|
*/
|
|
41
45
|
function buildUserAgent(pkg, caller) {
|
|
42
46
|
const base = `${require_packages_specs.pkgNameToSlug(pkg.name)}/${pkg.version} node/${node_process.default.version} ${node_process.default.platform}/${node_process.default.arch}`;
|
|
43
|
-
return caller ?
|
|
47
|
+
return caller ? chainUserAgents([base, caller]) : base;
|
|
48
|
+
}
|
|
49
|
+
/**
|
|
50
|
+
* Chain User-Agent fragments into a breadcrumb trail, ordered identity → hop
|
|
51
|
+
* (the immediate agent first, each forwarded caller after) so it reads
|
|
52
|
+
* left-to-right and a server's UA parser buckets by the immediate agent. Each
|
|
53
|
+
* fragment is sanitized; empties are dropped; an immediately-repeated fragment
|
|
54
|
+
* is collapsed so re-proxying doesn't stutter the same hop twice.
|
|
55
|
+
*
|
|
56
|
+
* @example
|
|
57
|
+
* chainUserAgents(['socketsecurity-firewall-api-proxy/0.0.0', 'vlt/1.2.3'])
|
|
58
|
+
* // 'socketsecurity-firewall-api-proxy/0.0.0 vlt/1.2.3'
|
|
59
|
+
*/
|
|
60
|
+
function chainUserAgents(parts) {
|
|
61
|
+
const trail = [];
|
|
62
|
+
for (let i = 0, { length } = parts; i < length; i += 1) {
|
|
63
|
+
const clean = sanitizeUserAgent(parts[i]);
|
|
64
|
+
if (clean && trail[trail.length - 1] !== clean) require_primordials_array.ArrayPrototypePush(trail, clean);
|
|
65
|
+
}
|
|
66
|
+
return require_primordials_array.ArrayPrototypeJoin(trail, " ");
|
|
44
67
|
}
|
|
45
|
-
let cachedBaseUserAgent;
|
|
46
68
|
/**
|
|
47
69
|
* User-Agent header for socket-lib's own outbound HTTP requests.
|
|
48
70
|
*
|
|
@@ -70,9 +92,29 @@ function getSocketCallerUserAgent() {
|
|
|
70
92
|
version: require_constants_socket.SOCKET_LIB_VERSION
|
|
71
93
|
});
|
|
72
94
|
const caller = require_env_rewire.getEnvValue("SOCKET_CALLER_USER_AGENT");
|
|
73
|
-
return
|
|
95
|
+
return chainUserAgents([cachedBaseUserAgent, caller]);
|
|
96
|
+
}
|
|
97
|
+
/**
|
|
98
|
+
* Sanitize a single User-Agent fragment for safe inclusion in an outgoing HTTP
|
|
99
|
+
* header. A caller identifier (`SOCKET_CALLER_USER_AGENT`, or a UA a proxy
|
|
100
|
+
* forwards on behalf of its client) is untrusted, so strip control chars (C0
|
|
101
|
+
* incl. CR/LF — the header- and log-injection vector — DEL, and C1), collapse
|
|
102
|
+
* internal whitespace to one space, trim, and cap length. Returns '' for
|
|
103
|
+
* nullish / blank / all-control input.
|
|
104
|
+
*/
|
|
105
|
+
function sanitizeUserAgent(value) {
|
|
106
|
+
if (!value) return "";
|
|
107
|
+
let cleaned = "";
|
|
108
|
+
for (let i = 0, { length } = value; i < length; i += 1) {
|
|
109
|
+
const code = require_primordials_string.StringPrototypeCharCodeAt(value, i);
|
|
110
|
+
cleaned += code < 32 || code >= 127 && code <= 159 ? " " : require_primordials_string.StringPrototypeCharAt(value, i);
|
|
111
|
+
}
|
|
112
|
+
cleaned = require_primordials_string.StringPrototypeTrim(require_primordials_string.StringPrototypeReplace(cleaned, /\s+/g, " "));
|
|
113
|
+
return cleaned.length > MAX_USER_AGENT_LENGTH ? require_primordials_string.StringPrototypeTrim(require_primordials_string.StringPrototypeSlice(cleaned, 0, MAX_USER_AGENT_LENGTH)) : cleaned;
|
|
74
114
|
}
|
|
75
115
|
|
|
76
116
|
//#endregion
|
|
77
117
|
exports.buildUserAgent = buildUserAgent;
|
|
78
|
-
exports.
