@socketsecurity/lib 6.0.8 → 6.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (396) hide show
  1. package/CHANGELOG.md +28 -0
  2. package/README.md +8 -9
  3. package/dist/abort/signal.d.ts +1 -1
  4. package/dist/abort/signal.js +1 -1
  5. package/dist/ai/agent-context.d.mts +1 -1
  6. package/dist/ai/agent-context.js +3 -2
  7. package/dist/ai/backends.d.mts +3 -3
  8. package/dist/ai/backends.js +2 -2
  9. package/dist/ai/billing-context.d.mts +74 -0
  10. package/dist/ai/billing-context.js +129 -0
  11. package/dist/ai/credentials.d.mts +39 -5
  12. package/dist/ai/credentials.js +61 -6
  13. package/dist/ai/discover.d.mts +4 -0
  14. package/dist/ai/discover.js +4 -0
  15. package/dist/ai/exec.d.mts +1 -1
  16. package/dist/ai/exec.js +1 -1
  17. package/dist/ai/http.d.mts +8 -8
  18. package/dist/ai/http.js +6 -6
  19. package/dist/ai/profiles.d.mts +9 -10
  20. package/dist/ai/profiles.js +0 -5
  21. package/dist/ai/role.d.mts +58 -0
  22. package/dist/ai/role.js +96 -0
  23. package/dist/ai/route-heuristic.d.mts +177 -0
  24. package/dist/ai/route-heuristic.js +194 -0
  25. package/dist/ai/route.d.mts +31 -17
  26. package/dist/ai/route.js +35 -19
  27. package/dist/ai/spawn.d.mts +34 -1
  28. package/dist/ai/spawn.js +115 -3
  29. package/dist/ai/subagent-status.d.mts +2 -0
  30. package/dist/ai/subagent-status.js +2 -0
  31. package/dist/ai/tier.d.mts +1 -1
  32. package/dist/ai/types.d.mts +19 -2
  33. package/dist/ai/worktree.d.mts +1 -1
  34. package/dist/ai/worktree.js +3 -2
  35. package/dist/argv/parse.d.ts +2 -0
  36. package/dist/argv/parse.js +2 -0
  37. package/dist/bin/_internal.d.ts +1 -1
  38. package/dist/bin/_internal.js +1 -1
  39. package/dist/bin/prim.cjs +19253 -13937
  40. package/dist/bin/resolve.js +1 -1
  41. package/dist/bin/shadow.js +2 -1
  42. package/dist/bin/which.d.ts +28 -3
  43. package/dist/bin/which.js +45 -3
  44. package/dist/cacache/_internal.d.ts +10 -2
  45. package/dist/cacache/_internal.js +6 -10
  46. package/dist/cache/ttl/_internal.d.ts +33 -0
  47. package/dist/cache/ttl/_internal.js +68 -0
  48. package/dist/cache/ttl/browser.d.ts +56 -0
  49. package/dist/cache/ttl/browser.js +257 -0
  50. package/dist/cache/ttl/store.js +11 -34
  51. package/dist/cache/ttl/types.d.ts +46 -3
  52. package/dist/checks/primordials-defaults.d.ts +5 -5
  53. package/dist/checks/primordials-defaults.js +5 -5
  54. package/dist/checks/primordials.d.ts +1 -1
  55. package/dist/checks/primordials.js +25 -17
  56. package/dist/cli/check-primordials.d.ts +6 -1
  57. package/dist/cli/check-primordials.js +14 -5
  58. package/dist/cli/check.js +1 -1
  59. package/dist/cli/socket-lib.d.ts +1 -1
  60. package/dist/cli/socket-lib.js +3 -3
  61. package/dist/colors/socket-palette.d.ts +1 -1
  62. package/dist/compression/brotli.d.ts +6 -2
  63. package/dist/compression/brotli.js +5 -1
  64. package/dist/compression/gzip.d.ts +6 -2
  65. package/dist/compression/gzip.js +7 -2
  66. package/dist/config/layers.d.ts +53 -0
  67. package/dist/config/layers.js +83 -0
  68. package/dist/constants/agents.d.ts +3 -0
  69. package/dist/constants/agents.js +3 -0
  70. package/dist/constants/node.d.ts +14 -0
  71. package/dist/constants/node.js +14 -0
  72. package/dist/constants/package-default-node-range.js +1 -5
  73. package/dist/constants/packages.d.ts +5 -0
  74. package/dist/constants/packages.js +5 -0
  75. package/dist/constants/platform.d.ts +1 -1
  76. package/dist/constants/platform.js +1 -1
  77. package/dist/constants/socket.js +1 -1
  78. package/dist/constants/typescript.d.ts +5 -0
  79. package/dist/constants/typescript.js +5 -0
  80. package/dist/debug/_internal.d.ts +22 -7
  81. package/dist/debug/_internal.js +33 -15
  82. package/dist/debug/caller-info.js +1 -1
  83. package/dist/debug/namespace.js +11 -8
  84. package/dist/debug/output.d.ts +12 -1
  85. package/dist/debug/output.js +33 -16
  86. package/dist/dlx/binary-cache.js +1 -1
  87. package/dist/dlx/binary-resolution.js +8 -5
  88. package/dist/dlx/firewall.js +1 -1
  89. package/dist/dlx/lockfile.js +1 -1
  90. package/dist/eco/npm/npm/parse-lockfile.js +3 -2
  91. package/dist/eco/npm/vlt/exec.d.ts +1 -1
  92. package/dist/eco/npm/vlt/exec.js +1 -1
  93. package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +1 -1
  94. package/dist/env/agents.d.ts +6 -0
  95. package/dist/env/agents.js +29 -0
  96. package/dist/env/flags.d.ts +12 -0
  97. package/dist/env/flags.js +23 -0
  98. package/dist/env/github-status.js +2 -2
  99. package/dist/env/providers.d.ts +6 -0
  100. package/dist/env/providers.js +23 -0
  101. package/dist/env/proxy.js +1 -1
  102. package/dist/env/rewire.d.ts +37 -3
  103. package/dist/env/rewire.js +60 -29
  104. package/dist/env/runtimes.d.ts +9 -0
  105. package/dist/env/runtimes.js +53 -0
  106. package/dist/env/socket-cli.d.ts +5 -2
  107. package/dist/env/socket-cli.js +6 -3
  108. package/dist/env/xdg.d.ts +17 -0
  109. package/dist/env/xdg.js +21 -1
  110. package/dist/errors/predicates.d.ts +3 -2
  111. package/dist/errors/predicates.js +5 -3
  112. package/dist/events/exit/_internal.d.ts +1 -23
  113. package/dist/external/@npmcli/package-json.js +3570 -4905
  114. package/dist/external/@npmcli/promise-spawn.js +2 -2
  115. package/dist/external/@sinclair/typebox/value.js +5 -4
  116. package/dist/external/@socketregistry/yocto-spinner.js +3 -3
  117. package/dist/external/@yarnpkg/extensions.js +1 -1
  118. package/dist/external/adm-zip.d.ts +82 -0
  119. package/dist/external/adm-zip.js +2 -2
  120. package/dist/external/cacache.d.ts +87 -0
  121. package/dist/external/debug.d.ts +22 -0
  122. package/dist/external/debug.js +11 -4
  123. package/dist/external/del.d.ts +1 -0
  124. package/dist/external/external-pack.d.ts +12 -0
  125. package/dist/external/external-pack.js +42 -35
  126. package/dist/external/fast-glob.d.ts +8 -0
  127. package/dist/external/fast-sort.d.ts +1 -0
  128. package/dist/external/get-east-asian-width.d.ts +5 -0
  129. package/dist/external/get-east-asian-width.js +8 -1
  130. package/dist/external/has-flag.d.ts +1 -0
  131. package/dist/external/inquirer-pack.d.ts +18 -0
