@socketsecurity/lib 6.0.8 → 6.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (396) hide show
  1. package/CHANGELOG.md +28 -0
  2. package/README.md +8 -9
  3. package/dist/abort/signal.d.ts +1 -1
  4. package/dist/abort/signal.js +1 -1
  5. package/dist/ai/agent-context.d.mts +1 -1
  6. package/dist/ai/agent-context.js +3 -2
  7. package/dist/ai/backends.d.mts +3 -3
  8. package/dist/ai/backends.js +2 -2
  9. package/dist/ai/billing-context.d.mts +74 -0
  10. package/dist/ai/billing-context.js +129 -0
  11. package/dist/ai/credentials.d.mts +39 -5
  12. package/dist/ai/credentials.js +61 -6
  13. package/dist/ai/discover.d.mts +4 -0
  14. package/dist/ai/discover.js +4 -0
  15. package/dist/ai/exec.d.mts +1 -1
  16. package/dist/ai/exec.js +1 -1
  17. package/dist/ai/http.d.mts +8 -8
  18. package/dist/ai/http.js +6 -6
  19. package/dist/ai/profiles.d.mts +9 -10
  20. package/dist/ai/profiles.js +0 -5
  21. package/dist/ai/role.d.mts +58 -0
  22. package/dist/ai/role.js +96 -0
  23. package/dist/ai/route-heuristic.d.mts +177 -0
  24. package/dist/ai/route-heuristic.js +194 -0
  25. package/dist/ai/route.d.mts +31 -17
  26. package/dist/ai/route.js +35 -19
  27. package/dist/ai/spawn.d.mts +34 -1
  28. package/dist/ai/spawn.js +115 -3
  29. package/dist/ai/subagent-status.d.mts +2 -0
  30. package/dist/ai/subagent-status.js +2 -0
  31. package/dist/ai/tier.d.mts +1 -1
  32. package/dist/ai/types.d.mts +19 -2
  33. package/dist/ai/worktree.d.mts +1 -1
  34. package/dist/ai/worktree.js +3 -2
  35. package/dist/argv/parse.d.ts +2 -0
  36. package/dist/argv/parse.js +2 -0
  37. package/dist/bin/_internal.d.ts +1 -1
  38. package/dist/bin/_internal.js +1 -1
  39. package/dist/bin/prim.cjs +19253 -13937
  40. package/dist/bin/resolve.js +1 -1
  41. package/dist/bin/shadow.js +2 -1
  42. package/dist/bin/which.d.ts +28 -3
  43. package/dist/bin/which.js +45 -3
  44. package/dist/cacache/_internal.d.ts +10 -2
  45. package/dist/cacache/_internal.js +6 -10
  46. package/dist/cache/ttl/_internal.d.ts +33 -0
  47. package/dist/cache/ttl/_internal.js +68 -0
  48. package/dist/cache/ttl/browser.d.ts +56 -0
  49. package/dist/cache/ttl/browser.js +257 -0
  50. package/dist/cache/ttl/store.js +11 -34
  51. package/dist/cache/ttl/types.d.ts +46 -3
  52. package/dist/checks/primordials-defaults.d.ts +5 -5
  53. package/dist/checks/primordials-defaults.js +5 -5
  54. package/dist/checks/primordials.d.ts +1 -1
  55. package/dist/checks/primordials.js +25 -17
  56. package/dist/cli/check-primordials.d.ts +6 -1
  57. package/dist/cli/check-primordials.js +14 -5
  58. package/dist/cli/check.js +1 -1
  59. package/dist/cli/socket-lib.d.ts +1 -1
  60. package/dist/cli/socket-lib.js +3 -3
  61. package/dist/colors/socket-palette.d.ts +1 -1
  62. package/dist/compression/brotli.d.ts +6 -2
  63. package/dist/compression/brotli.js +5 -1
  64. package/dist/compression/gzip.d.ts +6 -2
  65. package/dist/compression/gzip.js +7 -2
  66. package/dist/config/layers.d.ts +53 -0
  67. package/dist/config/layers.js +83 -0
  68. package/dist/constants/agents.d.ts +3 -0
  69. package/dist/constants/agents.js +3 -0
  70. package/dist/constants/node.d.ts +14 -0
  71. package/dist/constants/node.js +14 -0
  72. package/dist/constants/package-default-node-range.js +1 -5
  73. package/dist/constants/packages.d.ts +5 -0
  74. package/dist/constants/packages.js +5 -0
  75. package/dist/constants/platform.d.ts +1 -1
  76. package/dist/constants/platform.js +1 -1
  77. package/dist/constants/socket.js +1 -1
  78. package/dist/constants/typescript.d.ts +5 -0
  79. package/dist/constants/typescript.js +5 -0
  80. package/dist/debug/_internal.d.ts +22 -7
  81. package/dist/debug/_internal.js +33 -15
  82. package/dist/debug/caller-info.js +1 -1
  83. package/dist/debug/namespace.js +11 -8
  84. package/dist/debug/output.d.ts +12 -1
  85. package/dist/debug/output.js +33 -16
  86. package/dist/dlx/binary-cache.js +1 -1
  87. package/dist/dlx/binary-resolution.js +8 -5
  88. package/dist/dlx/firewall.js +1 -1
  89. package/dist/dlx/lockfile.js +1 -1
  90. package/dist/eco/npm/npm/parse-lockfile.js +3 -2
  91. package/dist/eco/npm/vlt/exec.d.ts +1 -1
  92. package/dist/eco/npm/vlt/exec.js +1 -1
  93. package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +1 -1
  94. package/dist/env/agents.d.ts +6 -0
  95. package/dist/env/agents.js +29 -0
  96. package/dist/env/flags.d.ts +12 -0
  97. package/dist/env/flags.js +23 -0
  98. package/dist/env/github-status.js +2 -2
  99. package/dist/env/providers.d.ts +6 -0
  100. package/dist/env/providers.js +23 -0
  101. package/dist/env/proxy.js +1 -1
  102. package/dist/env/rewire.d.ts +37 -3
  103. package/dist/env/rewire.js +60 -29
  104. package/dist/env/runtimes.d.ts +9 -0
  105. package/dist/env/runtimes.js +53 -0
  106. package/dist/env/socket-cli.d.ts +5 -2
  107. package/dist/env/socket-cli.js +6 -3
  108. package/dist/env/xdg.d.ts +17 -0
  109. package/dist/env/xdg.js +21 -1
  110. package/dist/errors/predicates.d.ts +3 -2
  111. package/dist/errors/predicates.js +5 -3