|
|
118
|
+
exports.chainUserAgents = chainUserAgents;
|
|
119
|
+
exports.getSocketCallerUserAgent = getSocketCallerUserAgent;
|
|
120
|
+
exports.sanitizeUserAgent = sanitizeUserAgent;
|
package/dist/integrity.d.ts
CHANGED
|
@@ -1,18 +1,36 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* SRI-blessed hash algorithms. The W3C set; the prefix is part of the wire
|
|
3
|
+
* format, not a Socket convention.
|
|
4
|
+
*/
|
|
5
|
+
export type HashAlgorithm = 'sha256' | 'sha384' | 'sha512';
|
|
6
|
+
/**
|
|
7
|
+
* A cryptographic hash: an algorithm plus the digest in both encodings. Frozen,
|
|
8
|
+
* plain, self-describing — `h.algorithm` removes every "is this 256 or 512?"
|
|
9
|
+
* guess, and `h.hex` / `h.sri` are precomputed views (cheap transcodes of the
|
|
10
|
+
* digest, eager so the value stays serializable and structurally comparable).
|
|
11
|
+
*/
|
|
12
|
+
export interface Hash {
|
|
13
|
+
readonly algorithm: HashAlgorithm;
|
|
14
|
+
/**
|
|
15
|
+
* Lowercase hex digest (64 chars sha256, 96 sha384, 128 sha512).
|
|
16
|
+
*/
|
|
17
|
+
readonly hex: string;
|
|
18
|
+
/**
|
|
19
|
+
* W3C SRI string: `<algorithm>-<base64>`.
|
|
20
|
+
*/
|
|
21
|
+
readonly sri: string;
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* Anything a caller can hand verify/convert as "the expected hash": a parsed
|
|
25
|
+
* {@link Hash}, an SRI string, or a bare hex digest (algorithm inferred by
|
|
26
|
+
* length).
|
|
27
|
+
*/
|
|
28
|
+
export type HashInput = string | Hash;
|
|
1
29
|
/**
|
|
2
30
|
* Tagged union representing an expected hash.
|
|
3
31
|
*
|
|
4
|
-
* @
|
|
5
|
-
*
|
|
6
|
-
* 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs='
|
|
7
|
-
*
|
|
8
|
-
* @example
|
|
9
|
-
* // Bare sha256 hex (sniffed as checksum):
|
|
10
|
-
* 'a1b2c3...'
|
|
11
|
-
*
|
|
12
|
-
* @example
|
|
13
|
-
* // Explicit:
|
|
14
|
-
* { type: 'integrity', value: 'sha512-...' }
|
|
15
|
-
* { type: 'checksum', value: 'a1b2c3...' }
|
|
32
|
+
* @deprecated Prefer {@link HashInput} + {@link parseHash}. Kept for the
|
|
33
|
+
* `integrity?: HashSpec` option fields across dlx / external-tools.
|
|
16
34
|
*/
|
|
17
35
|
export type HashSpec = string | {
|
|
18
36
|
type: 'integrity';
|
|
@@ -22,15 +40,16 @@ export type HashSpec = string | {
|
|
|
22
40
|
value: string;
|
|
23
41
|
};
|
|
24
42
|
/**
|
|
25
|
-
* Normalized internal form. Always an object.
|
|
43
|
+
* Normalized internal form of a {@link HashSpec}. Always an object.
|
|
26
44
|
*/
|
|
27
45
|
export interface NormalizedHash {
|
|
28
46
|
type: 'integrity' | 'checksum';
|
|
29
47
|
value: string;
|
|
30
48
|
}
|
|
31
49
|
/**
|
|
32
|
-
* Both hash formats for the same bytes
|
|
33
|
-
*
|
|
50
|
+
* Both pinned hash formats for the same bytes: the sha512 SRI we pin against
|
|
51
|
+
* and the sha256 hex upstream tools emit. Returned from downloads so callers
|
|
52
|
+
* record whichever their config uses.
|
|
34
53
|
*/
|
|
35
54
|
export interface ComputedHashes {
|
|
36
55
|
/**
|
|
@@ -43,7 +62,7 @@ export interface ComputedHashes {
|
|
|
43
62
|
checksum: string;
|
|
44
63
|
}
|
|
45
64
|
/**
|
|
46
|
-
* Parsed components of an integrity string.