  132. package/dist/external/libnpmexec.d.ts +35 -0
  133. package/dist/external/libnpmpack.d.ts +1 -0
  134. package/dist/external/make-fetch-happen.d.ts +13 -0
  135. package/dist/external/normalize-package-data.d.ts +4 -0
  136. package/dist/external/npm-core.d.ts +14 -0
  137. package/dist/external/npm-pack.d.ts +24 -0
  138. package/dist/external/npm-pack.js +28934 -31885
  139. package/dist/external/npm-package-arg.d.ts +4 -0
  140. package/dist/external/p-map.js +8 -1
  141. package/dist/external/pacote.d.ts +15 -0
  142. package/dist/external/pico-pack.d.ts +16 -0
  143. package/dist/external/pico-pack.js +38 -23
  144. package/dist/external/picomatch.d.ts +96 -0
  145. package/dist/external/pony-cause.d.ts +14 -0
  146. package/dist/external/semver.d.ts +60 -0
  147. package/dist/external/semver.js +1459 -4
  148. package/dist/external/shell-quote.d.ts +51 -0
  149. package/dist/external/shell-quote.js +55 -15
  150. package/dist/external/signal-exit.d.ts +1 -0
  151. package/dist/external/spdx-correct.d.ts +4 -0
  152. package/dist/external/spdx-expression-parse.d.ts +4 -0
  153. package/dist/external/spdx-pack.d.ts +10 -0
  154. package/dist/external/std-env.d.ts +284 -0
  155. package/dist/external/std-env.js +323 -0
  156. package/dist/external/streaming-iterables.d.ts +11 -0
  157. package/dist/external/supports-color.d.ts +1 -0
  158. package/dist/external/tar-fs.d.ts +31 -0
  159. package/dist/external/tar-fs.js +63 -16
  160. package/dist/external/validate-npm-package-name.d.ts +4 -0
  161. package/dist/external/which.d.ts +25 -0
  162. package/dist/external/which.js +2 -2
  163. package/dist/external/yargs-parser.d.ts +2 -0
  164. package/dist/external/yargs-parser.js +11 -3
  165. package/dist/external/yoctocolors-cjs.d.ts +51 -0
  166. package/dist/external-tools/bazel/asset-names.d.ts +1 -1
  167. package/dist/external-tools/bazel/from-download.d.ts +1 -1
  168. package/dist/external-tools/bazel/resolve.d.ts +3 -0
  169. package/dist/external-tools/bazel/resolve.js +3 -0
  170. package/dist/external-tools/cdxgen/asset-names.d.ts +5 -5
  171. package/dist/external-tools/cdxgen/asset-names.js +3 -3
  172. package/dist/external-tools/cdxgen/from-download.d.ts +2 -2
  173. package/dist/external-tools/cdxgen/from-download.js +1 -1
  174. package/dist/external-tools/cdxgen/resolve.d.ts +4 -1
  175. package/dist/external-tools/cdxgen/resolve.js +4 -1
  176. package/dist/external-tools/cdxgen/types.d.ts +1 -1
  177. package/dist/external-tools/from-download.d.ts +2 -2
  178. package/dist/external-tools/from-download.js +1 -1
  179. package/dist/external-tools/janus/asset-names.d.ts +4 -1
  180. package/dist/external-tools/janus/asset-names.js +3 -0
  181. package/dist/external-tools/janus/from-download.d.ts +3 -3
  182. package/dist/external-tools/janus/from-download.js +2 -2
  183. package/dist/external-tools/janus/resolve.d.ts +3 -0
  184. package/dist/external-tools/janus/resolve.js +3 -0
  185. package/dist/external-tools/jre/asset-names.d.ts +3 -1
  186. package/dist/external-tools/jre/asset-names.js +2 -0
  187. package/dist/external-tools/jre/detect-platform-arch.js +1 -1
  188. package/dist/external-tools/jre/from-download.d.ts +1 -1
  189. package/dist/external-tools/manifest.d.ts +5 -3
  190. package/dist/external-tools/manifest.js +5 -3
  191. package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
  192. package/dist/external-tools/opengrep/resolve.d.ts +3 -0
  193. package/dist/external-tools/opengrep/resolve.js +3 -0
  194. package/dist/external-tools/python/asset-names.d.ts +3 -1
  195. package/dist/external-tools/python/asset-names.js +8 -4
  196. package/dist/external-tools/python/pin.js +3 -1
  197. package/dist/external-tools/python/resolve.d.ts +3 -0
  198. package/dist/external-tools/python/resolve.js +3 -0
  199. package/dist/external-tools/python/uv-install.d.ts +89 -0
  200. package/dist/external-tools/python/uv-install.js +165 -0
  201. package/dist/external-tools/sbt/resolve.d.ts +3 -0
  202. package/dist/external-tools/sbt/resolve.js +3 -0
  203. package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
  204. package/dist/external-tools/skillspector/from-uv.js +56 -0
  205. package/dist/external-tools/skillspector/resolve.d.ts +18 -3
  206. package/dist/external-tools/skillspector/resolve.js +21 -8
  207. package/dist/external-tools/skillspector/types.d.ts +3 -1
  208. package/dist/external-tools/synp/resolve.d.ts +3 -0
  209. package/dist/external-tools/synp/resolve.js +3 -0
  210. package/dist/external-tools/trivy/asset-names.d.ts +1 -1
  211. package/dist/external-tools/trivy/resolve.d.ts +3 -0
  212. package/dist/external-tools/trivy/resolve.js +3 -0
  213. package/dist/external-tools/trufflehog/asset-names.d.ts +4 -1
  214. package/dist/external-tools/trufflehog/asset-names.js +3 -0
  215. package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
  216. package/dist/external-tools/trufflehog/resolve.d.ts +3 -0
  217. package/dist/external-tools/trufflehog/resolve.js +3 -0
  218. package/dist/external-tools/uv/asset-names.d.ts +36 -0
  219. package/dist/external-tools/uv/asset-names.js +73 -0
  220. package/dist/external-tools/uv/from-download.d.ts +17 -0
  221. package/dist/external-tools/uv/from-download.js +50 -0
  222. package/dist/external-tools/uv/from-path.d.ts +5 -0
  223. package/dist/external-tools/uv/from-path.js +22 -0
  224. package/dist/external-tools/uv/from-vfs.d.ts +7 -0
  225. package/dist/external-tools/uv/from-vfs.js +26 -0
  226. package/dist/external-tools/uv/resolve.d.ts +28 -0
  227. package/dist/external-tools/uv/resolve.js +64 -0
  228. package/dist/external-tools/uv/types.d.ts +24 -0
  229. package/dist/external-tools/uv/types.js +2 -0
  230. package/dist/fleet/repo-config.d.ts +55 -0
  231. package/dist/fleet/repo-config.js +81 -0
  232. package/dist/fs/_internal.d.ts +1 -1
  233. package/dist/fs/_internal.js +1 -1
  234. package/dist/fs/access.d.ts +2 -0
  235. package/dist/fs/access.js +2 -0
  236. package/dist/fs/copy.d.ts +88 -0
  237. package/dist/fs/copy.js +89 -0
  238. package/dist/fs/find.js +1 -2
  239. package/dist/fs/inspect.d.ts +2 -2