  112. package/dist/events/exit/_internal.d.ts +1 -23
  113. package/dist/external/@npmcli/package-json.js +3570 -4905
  114. package/dist/external/@npmcli/promise-spawn.js +2 -2
  115. package/dist/external/@sinclair/typebox/value.js +5 -4
  116. package/dist/external/@socketregistry/yocto-spinner.js +3 -3
  117. package/dist/external/@yarnpkg/extensions.js +1 -1
  118. package/dist/external/adm-zip.d.ts +82 -0
  119. package/dist/external/adm-zip.js +2 -2
  120. package/dist/external/cacache.d.ts +87 -0
  121. package/dist/external/debug.d.ts +22 -0
  122. package/dist/external/debug.js +11 -4
  123. package/dist/external/del.d.ts +1 -0
  124. package/dist/external/external-pack.d.ts +12 -0
  125. package/dist/external/external-pack.js +42 -35
  126. package/dist/external/fast-glob.d.ts +8 -0
  127. package/dist/external/fast-sort.d.ts +1 -0
  128. package/dist/external/get-east-asian-width.d.ts +5 -0
  129. package/dist/external/get-east-asian-width.js +8 -1
  130. package/dist/external/has-flag.d.ts +1 -0
  131. package/dist/external/inquirer-pack.d.ts +18 -0
  132. package/dist/external/libnpmexec.d.ts +35 -0
  133. package/dist/external/libnpmpack.d.ts +1 -0
  134. package/dist/external/make-fetch-happen.d.ts +13 -0
  135. package/dist/external/normalize-package-data.d.ts +4 -0
  136. package/dist/external/npm-core.d.ts +14 -0
  137. package/dist/external/npm-pack.d.ts +24 -0
  138. package/dist/external/npm-pack.js +28934 -31885
  139. package/dist/external/npm-package-arg.d.ts +4 -0
  140. package/dist/external/p-map.js +8 -1
  141. package/dist/external/pacote.d.ts +15 -0
  142. package/dist/external/pico-pack.d.ts +16 -0
  143. package/dist/external/pico-pack.js +38 -23
  144. package/dist/external/picomatch.d.ts +96 -0
  145. package/dist/external/pony-cause.d.ts +14 -0
  146. package/dist/external/semver.d.ts +60 -0
  147. package/dist/external/semver.js +1459 -4
  148. package/dist/external/shell-quote.d.ts +51 -0
  149. package/dist/external/shell-quote.js +55 -15
  150. package/dist/external/signal-exit.d.ts +1 -0
  151. package/dist/external/spdx-correct.d.ts +4 -0
  152. package/dist/external/spdx-expression-parse.d.ts +4 -0
  153. package/dist/external/spdx-pack.d.ts +10 -0
  154. package/dist/external/std-env.d.ts +284 -0
  155. package/dist/external/std-env.js +323 -0
  156. package/dist/external/streaming-iterables.d.ts +11 -0
  157. package/dist/external/supports-color.d.ts +1 -0
  158. package/dist/external/tar-fs.d.ts +31 -0
  159. package/dist/external/tar-fs.js +63 -16
  160. package/dist/external/validate-npm-package-name.d.ts +4 -0
  161. package/dist/external/which.d.ts +25 -0
  162. package/dist/external/which.js +2 -2
  163. package/dist/external/yargs-parser.d.ts +2 -0
  164. package/dist/external/yargs-parser.js +11 -3
  165. package/dist/external/yoctocolors-cjs.d.ts +51 -0
  166. package/dist/external-tools/bazel/asset-names.d.ts +1 -1
  167. package/dist/external-tools/bazel/from-download.d.ts +1 -1
  168. package/dist/external-tools/bazel/resolve.d.ts +3 -0
  169. package/dist/external-tools/bazel/resolve.js +3 -0
  170. package/dist/external-tools/cdxgen/asset-names.d.ts +5 -5
  171. package/dist/external-tools/cdxgen/asset-names.js +3 -3
  172. package/dist/external-tools/cdxgen/from-download.d.ts +2 -2
  173. package/dist/external-tools/cdxgen/from-download.js +1 -1
  174. package/dist/external-tools/cdxgen/resolve.d.ts +4 -1
  175. package/dist/external-tools/cdxgen/resolve.js +4 -1
  176. package/dist/external-tools/cdxgen/types.d.ts +1 -1
  177. package/dist/external-tools/from-download.d.ts +2 -2
  178. package/dist/external-tools/from-download.js +1 -1
  179. package/dist/external-tools/janus/asset-names.d.ts +4 -1
  180. package/dist/external-tools/janus/asset-names.js +3 -0
  181. package/dist/external-tools/janus/from-download.d.ts +3 -3
  182. package/dist/external-tools/janus/from-download.js +2 -2
  183. package/dist/external-tools/janus/resolve.d.ts +3 -0
  184. package/dist/external-tools/janus/resolve.js +3 -0
  185. package/dist/external-tools/jre/asset-names.d.ts +3 -1
  186. package/dist/external-tools/jre/asset-names.js +2 -0
  187. package/dist/external-tools/jre/detect-platform-arch.js +1 -1
  188. package/dist/external-tools/jre/from-download.d.ts +1 -1
  189. package/dist/external-tools/manifest.d.ts +5 -3
  190. package/dist/external-tools/manifest.js +5 -3
  191. package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
  192. package/dist/external-tools/opengrep/resolve.d.ts +3 -0
  193. package/dist/external-tools/opengrep/resolve.js +3 -0
  194. package/dist/external-tools/python/asset-names.d.ts +3 -1
  195. package/dist/external-tools/python/asset-names.js +8 -4
  196. package/dist/external-tools/python/pin.js +3 -1
  197. package/dist/external-tools/python/resolve.d.ts +3 -0
  198. package/dist/external-tools/python/resolve.js +3 -0
  199. package/dist/external-tools/python/uv-install.d.ts +89 -0
  200. package/dist/external-tools/python/uv-install.js +165 -0
  201. package/dist/external-tools/sbt/resolve.d.ts +3 -0