|
|
65
|
+
* Parsed components of an SRI integrity string.
|
|
47
66
|
*/
|
|
48
67
|
export interface ParsedIntegrity {
|
|
49
68
|
/**
|
|
@@ -56,60 +75,64 @@ export interface ParsedIntegrity {
|
|
|
56
75
|
body: string;
|
|
57
76
|
}
|
|
58
77
|
/**
|
|
59
|
-
* Convert a
|
|
60
|
-
* Idempotent on integrity input — call this on user-supplied data without first
|
|
61
|
-
* sniffing the format.
|
|
62
|
-
*
|
|
63
|
-
* The default algorithm is `'sha256'` because this converts a _checksum_, and
|
|
64
|
-
* checksums are sha256 by fleet convention (the GitHub-SHA256SUMS interop shape
|
|
65
|
-
* its only caller, `checksum-file.ts`, parses). Do NOT flip this default to
|
|
66
|
-
* sha512: this function only relabels the hex bytes, it does not re-hash, so a
|
|
67
|
-
* sha512 label on a 256-bit digest would be a lie. The canonical algorithm for
|
|
68
|
-
* OUR-side integrity values is sha512 — emitted by `computeHashes` as the
|
|
69
|
-
* `integrity` (`sha512-<base64>`) field; sha256 is reserved for
|
|
70
|
-
* upstream-SHASUMS interop and content addressing. Pass an explicit algorithm
|
|
71
|
-
* if you have a hex digest from `sha384` or `sha512` (the function does not
|
|
72
|
-
* verify hex length against the algorithm — caller's responsibility).
|
|
78
|
+
* Convert a hex checksum to its SRI integrity form.
|
|
73
79
|
*
|
|
74
|
-
* @
|
|
75
|
-
*
|
|
76
|
-
*
|
|
77
|
-
*
|
|
78
|
-
* )
|
|
79
|
-
* // 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs='
|
|
80
|
-
*
|
|
81
|
-
* checksumToIntegrity('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
|
|
82
|
-
* // 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=' (idempotent)
|
|
83
|
-
* ```
|
|
80
|
+
* @deprecated Prefer `parseHash(x).sri`, which is total across all algorithms
|
|
81
|
+
* and infers the algorithm from a bare hex digest. This shim defaults to
|
|
82
|
+
* `'sha256'` because it only relabels the hex bytes — it does NOT re-hash, so
|
|
83
|
+
* a sha512 label on a 256-bit digest would be a lie. Idempotent on SRI input.
|
|
84
84
|
*
|
|
85
85
|
* @throws TypeError when the input is neither a recognized SRI nor a hex
|
|
86
86
|
* digest.
|
|
87
87
|
*/
|
|
88
|
-
export declare function checksumToIntegrity(input: string, algorithm?:
|
|
88
|
+
export declare function checksumToIntegrity(input: string, algorithm?: HashAlgorithm): string;
|
|
89
|
+
/**
|
|
90
|
+
* Compute a single {@link Hash} of `bytes`. Defaults to sha512 — the canonical
|
|
91
|
+
* trust string we pin against. Pass `'sha256'` for the upstream-interop digest.
|
|
92
|
+
*
|
|
93
|
+
* @example
|
|
94
|
+
* ;```typescript
|
|
95
|
+
* computeHash(bytes).sri // 'sha512-…' (pin this)
|
|
96
|
+
* computeHash(bytes, 'sha256').hex // '3620a0…' (compare to SHA256SUMS)
|
|
97
|
+
* ```
|
|
98
|
+
*/
|
|
99
|
+
export declare function computeHash(bytes: NodeJS.ArrayBufferView, algorithm?: HashAlgorithm): Hash;
|
|
89
100
|
/**
|
|
90
|
-
* Compute both
|
|
91
|
-
*
|
|
101
|
+
* Compute both pinned formats for `bytes`: the sha512 SRI integrity and the
|
|
102
|
+
* sha256 hex checksum. Use when a config records both (e.g.
|
|
103
|
+
* `external-tools.json`, dlx lockfiles).