  240. package/dist/fs/read-file.js +3 -4
  241. package/dist/fs/safe.js +2 -2
  242. package/dist/git/_internal.js +7 -3
  243. package/dist/github/commit.d.ts +92 -0
  244. package/dist/github/commit.js +113 -0
  245. package/dist/github/ghsa.js +1 -1
  246. package/dist/github/refs-graphql.js +1 -1
  247. package/dist/github/refs.js +10 -15
  248. package/dist/github/request.js +1 -1
  249. package/dist/github/token.d.ts +5 -2
  250. package/dist/github/token.js +6 -4
  251. package/dist/github/workflow-runs.d.ts +107 -0
  252. package/dist/github/workflow-runs.js +98 -0
  253. package/dist/globs/_internal.js +1 -1
  254. package/dist/http-request/_internal.d.ts +1 -1
  255. package/dist/http-request/browser.d.ts +6 -0
  256. package/dist/http-request/browser.js +4 -3
  257. package/dist/http-request/checksum-file.js +1 -1
  258. package/dist/http-request/download.js +2 -0
  259. package/dist/http-request/headers.d.ts +1 -1
  260. package/dist/http-request/headers.js +2 -2
  261. package/dist/http-request/request-attempt.js +6 -3
  262. package/dist/http-request/request-types.d.ts +10 -1
  263. package/dist/http-request/request.js +2 -2
  264. package/dist/http-request/user-agent.d.ts +23 -2
  265. package/dist/http-request/user-agent.js +48 -6
  266. package/dist/integrity.d.ts +127 -78
  267. package/dist/integrity.js +170 -84
  268. package/dist/json/format.js +4 -1
  269. package/dist/logger/_internal.d.ts +13 -15
  270. package/dist/logger/_internal.js +21 -21
  271. package/dist/logger/colors.d.ts +10 -5
  272. package/dist/logger/colors.js +7 -14
  273. package/dist/logger/console-methods.js +2 -2
  274. package/dist/logger/console.d.ts +1 -0
  275. package/dist/logger/console.js +9 -9
  276. package/dist/logger/node.js +2 -1
  277. package/dist/logger/symbols-builder.js +7 -8
  278. package/dist/logger/symbols.js +8 -8
  279. package/dist/native-messaging/install.js +1 -1
  280. package/dist/native-messaging/rate-limit.d.ts +4 -1
  281. package/dist/native-messaging/rate-limit.js +4 -1
  282. package/dist/node/events.d.ts +3 -0
  283. package/dist/node/events.js +3 -0
  284. package/dist/node/fs.d.ts +1 -1
  285. package/dist/node/module.d.ts +73 -2
  286. package/dist/node/module.js +97 -12
  287. package/dist/node/timers-promises.d.ts +3 -0
  288. package/dist/node/timers-promises.js +3 -0
  289. package/dist/node/url.d.ts +3 -0
  290. package/dist/node/url.js +3 -0
  291. package/dist/npm/meta-cache.d.ts +183 -0
  292. package/dist/npm/meta-cache.js +318 -0
  293. package/dist/npm/meta-slice.d.ts +27 -0
  294. package/dist/npm/meta-slice.js +68 -0
  295. package/dist/npm/meta-types.d.ts +282 -0
  296. package/dist/npm/meta-types.js +2 -0
  297. package/dist/npm/meta.d.ts +125 -0
  298. package/dist/npm/meta.js +347 -0
  299. package/dist/npm/registry.d.ts +212 -0
  300. package/dist/npm/registry.js +284 -0
  301. package/dist/objects/getters.d.ts +1 -1
  302. package/dist/objects/getters.js +1 -1
  303. package/dist/objects/predicates.js +1 -1
  304. package/dist/packages/exports.js +2 -2
  305. package/dist/packages/isolation.js +1 -1
  306. package/dist/packages/manifest.d.ts +29 -0
  307. package/dist/packages/manifest.js +44 -9
  308. package/dist/packages/metadata-extensions.js +2 -4
  309. package/dist/packages/normalize.js +1 -1
  310. package/dist/packages/provenance.d.ts +8 -0
  311. package/dist/packages/provenance.js +10 -2
  312. package/dist/packages/specs.js +1 -1
  313. package/dist/packages/tarball.js +1 -2
  314. package/dist/packages/validation.d.ts +0 -10
  315. package/dist/packages/validation.js +0 -14
  316. package/dist/paths/_internal.d.ts +1 -7
  317. package/dist/paths/_internal.js +9 -15
  318. package/dist/paths/conversion.js +1 -1
  319. package/dist/paths/exts.d.ts +30 -0
  320. package/dist/paths/exts.js +30 -0
  321. package/dist/paths/filenames.d.ts +6 -0
  322. package/dist/paths/filenames.js +6 -0
  323. package/dist/paths/globs.d.ts +6 -0
  324. package/dist/paths/globs.js +6 -0
  325. package/dist/paths/normalize.js +1 -1
  326. package/dist/paths/predicates.js +2 -1
  327. package/dist/paths/resolve.js +19 -14
  328. package/dist/paths/socket.d.ts +81 -30
  329. package/dist/paths/socket.js +102 -28
  330. package/dist/perf/metrics.js +1 -1
  331. package/dist/perf/report.js +5 -3
  332. package/dist/pkg-ext/data.js +0 -2
  333. package/dist/primordials/globals.d.ts +1 -1
  334. package/dist/primordials/globals.js +1 -1
  335. package/dist/primordials/headers.d.ts +13 -1
  336. package/dist/primordials/headers.js +13 -1
  337. package/dist/primordials/process.d.ts +1 -1
  338. package/dist/primordials/process.js +1 -1
  339. package/dist/primordials/url.d.ts +18 -0
  340. package/dist/primordials/url.js +18 -0
  341. package/dist/process/spawn/child.js +3 -5
  342. package/dist/promises/_internal.d.ts +1 -1
  343. package/dist/promises/_internal.js +1 -2
  344. package/dist/promises/options.js +3 -3
  345. package/dist/regexps/spec.js +1 -1
  346. package/dist/releases/socket-btm-binary-naming.js +12 -1
  347. package/dist/schema/validate.js +1 -1
  348. package/dist/secrets/_internal.d.ts +1 -1
  349. package/dist/secrets/_internal.js +1 -1
  350. package/dist/secrets/broker.d.ts +35 -0
  351. package/dist/secrets/broker.js +72 -0
  352. package/dist/secrets/find.d.ts +8 -6
  353. package/dist/secrets/find.js +17 -3
  354. package/dist/secrets/keychain.d.ts +10 -1
  355. package/dist/secrets/keychain.js +10 -1
  356. package/dist/secrets/rc.js +1 -1
  357. package/dist/secrets/socket-api-token.d.ts +1 -1
  358. package/dist/secrets/socket-api-token.js +1 -1
  359. package/dist/secrets/types.d.ts +1 -1
  360. package/dist/smol/detect.js +1 -1
  361. package/dist/smol/http.d.ts +2 -0
  362. package/dist/smol/http.js +3 -1
  363. package/dist/smol/https.d.ts +2 -0
  364. package/dist/smol/https.js +3 -1
  365. package/dist/smol/manifest.js +1 -1
  366. package/dist/smol/path.js +1 -1
  367. package/dist/smol/primordial.js +1 -1
  368. package/dist/smol/purl.js +1 -1
  369. package/dist/smol/versions.js +1 -1
  370. package/dist/smol/vfs.js +1 -1
  371. package/dist/sorts/_internal.d.ts +2 -4