  202. package/dist/external-tools/sbt/resolve.js +3 -0
  203. package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
  204. package/dist/external-tools/skillspector/from-uv.js +56 -0
  205. package/dist/external-tools/skillspector/resolve.d.ts +18 -3
  206. package/dist/external-tools/skillspector/resolve.js +21 -8
  207. package/dist/external-tools/skillspector/types.d.ts +3 -1
  208. package/dist/external-tools/synp/resolve.d.ts +3 -0
  209. package/dist/external-tools/synp/resolve.js +3 -0
  210. package/dist/external-tools/trivy/asset-names.d.ts +1 -1
  211. package/dist/external-tools/trivy/resolve.d.ts +3 -0
  212. package/dist/external-tools/trivy/resolve.js +3 -0
  213. package/dist/external-tools/trufflehog/asset-names.d.ts +4 -1
  214. package/dist/external-tools/trufflehog/asset-names.js +3 -0
  215. package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
  216. package/dist/external-tools/trufflehog/resolve.d.ts +3 -0
  217. package/dist/external-tools/trufflehog/resolve.js +3 -0
  218. package/dist/external-tools/uv/asset-names.d.ts +36 -0
  219. package/dist/external-tools/uv/asset-names.js +73 -0
  220. package/dist/external-tools/uv/from-download.d.ts +17 -0
  221. package/dist/external-tools/uv/from-download.js +50 -0
  222. package/dist/external-tools/uv/from-path.d.ts +5 -0
  223. package/dist/external-tools/uv/from-path.js +22 -0
  224. package/dist/external-tools/uv/from-vfs.d.ts +7 -0
  225. package/dist/external-tools/uv/from-vfs.js +26 -0
  226. package/dist/external-tools/uv/resolve.d.ts +28 -0
  227. package/dist/external-tools/uv/resolve.js +64 -0
  228. package/dist/external-tools/uv/types.d.ts +24 -0
  229. package/dist/external-tools/uv/types.js +2 -0
  230. package/dist/fleet/repo-config.d.ts +55 -0
  231. package/dist/fleet/repo-config.js +81 -0
  232. package/dist/fs/_internal.d.ts +1 -1
  233. package/dist/fs/_internal.js +1 -1
  234. package/dist/fs/access.d.ts +2 -0
  235. package/dist/fs/access.js +2 -0
  236. package/dist/fs/copy.d.ts +88 -0
  237. package/dist/fs/copy.js +89 -0
  238. package/dist/fs/find.js +1 -2
  239. package/dist/fs/inspect.d.ts +2 -2
  240. package/dist/fs/read-file.js +3 -4
  241. package/dist/fs/safe.js +2 -2
  242. package/dist/git/_internal.js +7 -3
  243. package/dist/github/commit.d.ts +92 -0
  244. package/dist/github/commit.js +113 -0
  245. package/dist/github/ghsa.js +1 -1
  246. package/dist/github/refs-graphql.js +1 -1
  247. package/dist/github/refs.js +10 -15
  248. package/dist/github/request.js +1 -1
  249. package/dist/github/token.d.ts +5 -2
  250. package/dist/github/token.js +6 -4
  251. package/dist/github/workflow-runs.d.ts +107 -0
  252. package/dist/github/workflow-runs.js +98 -0
  253. package/dist/globs/_internal.js +1 -1
  254. package/dist/http-request/_internal.d.ts +1 -1
  255. package/dist/http-request/browser.d.ts +6 -0
  256. package/dist/http-request/browser.js +4 -3
  257. package/dist/http-request/checksum-file.js +1 -1
  258. package/dist/http-request/download.js +2 -0
  259. package/dist/http-request/headers.d.ts +1 -1
  260. package/dist/http-request/headers.js +2 -2
  261. package/dist/http-request/request-attempt.js +6 -3
  262. package/dist/http-request/request-types.d.ts +10 -1
  263. package/dist/http-request/request.js +2 -2
  264. package/dist/http-request/user-agent.d.ts +23 -2
  265. package/dist/http-request/user-agent.js +48 -6
  266. package/dist/integrity.d.ts +127 -78
  267. package/dist/integrity.js +170 -84
  268. package/dist/json/format.js +4 -1
  269. package/dist/logger/_internal.d.ts +13 -15
  270. package/dist/logger/_internal.js +21 -21
  271. package/dist/logger/colors.d.ts +10 -5
  272. package/dist/logger/colors.js +7 -14
  273. package/dist/logger/console-methods.js +2 -2
  274. package/dist/logger/console.d.ts +1 -0
  275. package/dist/logger/console.js +9 -9
  276. package/dist/logger/node.js +2 -1
  277. package/dist/logger/symbols-builder.js +7 -8
  278. package/dist/logger/symbols.js +8 -8
  279. package/dist/native-messaging/install.js +1 -1
  280. package/dist/native-messaging/rate-limit.d.ts +4 -1
  281. package/dist/native-messaging/rate-limit.js +4 -1
  282. package/dist/node/events.d.ts +3 -0
  283. package/dist/node/events.js +3 -0
  284. package/dist/node/fs.d.ts +1 -1
  285. package/dist/node/module.d.ts +73 -2
  286. package/dist/node/module.js +97 -12
  287. package/dist/node/timers-promises.d.ts +3 -0
  288. package/dist/node/timers-promises.js +3 -0
  289. package/dist/node/url.d.ts +3 -0
  290. package/dist/node/url.js +3 -0
  291. package/dist/npm/meta-cache.d.ts +183 -0
  292. package/dist/npm/meta-cache.js +318 -0
  293. package/dist/npm/meta-slice.d.ts +27 -0
  294. package/dist/npm/meta-slice.js +68 -0
  295. package/dist/npm/meta-types.d.ts +282 -0
  296. package/dist/npm/meta-types.js +2 -0
  297. package/dist/npm/meta.d.ts +125 -0
  298. package/dist/npm/meta.js +347 -0
  299. package/dist/npm/registry.d.ts +212 -0
  300. package/dist/npm/registry.js +284 -0
  301. package/dist/objects/getters.d.ts +1 -1
  302. package/dist/objects/getters.js +1 -1