|
|
92
104
|
*/
|
|
93
105
|
export declare function computeHashes(bytes: Buffer): ComputedHashes;
|
|
94
106
|
/**
|
|
95
|
-
*
|
|
96
|
-
*
|
|
107
|
+
* Compare two hashes for equality, ENCODING-agnostically. Parses both and —
|
|
108
|
+
* only when they share an algorithm — timing-safe compares the digests.
|
|
97
109
|
*
|
|
98
|
-
*
|
|
99
|
-
*
|
|
100
|
-
*
|
|
110
|
+
* Returns false when the algorithms differ. A sha512 and a sha256 are different
|
|
111
|
+
* functions of the same bytes: their digests are unrelated values, so they can
|
|
112
|
+
* never be "equal", and you CANNOT derive or check one against the other
|
|
113
|
+
* without the original bytes. To confirm a sha256 and a sha512 describe the
|
|
114
|
+
* same content, hash the bytes both ways (`computeHashes`) or `verifyHash` the
|
|
115
|
+
* bytes against each — there is no hash-to-hash shortcut across algorithms.
|
|
116
|
+
*
|
|
117
|
+
* What this DOES solve is the cross-ENCODING case that bites string `===`: a
|
|
118
|
+
* sha256 SRI and the same sha256 hex compare equal here.
|
|
101
119
|
*
|
|
102
120
|
* @example
|
|
103
121
|
* ;```typescript
|
|
104
|
-
*
|
|
105
|
-
*
|
|
106
|
-
*
|
|
107
|
-
* integrityToChecksum(
|
|
108
|
-
* '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b',
|
|
109
|
-
* )
|
|
110
|
-
* // '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b' (idempotent)
|
|
122
|
+
* equalHashes('sha256-NiCg…', '3620a0fc…') // true (same digest, SRI vs hex)
|
|
123
|
+
* equalHashes('sha512-…', '3620a0fc…') // false (different algorithms)
|
|
111
124
|
* ```
|
|
112
125
|
*
|
|
126
|
+
* @throws TypeError when either input is not a recognized hash.
|
|
127
|
+
*/
|
|
128
|
+
export declare function equalHashes(a: HashInput, b: HashInput): boolean;
|
|
129
|
+
/**
|
|
130
|
+
* Convert an SRI integrity string to its hex checksum form.
|
|
131
|
+
*
|
|
132
|
+
* @deprecated Prefer `parseHash(x).hex`, which is total across all algorithms.
|
|
133
|
+
* This shim is sha256-only (throws on sha384 / sha512) to preserve its
|
|
134
|
+
* historical "checksums are sha256" contract. Idempotent on hex input.
|
|
135
|
+
*
|
|
113
136
|
* @throws TypeError when the input is neither a recognized SRI nor a hex
|
|
114
137
|
* checksum, or when the input is a non-sha256 SRI.
|
|
115
138
|
*/
|
|
@@ -118,49 +141,75 @@ export declare function integrityToChecksum(input: string): string;
|
|
|
118
141
|
* True when `s` is a sha256 hex checksum (exactly 64 hex chars).
|
|
119
142
|
*/
|
|
120
143
|
export declare function isChecksum(s: string): boolean;
|
|
144
|
+
/**
|
|
145
|
+
* True when `s` is a bare hex digest of a recognized length (sha256 / sha384 /
|
|
146
|
+
* sha512).
|
|
147
|
+
*/
|
|
148
|
+
export declare function isHex(s: string): boolean;
|
|
121
149
|
/**
|
|
122
150
|
* True when `s` is a W3C SRI integrity string: `sha(256|384|512)-<base64>`.
|
|
123
151
|
*/
|
|
124
152
|
export declare function isIntegrity(s: string): boolean;
|
|
153
|
+
/**
|
|
154
|
+
* Build a frozen {@link Hash} from an algorithm and a hex digest. The internal
|
|
155
|
+
* constructor — trusts its inputs (lowercases the hex, computes the SRI view);
|
|
156
|
+
* use {@link parseHash} for untrusted strings, which validates first.
|
|
157
|
+
*/
|
|
158
|
+
export declare function makeHash(algorithm: HashAlgorithm, hex: string): Hash;
|
|
125
159
|
/**
|
|
126
160
|
* Normalize a {@link HashSpec} to its canonical `{ type, value }` form.
|
|
127
161
|
*
|
|
128
|
-
*
|
|
129
|
-
*
|
|
130
|
-
* - Bare string of 64 hex chars → checksum.