  372. package/dist/sorts/_internal.js +1 -7
  373. package/dist/sorts/semver.js +2 -2
  374. package/dist/spinner/create-spinner-class.js +1 -1
  375. package/dist/spinner/format.js +2 -4
  376. package/dist/stdio/footer.js +8 -7
  377. package/dist/stdio/progress.js +1 -1
  378. package/dist/stdio/prompts.d.ts +8 -23
  379. package/dist/stdio/prompts.js +28 -52
  380. package/dist/strings/format.js +1 -1
  381. package/dist/strings/predicates.d.ts +2 -2
  382. package/dist/strings/search.js +2 -2
  383. package/dist/strings/types.d.ts +4 -0
  384. package/dist/strings/width.d.ts +1 -0
  385. package/dist/strings/width.js +17 -8
  386. package/dist/themes/context.d.ts +18 -3
  387. package/dist/themes/context.js +28 -14
  388. package/dist/versions/_internal.d.ts +43 -13
  389. package/dist/versions/_internal.js +27 -15
  390. package/dist/versions/compare.d.ts +16 -10
  391. package/dist/versions/compare.js +36 -16
  392. package/dist/versions/parse.js +1 -1
  393. package/dist/versions/range.js +3 -2
  394. package/dist/words/pluralize.js +4 -1
  395. package/llms.txt +63 -0
  396. package/package.json +271 -40
@@ -0,0 +1,2 @@
1
+ "use strict";
2
+ /* Socket Lib - Built with rolldown */
@@ -0,0 +1,125 @@
1
+ /**
2
+ * @file Cached, batch-capable npm registry metadata client — the Socket-wide
3
+ * replacement for ad-hoc packument fetchers. Sibling of `./registry` (pure
4
+ * parsers + injectable HTTP): this module owns caching (`./meta-cache`),
5
+ * slimming (`./meta-slice`), and the derived helpers built on top
6
+ * (`getVersions`, `getLatestVersion`, `getPublishDate`,
7
+ * `getVersionTrustInfo`, `getBatch`) plus their `safe*` fail-open variants.
8
+ * Node-only (the cache layer is cacache-backed) — unlike `./registry`, this
9
+ * module is not browser-safe.
10
+ */
11
+ import type { BatchOptions, BatchResult, GetPackumentSlimOptions, GetVersionsOptions, GetVersionsResult, LatestVersionResult, PackumentMetaSlim, VersionTrustInfo } from './meta-types';
12
+ export { buildMetaCacheKey, createNpmMetaCache, fetchPackumentSlim, getDefaultMetaCache, getPackumentSlim, getStaleMeta, PackumentNotFoundError, rememberStaleMeta, } from './meta-cache';
13
+ export { sliceOneVersion, slicePackument, sliceVersionMeta } from './meta-slice';
14
+ export type { CachedPackumentEntry, CachedPackumentHit, CachedPackumentMiss, ResolvedPackumentFetchOptions, } from './meta-cache';
15
+ export type { BatchOptions, BatchResult, GetPackumentSlimOptions, GetVersionsOptions, GetVersionsResult, LatestVersionResult, NpmMetaHttpAdapter, PackageError, PackumentMetaSlim, PackumentVariant, PackumentVersionMetaSlim, RawNpmUser, RawPackument, RawPackumentVersion, RawVersionDist, VersionTrustInfo, } from './meta-types';
16
+ /**
17
+ * Extract the HTTP status code from a caught error when it came from the
18
+ * `httpJson` adapter (`HttpResponseError`) or a synthesized
19
+ * `PackumentNotFoundError`; `undefined` for anything else (network failure,
20
+ * abort, a custom test-double error).
21
+ */
22
+ export declare function extractHttpStatus(error: unknown): number | undefined;
23
+ /**
24
+ * Fetch `getPackumentSlim` for every name with bounded concurrency, returning
25
+ * an index-preserving array. Every item is attempted regardless of
26
+ * `throwOnError` — nothing is aborted in-flight. A per-item failure becomes a
27
+ * `PackageError` at that index; when `throwOnError` is `true`, once every
28
+ * item has settled the error from the LOWEST-INDEX failed item is thrown —
29
+ * deterministic regardless of settle order.
30
+ */
31
+ export declare function getBatch(names: string[], options?: BatchOptions | undefined): Promise<BatchResult[]>;
32
+ /**
33
+ * Resolve the latest version — `distTags.latest` when no `range` is given, or
34
+ * (when `range` is given) the same dist-tag / exact-version / semver-range
35
+ * resolution `getVersions` uses (`resolveRequestedVersions`), narrowed to a
36
+ * single version. There is no silent fallback to `distTags.latest`: a
37
+ * dist-tag or exact version that doesn't resolve throws (same contract as
38
+ * `getVersions`), and a range matching nothing throws too — an unsatisfiable
39
+ * range must never return a version outside what the caller asked for.
40
+ *
41
+ * @throws {PackumentNotFoundError} When `range` names an exact version or
42
+ * dist-tag that isn't present in the packument, or a semver range that no
43
+ * version satisfies.
44
+ */
45
+ export declare function getLatestVersion(name: string, options?: GetVersionsOptions | undefined): Promise<LatestVersionResult>;
46
+ /**
47
+ * Look up a single version's publish time (ISO string), or `undefined` when
48
+ * the version isn't in the packument.
49
+ */
50
+ export declare function getPublishDate(name: string, version: string, options?: GetPackumentSlimOptions | undefined): Promise<string | undefined>;
51
+ /**
52
+ * Per-version trust signals (forces `variant: 'full'` — `_npmUser` is absent
53
+ * from the abbreviated packument).
54
+ */
55
+ export declare function getVersionTrustInfo(name: string, options?: GetPackumentSlimOptions | undefined): Promise<Record<string, VersionTrustInfo>>;
56
+ /**
57
+ * List versions, optionally filtered by `range` (a semver range, an exact
58
+ * version, or a dist-tag name — see `GetVersionsOptions.range`), an `after`
59
+ * time floor, and/or a `minAgeDays` maturity window. See `GetVersionsOptions`
60
+ * for the `minAgeDays` end-of-UTC-day anchor semantics.
61
+ *
62
+ * @throws {PackumentNotFoundError} When `range` names an exact version or
63
+ * dist-tag that isn't present in the packument.
64
+ */
65
+ export declare function getVersions(name: string, options?: GetVersionsOptions | undefined): Promise<GetVersionsResult>;
66
+ /**
67
+ * `true` when `publishedAt` is at least `minAgeDays` days old, anchored to the
68
+ * END of `publishedAt`'s UTC day (Socket soak-window semantics) — a version
69
+ * published at any point during a UTC day matures at the same wall-clock
70
+ * instant, `minAgeDays` later at 23:59:59.999 UTC. Returns `false` for an
71
+ * unparseable `publishedAt`.