  303. package/dist/objects/predicates.js +1 -1
  304. package/dist/packages/exports.js +2 -2
  305. package/dist/packages/isolation.js +1 -1
  306. package/dist/packages/manifest.d.ts +29 -0
  307. package/dist/packages/manifest.js +44 -9
  308. package/dist/packages/metadata-extensions.js +2 -4
  309. package/dist/packages/normalize.js +1 -1
  310. package/dist/packages/provenance.d.ts +8 -0
  311. package/dist/packages/provenance.js +10 -2
  312. package/dist/packages/specs.js +1 -1
  313. package/dist/packages/tarball.js +1 -2
  314. package/dist/packages/validation.d.ts +0 -10
  315. package/dist/packages/validation.js +0 -14
  316. package/dist/paths/_internal.d.ts +1 -7
  317. package/dist/paths/_internal.js +9 -15
  318. package/dist/paths/conversion.js +1 -1
  319. package/dist/paths/exts.d.ts +30 -0
  320. package/dist/paths/exts.js +30 -0
  321. package/dist/paths/filenames.d.ts +6 -0
  322. package/dist/paths/filenames.js +6 -0
  323. package/dist/paths/globs.d.ts +6 -0
  324. package/dist/paths/globs.js +6 -0
  325. package/dist/paths/normalize.js +1 -1
  326. package/dist/paths/predicates.js +2 -1
  327. package/dist/paths/resolve.js +19 -14
  328. package/dist/paths/socket.d.ts +81 -30
  329. package/dist/paths/socket.js +102 -28
  330. package/dist/perf/metrics.js +1 -1
  331. package/dist/perf/report.js +5 -3
  332. package/dist/pkg-ext/data.js +0 -2
  333. package/dist/primordials/globals.d.ts +1 -1
  334. package/dist/primordials/globals.js +1 -1
  335. package/dist/primordials/headers.d.ts +13 -1
  336. package/dist/primordials/headers.js +13 -1
  337. package/dist/primordials/process.d.ts +1 -1
  338. package/dist/primordials/process.js +1 -1
  339. package/dist/primordials/url.d.ts +18 -0
  340. package/dist/primordials/url.js +18 -0
  341. package/dist/process/spawn/child.js +3 -5
  342. package/dist/promises/_internal.d.ts +1 -1
  343. package/dist/promises/_internal.js +1 -2
  344. package/dist/promises/options.js +3 -3
  345. package/dist/regexps/spec.js +1 -1
  346. package/dist/releases/socket-btm-binary-naming.js +12 -1
  347. package/dist/schema/validate.js +1 -1
  348. package/dist/secrets/_internal.d.ts +1 -1
  349. package/dist/secrets/_internal.js +1 -1
  350. package/dist/secrets/broker.d.ts +35 -0
  351. package/dist/secrets/broker.js +72 -0
  352. package/dist/secrets/find.d.ts +8 -6
  353. package/dist/secrets/find.js +17 -3
  354. package/dist/secrets/keychain.d.ts +10 -1
  355. package/dist/secrets/keychain.js +10 -1
  356. package/dist/secrets/rc.js +1 -1
  357. package/dist/secrets/socket-api-token.d.ts +1 -1
  358. package/dist/secrets/socket-api-token.js +1 -1
  359. package/dist/secrets/types.d.ts +1 -1
  360. package/dist/smol/detect.js +1 -1
  361. package/dist/smol/http.d.ts +2 -0
  362. package/dist/smol/http.js +3 -1
  363. package/dist/smol/https.d.ts +2 -0
  364. package/dist/smol/https.js +3 -1
  365. package/dist/smol/manifest.js +1 -1
  366. package/dist/smol/path.js +1 -1
  367. package/dist/smol/primordial.js +1 -1
  368. package/dist/smol/purl.js +1 -1
  369. package/dist/smol/versions.js +1 -1
  370. package/dist/smol/vfs.js +1 -1
  371. package/dist/sorts/_internal.d.ts +2 -4
  372. package/dist/sorts/_internal.js +1 -7
  373. package/dist/sorts/semver.js +2 -2
  374. package/dist/spinner/create-spinner-class.js +1 -1
  375. package/dist/spinner/format.js +2 -4
  376. package/dist/stdio/footer.js +8 -7
  377. package/dist/stdio/progress.js +1 -1
  378. package/dist/stdio/prompts.d.ts +8 -23
  379. package/dist/stdio/prompts.js +28 -52
  380. package/dist/strings/format.js +1 -1
  381. package/dist/strings/predicates.d.ts +2 -2
  382. package/dist/strings/search.js +2 -2
  383. package/dist/strings/types.d.ts +4 -0
  384. package/dist/strings/width.d.ts +1 -0
  385. package/dist/strings/width.js +17 -8
  386. package/dist/themes/context.d.ts +18 -3
  387. package/dist/themes/context.js +28 -14
  388. package/dist/versions/_internal.d.ts +43 -13
  389. package/dist/versions/_internal.js +27 -15
  390. package/dist/versions/compare.d.ts +16 -10
  391. package/dist/versions/compare.js +36 -16
  392. package/dist/versions/parse.js +1 -1
  393. package/dist/versions/range.js +3 -2
  394. package/dist/words/pluralize.js +4 -1
  395. package/llms.txt +63 -0
  396. package/package.json +271 -40
@@ -0,0 +1,284 @@
1
+ "use strict";
2
+ /* Socket Lib - Built with rolldown */
3
+ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
+ const require_primordials_string = require('../primordials/string.js');
5
+
6
+ //#region src/npm/registry.ts
7
+ /**
8
+ * @file Browser-safe npm registry client — pure parsers + injectable-fetch
9
+ * shell. Safe for Chrome MV3 service workers, content scripts, and any
10
+ * environment without `node:*` builtins. The HTTP adapter is injected by the
11
+ * caller (`{ http: { json } }`) so Node callers pass `httpJson` from
12
+ * `@socketsecurity/lib/http-request` and browser callers pass `httpJson` from
13
+ * `@socketsecurity/lib/http-request/browser`. No network dependency at module
14
+ * load time.