|
|
131
|
-
* - Anything else throws TypeError.
|
|
162
|
+
* @deprecated Prefer {@link parseHash}, which returns an algorithm-tagged
|
|
163
|
+
* {@link Hash}. Kept for callers that branch on integrity-vs-checksum type.
|
|
132
164
|
*
|
|
133
165
|
* @throws TypeError if the string is not a recognized format, or if an explicit
|
|
134
166
|
* object's value doesn't match its declared type.
|
|
135
167
|
*/
|
|
136
168
|
export declare function normalizeHash(spec: HashSpec): NormalizedHash;
|
|
137
169
|
/**
|
|
138
|
-
*
|
|
139
|
-
*
|
|
170
|
+
* Parse any {@link HashInput} into a canonical {@link Hash}. The one entry
|
|
171
|
+
* point for untrusted input — validates shape + length, then freezes.
|
|
140
172
|
*
|
|
141
|
-
* @
|
|
142
|
-
*
|
|
143
|
-
*
|
|
144
|
-
*
|
|
145
|
-
*
|
|
173
|
+
* - A {@link Hash} object is re-canonicalized from its `algorithm` + `hex`.
|
|
174
|
+
* - An SRI string carries its algorithm in the prefix (the body length is checked
|
|
175
|
+
* against it).
|
|
176
|
+
* - A bare hex digest infers the algorithm from its length (64 / 96 / 128).
|
|
177
|
+
*
|
|
178
|
+
* @throws TypeError when the input is not a recognized SRI or hex digest, or
|
|
179
|
+
* when an SRI body's length doesn't match its declared algorithm.
|
|
180
|
+
*/
|
|
181
|
+
export declare function parseHash(input: HashInput): Hash;
|
|
182
|
+
/**
|
|
183
|
+
* Split an SRI integrity string into its `{ algorithm, body }` components.
|
|
184
|
+
* `body` is the base64-encoded digest.
|
|
146
185
|
*
|
|
147
186
|
* @throws Error when the input is not a valid SRI integrity string.
|
|
148
187
|
*/
|
|
149
188
|
export declare function parseIntegrity(sri: string): ParsedIntegrity;
|
|
150
189
|
/**
|
|
151
|
-
* Verify
|
|
152
|
-
*
|
|
153
|
-
*
|
|
154
|
-
*
|
|
155
|
-
*
|
|
190
|
+
* Verify `bytes` against an expected hash. Reads the algorithm the expected
|
|
191
|
+
* hash declares, computes only that digest, and compares with
|
|
192
|
+
* `crypto.timingSafeEqual` — so any encoding (hex / SRI / {@link Hash}) and any
|
|
193
|
+
* algorithm (sha256 / sha384 / sha512) verifies without the caller reconciling
|
|
194
|
+
* formats first.
|
|
195
|
+
*
|
|
196
|
+
* @throws HashMismatchError when the recomputed digest doesn't match.
|
|
197
|
+
* @throws TypeError when `expected` is not a recognized hash.
|
|
156
198
|
*/
|
|
157
|
-
export declare function verifyHash(
|
|
199
|
+
export declare function verifyHash(bytes: NodeJS.ArrayBufferView, expected: HashInput): void;
|
|
158
200
|
/**
|
|
159
|
-
* Thrown when an expected hash doesn't match the computed hash of the
|
|
160
|
-
*
|
|
201
|
+
* Thrown when an expected hash doesn't match the computed hash of the verified
|
|
202
|
+
* bytes. Carries both sides (as {@link Hash}) for diagnostics.
|
|
161
203
|
*/
|
|
162
|
-
export declare class
|
|
163
|
-
readonly expected:
|
|
164
|
-
readonly actual:
|
|
165
|
-
constructor(expected:
|
|
204
|
+
export declare class HashMismatchError extends Error {
|
|
205
|
+
readonly expected: Hash;
|
|
206
|
+
readonly actual: Hash;
|
|
207
|
+
constructor(expected: Hash, actual: Hash);
|
|
166
208
|
}
|
|
209
|
+
/**
|
|
210
|
+
* @deprecated Renamed to {@link HashMismatchError}. Alias kept for callers that
|
|
211
|
+
* catch the old name.
|
|
212
|
+
*
|
|
213
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
214
|
+
*/
|
|
215
|
+
export declare const DlxHashMismatchError: typeof HashMismatchError;
|