72
+ */
73
+ export declare function isMatured(publishedAt: string, minAgeDays: number, now?: number): boolean;
74
+ /**
75
+ * Resolve `options.range` against a packument's dist-tags / version set.
76
+ * Exported standalone so its resolution order is independently testable. See
77
+ * `GetVersionsOptions.range` for the full priority-order contract (dist-tag →
78
+ * exact version → semver range filter).
79
+ *
80
+ * @throws {PackumentNotFoundError} When `range` names a dist-tag or exact
81
+ * version that isn't present in the packument.
82
+ */
83
+ export declare function resolveRequestedVersions(name: string, meta: PackumentMetaSlim, options: GetVersionsOptions): string[];
84
+ /**
85
+ * Fail-open `getLatestVersion` — `undefined` on any error.
86
+ *
87
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
88
+ */
89
+ export declare function safeGetLatestVersion(name: string, options?: GetVersionsOptions | undefined): Promise<LatestVersionResult | undefined>;
90
+ /**
91
+ * Fail-open `getPackumentSlim` — `undefined` on any error.
92
+ *
93
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
94
+ */
95
+ export declare function safeGetPackumentSlim(name: string, options?: GetPackumentSlimOptions | undefined): Promise<PackumentMetaSlim | undefined>;
96
+ /**
97
+ * Fail-open `getPublishDate` — `undefined` on any error.
98
+ *
99
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
100
+ */
101
+ export declare function safeGetPublishDate(name: string, version: string, options?: GetPackumentSlimOptions | undefined): Promise<string | undefined>;
102
+ /**
103
+ * Fail-open `getVersionTrustInfo` — an empty record on any error.
104
+ *
105
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
106
+ */
107
+ export declare function safeGetVersionTrustInfo(name: string, options?: GetPackumentSlimOptions | undefined): Promise<Record<string, VersionTrustInfo>>;
108
+ /**
109
+ * Fail-open `getVersions` — an empty result on any error.
110
+ *
111
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
112
+ */
113
+ export declare function safeGetVersions(name: string, options?: GetVersionsOptions | undefined): Promise<GetVersionsResult>;
114
+ /**
115
+ * Resolve an `after` filter value to epoch milliseconds. A `number` is used
116
+ * as-is. A string is treated as an epoch ONLY when it is entirely digits
117
+ * (`/^\d+$/`) — never by trying `Number()` first, which would also accept
118
+ * whitespace, exponents, and other numeric-ish forms `Date.parse` should get
119
+ * a chance at instead. Anything not all-digits is parsed via `Date.parse`.
120
+ *
121
+ * @throws {RangeError} When `after` cannot be resolved to a valid epoch —
122
+ * silently skipping the `after` filter on an unparseable value is the exact
123
+ * reference-implementation bug this module exists to avoid.
124
+ */
125
+ export declare function toEpochMs(after: string | number): number;
@@ -0,0 +1,347 @@
1
+ "use strict";
2
+ /* Socket Lib - Built with rolldown */
3
+ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
+ const require_primordials_error = require('../primordials/error.js');
5
+ const require_errors_message = require('../errors/message.js');
6
+ const require_http_request_response_types = require('../http-request/response-types.js');
7
+ const require_promises_iterate = require('../promises/iterate.js');
8
+ const require_npm_meta_slice = require('./meta-slice.js');
9
+ const require_npm_meta_cache = require('./meta-cache.js');
10
+ const require_versions__internal = require('../versions/_internal.js');
11
+
12
+ //#region src/npm/meta.ts
13
+ /**
14
+ * @file Cached, batch-capable npm registry metadata client — the Socket-wide
15
+ * replacement for ad-hoc packument fetchers. Sibling of `./registry` (pure
16
+ * parsers + injectable HTTP): this module owns caching (`./meta-cache`),
17
+ * slimming (`./meta-slice`), and the derived helpers built on top
18
+ * (`getVersions`, `getLatestVersion`, `getPublishDate`,
19
+ * `getVersionTrustInfo`, `getBatch`) plus their `safe*` fail-open variants.
20
+ * Node-only (the cache layer is cacache-backed) — unlike `./registry`, this
21
+ * module is not browser-safe.
22
+ */
23
+ /**
24
+ * Extract the HTTP status code from a caught error when it came from the
25
+ * `httpJson` adapter (`HttpResponseError`) or a synthesized
26
+ * `PackumentNotFoundError`; `undefined` for anything else (network failure,
27
+ * abort, a custom test-double error).
28
+ */
29
+ function extractHttpStatus(error) {
30
+ if (error instanceof require_http_request_response_types.HttpResponseError) return error.response.status;
31
+ if (error instanceof require_npm_meta_cache.PackumentNotFoundError) return error.status;
32
+ }
33
+ /**
34
+ * Fetch `getPackumentSlim` for every name with bounded concurrency, returning
35
+ * an index-preserving array. Every item is attempted regardless of
36
+ * `throwOnError` — nothing is aborted in-flight. A per-item failure becomes a
37
+ * `PackageError` at that index; when `throwOnError` is `true`, once every
38
+ * item has settled the error from the LOWEST-INDEX failed item is thrown —
39
+ * deterministic regardless of settle order.
40
+ */
41
+ async function getBatch(names, options) {
42
+ const opts = {
43
+ __proto__: null,
44
+ concurrency: 8,
45
+ throwOnError: false,
46
+ ...options
47
+ };
48
+ const results = Array.from({ length: names.length });
49
+ const failures = [];
50
+ await require_promises_iterate.pEach(names.map((name, index) => ({
51
+ index,
52
+ name
53
+ })), async (item) => {
54
+ try {
55
+ results[item.index] = await require_npm_meta_cache.getPackumentSlim(item.name, opts);
56
+ } catch (e) {
57
+ failures.push({
58
+ error: e,
59
+ index: item.index
60
+ });
61
+ results[item.index] = {
62
+ error: require_errors_message.errorMessage(e),
63
+ name: item.name,
64
+ status: extractHttpStatus(e)
65
+ };
66
+ }
67
+ }, opts.concurrency);
68
+ if (opts.throwOnError && failures.length > 0) {
69
+ let lowest = failures[0];
70
+ for (let i = 0, { length } = failures; i < length; i += 1) {
71
+ const failure = failures[i];
72
+ if (failure.index < lowest.index) lowest = failure;
73
+ }
74
+ throw lowest.error;
75
+ }
76
+ return results;
77
+ }
78
+ /**
79
+ * Resolve the latest version — `distTags.latest` when no `range` is given, or
80
+ * (when `range` is given) the same dist-tag / exact-version / semver-range
81
+ * resolution `getVersions` uses (`resolveRequestedVersions`), narrowed to a
82
+ * single version. There is no silent fallback to `distTags.latest`: a
83
+ * dist-tag or exact version that doesn't resolve throws (same contract as
84
+ * `getVersions`), and a range matching nothing throws too — an unsatisfiable
85
+ * range must never return a version outside what the caller asked for.
86
+ *
87
+ * @throws {PackumentNotFoundError} When `range` names an exact version or
88
+ * dist-tag that isn't present in the packument, or a semver range that no
89
+ * version satisfies.