15
+ *
16
+ * ## Endpoints covered
17
+ *
18
+ * - Packument: `registry.npmjs.org/<pkg>`
19
+ * - Version manifest (package.json):
20
+ * `cdn.jsdelivr.net/npm/<pkg>@<ver>/package.json`
21
+ * - Weekly downloads: `api.npmjs.org/downloads/point/last-week/<pkg>`
22
+ * - Attestation bundle: `registry.npmjs.org/-/npm/v1/attestations/<pkg>@<ver>`
23
+ * - Org packages: `registry.npmjs.org/-/org/<org>/package`
24
+ *
25
+ * ## URL encoding
26
+ *
27
+ * Registry endpoints (`registry.npmjs.org`, `api.npmjs.org`): scoped names
28
+ * encode to `@scope%2Fname` (one `encodeURIComponent` call that encodes the
29
+ * slash, then `%40` is restored to `@`).
30
+ * CDN endpoint (`cdn.jsdelivr.net`): scope and name are encoded separately,
31
+ * preserving the literal `/` between them. A prior extension bug sent
32
+ * `@scope%2Fname` to the CDN which returned 400; the fix is this split-encode
33
+ * path.
34
+ *
35
+ * ## Trusted Publisher detection
36
+ *
37
+ * From the packument alone, only `!!dist.attestations` is detectable —
38
+ * proving provenance was signed but not identifying which repo or workflow is
39
+ * configured as the TP. To get repo + workflow call `getAttestations()` then
40
+ * `parseProvenancePredicate()` to parse the SLSA
41
+ * `externalParameters.workflow` field. The npm access page
42
+ * (`/package/<name>/access`) is session-only HTML and is out of scope for
43
+ * this public client.
44
+ */
45
+ const NPM_REGISTRY = "https://registry.npmjs.org";
46
+ const NPM_DOWNLOADS_API = "https://api.npmjs.org";
47
+ const CDN_JSDELIVR = "https://cdn.jsdelivr.net";
48
+ const SLSA_PROVENANCE_TYPE = "https://slsa.dev/provenance/v1";
49
+ /**
50
+ * Build the CDN path `<encoded-name>@<encoded-version>/package.json`.
51
+ * Exposed as a pure function so callers can construct the full URL themselves.
52
+ */
53
+ function buildCdnPath(name, version) {
54
+ return `${encodeCdnName(name)}@${encodeURIComponent(version)}/package.json`;
55
+ }
56
+ /**
57
+ * Detect Trusted Publisher configuration from a packument version entry.
58
+ *
59
+ * From the packument alone, only the presence of `dist.attestations` is
60
+ * detectable (`configured: true` means provenance was signed; it does NOT
61
+ * confirm that a TP source is configured on npmjs.com). To get `repo` and
62
+ * `workflow`, fetch the attestation bundle with `getAttestations()` and parse
63
+ * it with `parseProvenancePredicate()`.
64
+ */
65
+ function detectTrustedPublisher(versionEntry) {
66
+ if (!hasProvenance(versionEntry)) return { configured: false };
67
+ return { configured: true };
68
+ }
69
+ /**
70
+ * Encode a package name for use in registry CDN URLs.
71
+ * Scope and name are encoded individually, preserving the literal `/`.
72
+ * Use this for `cdn.jsdelivr.net` URLs — fixes the `@scope%2Fname` → 400 bug.
73
+ */
74
+ function encodeCdnName(name) {
75
+ if (require_primordials_string.StringPrototypeIndexOf(name, "/") === -1) return encodeURIComponent(name);
76
+ const slashAt = require_primordials_string.StringPrototypeIndexOf(name, "/");
77
+ const scope = require_primordials_string.StringPrototypeSlice(name, 0, slashAt);
78
+ const pkg = require_primordials_string.StringPrototypeSlice(name, slashAt + 1);
79
+ return `${encodeURIComponent(scope)}/${encodeURIComponent(pkg)}`;
80
+ }
81
+ /**
82
+ * Encode a package name for use in registry / download-API URLs.
83
+ *
84
+ * Registry form (`cdn: false`, the default): `encodeURIComponent` then restore
85
+ * the leading `@` so `@scope/name` → `@scope%2Fname`.
86
+ *
87
+ * CDN form (`cdn: true`): scope and name are encoded individually so the
88
+ * literal `/` separator is preserved: `@scope/name` → `@scope/name` (each
89
+ * segment encoded separately). This fixes the `@scope%2Fname` → 400 bug on
90
+ * `cdn.jsdelivr.net`.