90
+ */
91
+ async function getLatestVersion(name, options) {
92
+ const opts = {
93
+ __proto__: null,
94
+ ...options
95
+ };
96
+ const meta = await require_npm_meta_cache.getPackumentSlim(name, opts);
97
+ if (!opts.range) {
98
+ const version = meta.distTags["latest"] ?? "";
99
+ return {
100
+ distTags: meta.distTags,
101
+ publishedAt: meta.versions[version]?.time || void 0,
102
+ version
103
+ };
104
+ }
105
+ const candidates = resolveRequestedVersions(name, meta, opts);
106
+ const version = require_versions__internal.getSemver().maxSatisfying(candidates, "*", {
107
+ includePrerelease: true,
108
+ loose: !!opts.loose
109
+ });
110
+ if (!version) throw new require_npm_meta_cache.PackumentNotFoundError(name, 404, `getLatestVersion: no version of "${name}" satisfies "${opts.range}".`);
111
+ return {
112
+ distTags: meta.distTags,
113
+ publishedAt: meta.versions[version]?.time || void 0,
114
+ version
115
+ };
116
+ }
117
+ /**
118
+ * Look up a single version's publish time (ISO string), or `undefined` when
119
+ * the version isn't in the packument.
120
+ */
121
+ async function getPublishDate(name, version, options) {
122
+ return (await require_npm_meta_cache.getPackumentSlim(name, options)).versions[version]?.time || void 0;
123
+ }
124
+ /**
125
+ * Per-version trust signals (forces `variant: 'full'` — `_npmUser` is absent
126
+ * from the abbreviated packument).
127
+ */
128
+ async function getVersionTrustInfo(name, options) {
129
+ const meta = await require_npm_meta_cache.getPackumentSlim(name, {
130
+ __proto__: null,
131
+ ...options,
132
+ variant: "full"
133
+ });
134
+ const result = {};
135
+ const versions = Object.keys(meta.versions);
136
+ for (let i = 0, { length } = versions; i < length; i += 1) {
137
+ const version = versions[i];
138
+ const entry = meta.versions[version];
139
+ result[version] = {
140
+ approver: entry.staged,
141
+ attestations: entry.attestations,
142
+ integrity: entry.integrity,
143
+ shasum: entry.shasum,
144
+ trustedPublisher: entry.trustedPublisher
145
+ };
146
+ }
147
+ return result;
148
+ }
149
+ /**
150
+ * List versions, optionally filtered by `range` (a semver range, an exact
151
+ * version, or a dist-tag name — see `GetVersionsOptions.range`), an `after`
152
+ * time floor, and/or a `minAgeDays` maturity window. See `GetVersionsOptions`
153
+ * for the `minAgeDays` end-of-UTC-day anchor semantics.
154
+ *
155
+ * @throws {PackumentNotFoundError} When `range` names an exact version or
156
+ * dist-tag that isn't present in the packument.
157
+ */
158
+ async function getVersions(name, options) {
159
+ const opts = {
160
+ __proto__: null,
161
+ ...options
162
+ };
163
+ const meta = await require_npm_meta_cache.getPackumentSlim(name, opts);
164
+ const time = {};
165
+ const versionKeys = Object.keys(meta.versions);
166
+ for (let i = 0, { length } = versionKeys; i < length; i += 1) {
167
+ const version = versionKeys[i];
168
+ time[version] = meta.versions[version].time;
169
+ }
170
+ let versions = resolveRequestedVersions(name, meta, opts);
171
+ if (opts.after !== void 0) {
172
+ const floorMs = toEpochMs(opts.after);
173
+ versions = versions.filter((v) => {
174
+ const publishedAt = time[v];
175
+ return !!publishedAt && Date.parse(publishedAt) >= floorMs;
176
+ });
177
+ }
178
+ if (opts.minAgeDays !== void 0) {
179
+ const minAgeDays = opts.minAgeDays;
180
+ const now = Date.now();
181
+ versions = versions.filter((v) => {
182
+ const publishedAt = time[v];
183
+ return !!publishedAt && isMatured(publishedAt, minAgeDays, now);
184
+ });
185
+ }
186
+ return {
187
+ distTags: meta.distTags,
188
+ time,
189
+ versions
190
+ };
191
+ }
192
+ /**
193
+ * `true` when `publishedAt` is at least `minAgeDays` days old, anchored to the
194
+ * END of `publishedAt`'s UTC day (Socket soak-window semantics) — a version
195
+ * published at any point during a UTC day matures at the same wall-clock
196
+ * instant, `minAgeDays` later at 23:59:59.999 UTC. Returns `false` for an
197
+ * unparseable `publishedAt`.
198
+ */
199
+ function isMatured(publishedAt, minAgeDays, now = Date.now()) {
200
+ const publishedMs = Date.parse(publishedAt);
201
+ if (Number.isNaN(publishedMs)) return false;
202
+ const published = new Date(publishedMs);
203
+ return now >= Date.UTC(published.getUTCFullYear(), published.getUTCMonth(), published.getUTCDate(), 23, 59, 59, 999) + minAgeDays * 24 * 60 * 60 * 1e3;
204
+ }
205
+ /**
206
+ * Resolve `options.range` against a packument's dist-tags / version set.
207
+ * Exported standalone so its resolution order is independently testable. See
208
+ * `GetVersionsOptions.range` for the full priority-order contract (dist-tag →
209
+ * exact version → semver range filter).
210
+ *
211
+ * @throws {PackumentNotFoundError} When `range` names a dist-tag or exact
212
+ * version that isn't present in the packument.
213
+ */
214
+ function resolveRequestedVersions(name, meta, options) {
215
+ const opts = {
216
+ __proto__: null,
217
+ ...options
218
+ };
219
+ const allVersions = Object.keys(meta.versions);
220
+ const { range } = opts;
221
+ if (!range) return allVersions;
222
+ if (Object.hasOwn(meta.distTags, range)) {
223
+ const tagged = meta.distTags[range];
224
+ if (!Object.hasOwn(meta.versions, tagged)) throw new require_npm_meta_cache.PackumentNotFoundError(name, 404, `getVersions: dist-tag "${range}" on "${name}" points to version "${tagged}", which is not in the packument.`);
225
+ return [tagged];
226
+ }
227
+ const semver = require_versions__internal.getSemver();
228
+ const normalized = semver.valid(range, { loose: !!opts.loose });
229
+ if (normalized) {
230
+ const resolvedVersion = Object.hasOwn(meta.versions, normalized) ? normalized : range;
231
+ if (!Object.hasOwn(meta.versions, resolvedVersion)) throw new require_npm_meta_cache.PackumentNotFoundError(name, 404, `getVersions: version "${range}" not found for "${name}".`);
232
+ return [resolvedVersion];
233
+ }
234
+ const semverOptions = {
235
+ includePrerelease: !!opts.includePrerelease,
236
+ loose: !!opts.loose
237
+ };
238
+ return allVersions.filter((v) => semver.satisfies(v, range, semverOptions));
239
+ }
240
+ /**
241
+ * Fail-open `getLatestVersion` — `undefined` on any error.
242
+ *
243
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
244
+ */
245
+ async function safeGetLatestVersion(name, options) {
246
+ try {
247
+ return await getLatestVersion(name, options);
248
+ } catch {
249
+ return;
250
+ }
251
+ }
252
+ /**
253
+ * Fail-open `getPackumentSlim` — `undefined` on any error.
254
+ *
255
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
256
+ */
257
+ async function safeGetPackumentSlim(name, options) {
258
+ try {
259
+ return await require_npm_meta_cache.getPackumentSlim(name, options);
260
+ } catch {
261
+ return;
262
+ }
263
+ }
264
+ /**
265
+ * Fail-open `getPublishDate` — `undefined` on any error.
266
+ *
267
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
268
+ */
269
+ async function safeGetPublishDate(name, version, options) {
270
+ try {
271
+ return await getPublishDate(name, version, options);
272
+ } catch {
273
+ return;
274
+ }
275
+ }
276
+ /**
277
+ * Fail-open `getVersionTrustInfo` — an empty record on any error.
278
+ *
279
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
280
+ */
281
+ async function safeGetVersionTrustInfo(name, options) {
282
+ try {
283
+ return await getVersionTrustInfo(name, options);
284
+ } catch {
285
+ return {};
286
+ }
287
+ }
288
+ /**
289
+ * Fail-open `getVersions` — an empty result on any error.
290
+ *
291
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
292
+ */
293
+ async function safeGetVersions(name, options) {
294
+ try {
295
+ return await getVersions(name, options);
296
+ } catch {
297
+ return {
298
+ distTags: {},
299
+ time: {},
300
+ versions: []
301
+ };
302
+ }
303
+ }
304
+ const ALL_DIGITS_RE = /^\d+$/;
305
+ /**
306
+ * Resolve an `after` filter value to epoch milliseconds. A `number` is used
307
+ * as-is. A string is treated as an epoch ONLY when it is entirely digits
308
+ * (`/^\d+$/`) — never by trying `Number()` first, which would also accept
309
+ * whitespace, exponents, and other numeric-ish forms `Date.parse` should get
310
+ * a chance at instead. Anything not all-digits is parsed via `Date.parse`.
311
+ *
312
+ * @throws {RangeError} When `after` cannot be resolved to a valid epoch —
313
+ * silently skipping the `after` filter on an unparseable value is the exact
314
+ * reference-implementation bug this module exists to avoid.
315
+ */
316
+ function toEpochMs(after) {
317
+ const epochMs = typeof after === "number" ? after : ALL_DIGITS_RE.test(after) ? Number(after) : Date.parse(after);
318
+ if (Number.isNaN(epochMs)) throw new require_primordials_error.RangeErrorCtor(`toEpochMs: "${after}" is not a valid ISO 8601 date string or numeric epoch`);
319
+ return epochMs;
320
+ }
321
+
322
+ //#endregion
323
+ exports.PackumentNotFoundError = require_npm_meta_cache.PackumentNotFoundError;
324
+ exports.buildMetaCacheKey = require_npm_meta_cache.buildMetaCacheKey;
325
+ exports.createNpmMetaCache = require_npm_meta_cache.createNpmMetaCache;
326
+ exports.extractHttpStatus = extractHttpStatus;
327
+ exports.fetchPackumentSlim = require_npm_meta_cache.fetchPackumentSlim;
328
+ exports.getBatch = getBatch;
329
+ exports.getDefaultMetaCache = require_npm_meta_cache.getDefaultMetaCache;
330
+ exports.getLatestVersion = getLatestVersion;
331
+ exports.getPackumentSlim = require_npm_meta_cache.getPackumentSlim;
332
+ exports.getPublishDate = getPublishDate;
333
+ exports.getStaleMeta = require_npm_meta_cache.getStaleMeta;
334
+ exports.getVersionTrustInfo = getVersionTrustInfo;
335
+ exports.getVersions = getVersions;
336
+ exports.isMatured = isMatured;
337
+ exports.rememberStaleMeta = require_npm_meta_cache.rememberStaleMeta;
338
+ exports.resolveRequestedVersions = resolveRequestedVersions;
339
+ exports.safeGetLatestVersion = safeGetLatestVersion;
340
+ exports.safeGetPackumentSlim = safeGetPackumentSlim;
341
+ exports.safeGetPublishDate = safeGetPublishDate;
342
+ exports.safeGetVersionTrustInfo = safeGetVersionTrustInfo;
343
+ exports.safeGetVersions = safeGetVersions;
344
+ exports.sliceOneVersion = require_npm_meta_slice.sliceOneVersion;
345
+ exports.slicePackument = require_npm_meta_slice.slicePackument;
346
+ exports.sliceVersionMeta = require_npm_meta_slice.sliceVersionMeta;
347
+ exports.toEpochMs = toEpochMs;
@@ -0,0 +1,212 @@
1
+ /**
2
+ * @file Browser-safe npm registry client — pure parsers + injectable-fetch
3
+ * shell. Safe for Chrome MV3 service workers, content scripts, and any
4
+ * environment without `node:*` builtins. The HTTP adapter is injected by the
5
+ * caller (`{ http: { json } }`) so Node callers pass `httpJson` from
6
+ * `@socketsecurity/lib/http-request` and browser callers pass `httpJson` from
7
+ * `@socketsecurity/lib/http-request/browser`. No network dependency at module
8
+ * load time.
9
+ *
10
+ * ## Endpoints covered
11
+ *
12
+ * - Packument: `registry.npmjs.org/<pkg>`
13
+ * - Version manifest (package.json):
14
+ * `cdn.jsdelivr.net/npm/<pkg>@<ver>/package.json`
15
+ * - Weekly downloads: `api.npmjs.org/downloads/point/last-week/<pkg>`
16
+ * - Attestation bundle: `registry.npmjs.org/-/npm/v1/attestations/<pkg>@<ver>`
17
+ * - Org packages: `registry.npmjs.org/-/org/<org>/package`
18
+ *
19
+ * ## URL encoding
20
+ *
21
+ * Registry endpoints (`registry.npmjs.org`, `api.npmjs.org`): scoped names
22
+ * encode to `@scope%2Fname` (one `encodeURIComponent` call that encodes the
23
+ * slash, then `%40` is restored to `@`).
24
+ * CDN endpoint (`cdn.jsdelivr.net`): scope and name are encoded separately,
25
+ * preserving the literal `/` between them. A prior extension bug sent
26
+ * `@scope%2Fname` to the CDN which returned 400; the fix is this split-encode
27
+ * path.
28
+ *
29
+ * ## Trusted Publisher detection
30
+ *
31
+ * From the packument alone, only `!!dist.attestations` is detectable —
32
+ * proving provenance was signed but not identifying which repo or workflow is
33
+ * configured as the TP. To get repo + workflow call `getAttestations()` then
34
+ * `parseProvenancePredicate()` to parse the SLSA
35
+ * `externalParameters.workflow` field. The npm access page
36
+ * (`/package/<name>/access`) is session-only HTML and is out of scope for
37
+ * this public client.
38
+ */
39
+ /**
40
+ * Injectable HTTP adapter. Pass `httpJson` from
41
+ * `@socketsecurity/lib/http-request` (Node) or
42
+ * `@socketsecurity/lib/http-request/browser` (browser / extension).