91
+ *
92
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
93
+ */
94
+ function encodePackageName(name, options) {
95
+ if ({
96
+ __proto__: null,
97
+ cdn: false,
98
+ ...options
99
+ }.cdn) return encodeCdnName(name);
100
+ return encodeRegistryName(name);
101
+ }
102
+ /**
103
+ * Encode a package name for use in registry / download-API URLs.
104
+ * Applies `encodeURIComponent` then restores `@` so scoped names become
105
+ * `@scope%2Fname`.
106
+ */
107
+ function encodeRegistryName(name) {
108
+ return encodeURIComponent(name).replace("%40", "@");
109
+ }
110
+ /**
111
+ * Fetch the attestation bundle for a package version from the npm transparency
112
+ * log. Returns `undefined` when no attestations entry is present in the
113
+ * packument (404 is treated as absent rather than an error).
114
+ */
115
+ async function getAttestations(name, version, options) {
116
+ const opts = {
117
+ __proto__: null,
118
+ ...options
119
+ };
120
+ const encoded = `${encodeRegistryName(name)}@${encodeURIComponent(version)}`;
121
+ const url = `${NPM_REGISTRY}/-/npm/v1/attestations/${encoded}`;
122
+ try {
123
+ return await opts.http.json(url);
124
+ } catch {
125
+ return;
126
+ }
127
+ }
128
+ /**
129
+ * Fetch the list of packages belonging to an npm org.
130
+ * Returns package names as a string array.
131
+ */
132
+ async function getOrgPackages(org, options) {
133
+ const opts = {
134
+ __proto__: null,
135
+ ...options
136
+ };
137
+ const url = `${NPM_REGISTRY}/-/org/${encodeURIComponent(org)}/package`;
138
+ const raw = await opts.http.json(url);
139
+ return Object.keys(raw);
140
+ }
141
+ /**
142
+ * Fetch and parse the full packument for a package.
143
+ */
144
+ async function getPackument(name, options) {
145
+ const opts = {
146
+ __proto__: null,
147
+ ...options
148
+ };
149
+ const url = `${NPM_REGISTRY}/${encodeRegistryName(name)}`;
150
+ const parsed = parsePackument(await opts.http.json(url));
151
+ if (!parsed) throw new Error(`getPackument: invalid packument response for "${name}" from ${url}`);
152
+ return parsed;
153
+ }
154
+ /**
155
+ * Fetch a version's package.json via the jsDelivr CDN.
156
+ *
157
+ * Uses split-encode for scoped names so `cdn.jsdelivr.net` receives the literal
158
+ * `/` between scope and name (not `%2F` which causes 400s).
159
+ *
160
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
161
+ */
162
+ async function getVersionManifest(name, version, options) {
163
+ const opts = {
164
+ __proto__: null,
165
+ ...options
166
+ };
167
+ const cdnPath = buildCdnPath(name, version);
168
+ const url = `${CDN_JSDELIVR}/npm/${cdnPath}`;
169
+ return opts.http.json(url);
170
+ }
171
+ /**
172
+ * Fetch last-week download counts for a package from the npm downloads API.
173
+ *
174
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
175
+ */
176
+ async function getWeeklyDownloads(name, options) {
177
+ const opts = {
178
+ __proto__: null,
179
+ ...options
180
+ };
181
+ const url = `${NPM_DOWNLOADS_API}/downloads/point/last-week/${encodeRegistryName(name)}`;
182
+ return opts.http.json(url);
183
+ }
184
+ /**
185
+ * Return true when `versionEntry.dist.attestations` is present — indicating a
186
+ * SLSA provenance attestation was produced for this version.
187
+ */
188
+ function hasProvenance(versionEntry) {
189
+ return !!versionEntry.dist?.attestations;
190
+ }
191
+ /**
192
+ * Return `true` when `version` of `name` is already published to the registry.
193
+ * Authoritative — reads the packument's `versions` map rather than a CDN, so a
194
+ * pre-publish guard never false-negatives on CDN lag (the asymmetric-cost case:
195
+ * a wrong "not published" invites a duplicate-version publish attempt). Returns
196
+ * `false` when the package does not exist or the packument fetch fails.
197
+ *
198
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
199
+ */
200
+ async function isVersionPublished(name, version, options) {
201
+ try {
202
+ return (await getPackument(name, options)).versions[version] !== void 0;
203
+ } catch {
204
+ return false;
205
+ }
206
+ }
207
+ /**
208
+ * Parse a raw packument JSON response into a typed `PackumentRecord`.
209
+ * Adds the `distTags` alias for `dist-tags` so callers don't need bracket
210
+ * notation. Returns `undefined` when the input is not a valid packument shape.
211
+ */
212
+ function parsePackument(raw) {
213
+ if (raw === void 0 || raw === null || typeof raw !== "object" || !("versions" in raw) || !("dist-tags" in raw)) return;
214
+ const rec = raw;
215
+ return {
216
+ "dist-tags": rec["dist-tags"] ?? {},
217
+ distTags: rec["dist-tags"] ?? {},
218
+ name: typeof rec.name === "string" ? rec.name : "",
219
+ time: rec.time,
220
+ versions: rec.versions ?? {}
221
+ };
222
+ }
223
+ /**
224
+ * Parse an npm transparency-log attestation bundle (the JSON returned from
225
+ * `registry.npmjs.org/-/npm/v1/attestations/<pkg>@<ver>`) and extract the
226
+ * SLSA provenance predicate.
227
+ *
228
+ * Returns the first SLSA provenance v1 predicate found, or `undefined` when
229
+ * none is present or the bundle is malformed.