43
+ */
44
+ export interface NpmHttpOptions {
45
+ http: {
46
+ json<T>(url: string): Promise<T>;
47
+ };
48
+ }
49
+ export interface AttestationBundleEntry {
50
+ predicateType?: string | undefined;
51
+ bundle?: unknown | undefined;
52
+ }
53
+ export interface AttestationBundle {
54
+ attestations?: AttestationBundleEntry[] | undefined;
55
+ }
56
+ export interface DownloadsRecord {
57
+ downloads: number;
58
+ package: string;
59
+ }
60
+ export interface OrgPackagesRecord {
61
+ [packageName: string]: string;
62
+ }
63
+ export interface PackumentVersionDist {
64
+ attestations?: {
65
+ url?: string | undefined;
66
+ } | undefined;
67
+ tarball?: string | undefined;
68
+ }
69
+ export interface PackumentVersion {
70
+ deprecated?: string | undefined;
71
+ dist?: PackumentVersionDist | undefined;
72
+ [field: string]: unknown;
73
+ }
74
+ export interface PackumentRecord {
75
+ 'dist-tags': Record<string, string>;
76
+ distTags: Record<string, string>;
77
+ name: string;
78
+ time?: Record<string, string> | undefined;
79
+ versions: Record<string, PackumentVersion>;
80
+ }
81
+ export interface ProvenancePredicate {
82
+ buildDefinition?: {
83
+ externalParameters?: {
84
+ workflow?: {
85
+ path?: string | undefined;
86
+ ref?: string | undefined;
87
+ repository?: string | undefined;
88
+ } | undefined;
89
+ } | undefined;
90
+ } | undefined;
91
+ runDetails?: {
92
+ builder?: {
93
+ id?: string | undefined;
94
+ } | undefined;
95
+ } | undefined;
96
+ }
97
+ /**
98
+ * Result of Trusted Publisher detection from a version entry.
99
+ *
100
+ * When `configured` is true, `repo` and `workflow` are populated only if the
101
+ * attestation bundle was fetched and parsed — `detectTrustedPublisher()` alone
102
+ * (from packument data) cannot provide them. Call `getAttestations()` +
103
+ * `parseProvenancePredicate()` to obtain those fields.
104
+ */
105
+ export interface TrustedPublisherResult {
106
+ configured: boolean;
107
+ repo?: string | undefined;
108
+ workflow?: string | undefined;
109
+ }
110
+ /**
111
+ * Build the CDN path `<encoded-name>@<encoded-version>/package.json`.
112
+ * Exposed as a pure function so callers can construct the full URL themselves.
113
+ */
114
+ export declare function buildCdnPath(name: string, version: string): string;
115
+ /**
116
+ * Detect Trusted Publisher configuration from a packument version entry.
117
+ *
118
+ * From the packument alone, only the presence of `dist.attestations` is
119
+ * detectable (`configured: true` means provenance was signed; it does NOT
120
+ * confirm that a TP source is configured on npmjs.com). To get `repo` and
121
+ * `workflow`, fetch the attestation bundle with `getAttestations()` and parse
122
+ * it with `parseProvenancePredicate()`.
123
+ */
124
+ export declare function detectTrustedPublisher(versionEntry: PackumentVersion): TrustedPublisherResult;
125
+ /**
126
+ * Encode a package name for use in registry CDN URLs.
127
+ * Scope and name are encoded individually, preserving the literal `/`.
128
+ * Use this for `cdn.jsdelivr.net` URLs — fixes the `@scope%2Fname` → 400 bug.
129
+ */
130
+ export declare function encodeCdnName(name: string): string;
131
+ /**
132
+ * Encode a package name for use in registry / download-API URLs.
133
+ *
134
+ * Registry form (`cdn: false`, the default): `encodeURIComponent` then restore
135
+ * the leading `@` so `@scope/name` → `@scope%2Fname`.
136
+ *
137
+ * CDN form (`cdn: true`): scope and name are encoded individually so the
138
+ * literal `/` separator is preserved: `@scope/name` → `@scope/name` (each
139
+ * segment encoded separately). This fixes the `@scope%2Fname` → 400 bug on
140
+ * `cdn.jsdelivr.net`.
141
+ *
142
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
143
+ */
144
+ export declare function encodePackageName(name: string, options?: {
145
+ cdn?: boolean | undefined;
146
+ } | undefined): string;
147
+ /**
148
+ * Encode a package name for use in registry / download-API URLs.
149
+ * Applies `encodeURIComponent` then restores `@` so scoped names become
150
+ * `@scope%2Fname`.
151
+ */
152
+ export declare function encodeRegistryName(name: string): string;
153
+ /**
154
+ * Fetch the attestation bundle for a package version from the npm transparency
155
+ * log. Returns `undefined` when no attestations entry is present in the
156
+ * packument (404 is treated as absent rather than an error).
157
+ */
158
+ export declare function getAttestations(name: string, version: string, options: NpmHttpOptions): Promise<AttestationBundle | undefined>;
159
+ /**
160
+ * Fetch the list of packages belonging to an npm org.
161
+ * Returns package names as a string array.
162
+ */
163
+ export declare function getOrgPackages(org: string, options: NpmHttpOptions): Promise<string[]>;
164
+ /**
165
+ * Fetch and parse the full packument for a package.
166
+ */
167
+ export declare function getPackument(name: string, options: NpmHttpOptions): Promise<PackumentRecord>;
168
+ /**
169
+ * Fetch a version's package.json via the jsDelivr CDN.
170
+ *
171
+ * Uses split-encode for scoped names so `cdn.jsdelivr.net` receives the literal
172
+ * `/` between scope and name (not `%2F` which causes 400s).
173
+ *
174
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
175
+ */
176
+ export declare function getVersionManifest(name: string, version: string, options: NpmHttpOptions): Promise<Record<string, unknown>>;
177
+ /**
178
+ * Fetch last-week download counts for a package from the npm downloads API.
179
+ *
180
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
181
+ */
182
+ export declare function getWeeklyDownloads(name: string, options: NpmHttpOptions): Promise<DownloadsRecord>;
183
+ /**
184
+ * Return true when `versionEntry.dist.attestations` is present — indicating a
185
+ * SLSA provenance attestation was produced for this version.
186
+ */
187
+ export declare function hasProvenance(versionEntry: PackumentVersion): boolean;
188
+ /**
189
+ * Return `true` when `version` of `name` is already published to the registry.
190
+ * Authoritative — reads the packument's `versions` map rather than a CDN, so a
191
+ * pre-publish guard never false-negatives on CDN lag (the asymmetric-cost case:
192
+ * a wrong "not published" invites a duplicate-version publish attempt). Returns
193
+ * `false` when the package does not exist or the packument fetch fails.
194
+ *
195
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
196
+ */
197
+ export declare function isVersionPublished(name: string, version: string, options: NpmHttpOptions): Promise<boolean>;
198
+ /**
199
+ * Parse a raw packument JSON response into a typed `PackumentRecord`.
200
+ * Adds the `distTags` alias for `dist-tags` so callers don't need bracket
201
+ * notation. Returns `undefined` when the input is not a valid packument shape.
202
+ */
203
+ export declare function parsePackument(raw: unknown): PackumentRecord | undefined;
204
+ /**
205
+ * Parse an npm transparency-log attestation bundle (the JSON returned from
206
+ * `registry.npmjs.org/-/npm/v1/attestations/<pkg>@<ver>`) and extract the
207
+ * SLSA provenance predicate.
208
+ *
209
+ * Returns the first SLSA provenance v1 predicate found, or `undefined` when
210
+ * none is present or the bundle is malformed.
211
+ */
212
+ export declare function parseProvenancePredicate(bundle: unknown): ProvenancePredicate | undefined;