230
+ */
231
+ function parseProvenancePredicate(bundle) {
232
+ if (bundle === void 0 || bundle === null || typeof bundle !== "object" || !("attestations" in bundle) || !Array.isArray(bundle.attestations)) return;
233
+ const { attestations } = bundle;
234
+ /* c8 ignore start - the prior Array.isArray guard above already narrows
235
+ * `attestations` to a real array; even an empty array is truthy, so this
236
+ * falsy-check can never take its true branch at runtime. Kept only to
237
+ * satisfy the optional `attestations?: ... | undefined` field type. */
238
+ if (!attestations) return;
239
+ /* c8 ignore stop */
240
+ for (const entry of attestations) {
241
+ if (entry.predicateType !== SLSA_PROVENANCE_TYPE) continue;
242
+ const b = entry.bundle;
243
+ if (b === void 0 || b === null || typeof b !== "object") continue;
244
+ const verificationMaterial = b.verificationMaterial;
245
+ if (verificationMaterial === void 0 || verificationMaterial === null || typeof verificationMaterial !== "object") continue;
246
+ const content = verificationMaterial.content;
247
+ if (typeof content !== "string") continue;
248
+ let parsed;
249
+ try {
250
+ parsed = JSON.parse(content);
251
+ } catch {
252
+ continue;
253
+ }
254
+ if (parsed === void 0 || parsed === null || typeof parsed !== "object") continue;
255
+ const envelope = parsed;
256
+ if (typeof envelope.payload !== "string") continue;
257
+ let payload;
258
+ try {
259
+ payload = JSON.parse(atob(envelope.payload));
260
+ } catch {
261
+ continue;
262
+ }
263
+ if (payload === void 0 || payload === null || typeof payload !== "object") continue;
264
+ const statement = payload;
265
+ if (statement.predicate === void 0 || statement.predicate === null || typeof statement.predicate !== "object") continue;
266
+ return statement.predicate;
267
+ }
268
+ }
269
+
270
+ //#endregion
271
+ exports.buildCdnPath = buildCdnPath;
272
+ exports.detectTrustedPublisher = detectTrustedPublisher;
273
+ exports.encodeCdnName = encodeCdnName;
274
+ exports.encodePackageName = encodePackageName;
275
+ exports.encodeRegistryName = encodeRegistryName;
276
+ exports.getAttestations = getAttestations;
277
+ exports.getOrgPackages = getOrgPackages;
278
+ exports.getPackument = getPackument;
279
+ exports.getVersionManifest = getVersionManifest;
280
+ exports.getWeeklyDownloads = getWeeklyDownloads;
281
+ exports.hasProvenance = hasProvenance;
282
+ exports.isVersionPublished = isVersionPublished;
283
+ exports.parsePackument = parsePackument;
284
+ exports.parseProvenancePredicate = parseProvenancePredicate;
@@ -1,6 +1,6 @@
1
1
  /**
2
2
  * @file Lazy-getter primitives + `createConstantsObject`.
3
- * `createConstantsObject` is the most-used factory in this module — fleet
3
+ * `createConstantsObject` is the most-used factory in this module — Socket
4
4
  * repos use it to assemble frozen settings objects with a mix of eager
5
5
  * values, lazy-computed values, and internals reachable through
6
6
  * `kInternalsSymbol`. The `defineLazyGetter*` helpers underneath are the
@@ -10,7 +10,7 @@ const require_objects_sort = require('./sort.js');
10
10
  //#region src/objects/getters.ts
11
11
  /**
12
12
  * @file Lazy-getter primitives + `createConstantsObject`.
13
- * `createConstantsObject` is the most-used factory in this module — fleet
13
+ * `createConstantsObject` is the most-used factory in this module — Socket
14
14
  * repos use it to assemble frozen settings objects with a mix of eager
15
15
  * values, lazy-computed values, and internals reachable through
16
16
  * `kInternalsSymbol`. The `defineLazyGetter*` helpers underneath are the
@@ -1,8 +1,8 @@
1
1
  "use strict";
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
- const require_arrays_predicates = require('../arrays/predicates.js');
5
4
  const require_primordials_object = require('../primordials/object.js');
5
+ const require_arrays_predicates = require('../arrays/predicates.js');
6
6
 
7
7
  //#region src/objects/predicates.ts
8
8
  /**
@@ -2,11 +2,11 @@
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_primordials_error = require('../primordials/error.js');
5
- const require_arrays_predicates = require('../arrays/predicates.js');
6
5
  const require_primordials_object = require('../primordials/object.js');
6
+ const require_primordials_string = require('../primordials/string.js');
7
+ const require_arrays_predicates = require('../arrays/predicates.js');
7
8
  const require_objects_predicates = require('../objects/predicates.js');
8
9
  const require_primordials_map_set = require('../primordials/map-set.js');
9
- const require_primordials_string = require('../primordials/string.js');
10
10
  const require_primordials_array = require('../primordials/array.js');
11
11
  const require_constants_sentinels = require('../constants/sentinels.js');
12
12
 
@@ -3,9 +3,9 @@
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_runtime = require('../_virtual/_rolldown/runtime.js');
5
5
  const require_primordials_error = require('../primordials/error.js');
6
- const require_constants_platform = require('../constants/platform.js');
7
6
  const require_primordials_object = require('../primordials/object.js');
8
7
  const require_primordials_string = require('../primordials/string.js');
8
+ const require_constants_platform = require('../constants/platform.js');
9
9
  const require_paths_conversion = require('../paths/conversion.js');
10
10
  const require_paths_predicates = require('../paths/predicates.js');
11
11
  const require_node_fs = require('../node/fs.js');
@@ -32,3 +32,32 @@ export declare function fetchPackageManifest(pkgNameOrId: string, options?: Paco
32
32
  * ```
33
33
  */
34
34
  export declare function fetchPackagePackument(pkgNameOrId: string, options?: PacoteOptions): Promise<unknown>;
35
+ /**
36
+ * Dev/build-only top-level package.json fields not needed at runtime. The
37
+ * conservative default for {@link trimPublishManifest}; extend per-package via
38
+ * its `drop` option.
39
+ */
40
+ export declare const DEFAULT_TRIM_FIELDS: readonly string[];
41
+ export interface TrimPublishManifestOptions {
42
+ /**
43
+ * Top-level fields to omit (defaults to {@link DEFAULT_TRIM_FIELDS}).
44
+ */
45
+ readonly drop?: readonly string[] | undefined;
46
+ /**
47
+ * Fields to KEEP even when listed in `drop` (e.g. a runtime postinstall).
48
+ */
49
+ readonly keep?: readonly string[] | undefined;
50
+ }
51
+ /**
52
+ * Return a shallow copy of `manifest` that omits dev/build-only top-level
53
+ * fields so a published tarball + its npm metadata stay lean (npm caps total
54
+ * per-package metadata at 100 MB). The original object is left intact; persist
55
+ * the result only for the publish, never over the repo's own package.json.
56
+ *
57
+ * @example
58
+ * ;```typescript
59
+ * const lean = trimPublishManifest(pkg) // omits devDependencies + scripts
60
+ * const kept = trimPublishManifest(pkg, { keep: ['scripts'] })
61
+ * ```
62
+ */
63
+ export declare function trimPublishManifest(manifest: PackageJson, options?: TrimPublishManifestOptions | undefined): PackageJson;
@@ -2,19 +2,18 @@
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_runtime = require('../_virtual/_rolldown/runtime.js');
5
- const require_arrays_predicates = require('../arrays/predicates.js');
6
5
  const require_primordials_object = require('../primordials/object.js');
6
+ const require_arrays_predicates = require('../arrays/predicates.js');
7
7
  const require_objects_predicates = require('../objects/predicates.js');
8
8
  const require_process_abort = require('../process/abort.js');
9
9
  const require_constants_socket = require('../constants/socket.js');
10
10
  const require_constants_packages = require('../constants/packages.js');
11
+ const require_versions__internal = require('../versions/_internal.js');
11
12
  const require_objects_sort = require('../objects/sort.js');
12
13
  const require_packages_exports = require('./exports.js');
13
14
  const require_packages_validation = require('./validation.js');
14
15
  let src_external_npm_package_arg = require("../external/npm-package-arg");
15
16
  src_external_npm_package_arg = require_runtime.__toESM(src_external_npm_package_arg);
16
- let src_external_semver = require("../external/semver");
17
- src_external_semver = require_runtime.__toESM(src_external_semver);
18
17
  let src_external_pacote = require("../external/pacote");
19
18
  src_external_pacote = require_runtime.__toESM(src_external_pacote);
20
19
 
@@ -22,7 +21,6 @@ src_external_pacote = require_runtime.__toESM(src_external_pacote);
22
21
  /**
23
22
  * @file Package manifest and packument fetching utilities.
24
23
  */
25
- const abortSignal = require_process_abort.getAbortSignal();
26
24
  const packageDefaultNodeRange = require_constants_packages.getPackageDefaultNodeRange();
27
25
  const PACKAGE_DEFAULT_SOCKET_CATEGORIES = require_constants_packages.getPackageDefaultSocketCategories();
28
26
  const packumentCache = require_constants_packages.getPackumentCache();
@@ -72,8 +70,9 @@ function createPackageJson(sockRegPkgName, directory, options) {
72
70
  if (strKey === "node") {
73
71
  const { 1: range } = result;
74
72
  if (typeof range === "string" && range && packageDefaultNodeRange) {
75
- const coercedRange = src_external_semver.default.coerce(range);
76
- if (!src_external_semver.default.satisfies(coercedRange?.version ?? "0.0.0", packageDefaultNodeRange)) result[1] = packageDefaultNodeRange;
73
+ const semver = require_versions__internal.getSemver();
74
+ const coercedRange = semver.coerce(range);
75
+ if (!semver.satisfies(coercedRange?.version ?? "0.0.0", packageDefaultNodeRange)) result[1] = packageDefaultNodeRange;
77
76
  }
78
77
  }
79
78
  return result;
@@ -93,7 +92,7 @@ function createPackageJson(sockRegPkgName, directory, options) {
93
92
  async function fetchPackageManifest(pkgNameOrId, options) {
94
93
  const pacoteOptions = {
95
94
  __proto__: null,
96
- signal: abortSignal,
95
+ signal: require_process_abort.getAbortSignal(),
97
96
  ...options,
98
97
  packumentCache,
99
98
  preferOffline: true
@@ -125,15 +124,51 @@ async function fetchPackagePackument(pkgNameOrId, options) {
125
124
  try {
126
125
  return await src_external_pacote.default.packument(pkgNameOrId, {
127
126
  __proto__: null,
128
- signal: abortSignal,
127
+ signal: require_process_abort.getAbortSignal(),
129
128
  ...options,
130
129
  packumentCache,
131
130
  preferOffline: true
132
131
  });
133
132
  } catch {}
134
133
  }
134
+ /**
135
+ * Dev/build-only top-level package.json fields not needed at runtime. The
136
+ * conservative default for {@link trimPublishManifest}; extend per-package via
137
+ * its `drop` option.
138
+ */
139
+ const DEFAULT_TRIM_FIELDS = ["devDependencies", "scripts"];
140
+ /**
141
+ * Return a shallow copy of `manifest` that omits dev/build-only top-level
142
+ * fields so a published tarball + its npm metadata stay lean (npm caps total
143
+ * per-package metadata at 100 MB). The original object is left intact; persist
144
+ * the result only for the publish, never over the repo's own package.json.
145
+ *
146
+ * @example
147
+ * ;```typescript
148
+ * const lean = trimPublishManifest(pkg) // omits devDependencies + scripts
149
+ * const kept = trimPublishManifest(pkg, { keep: ['scripts'] })
150
+ * ```
151
+ */
152
+ function trimPublishManifest(manifest, options) {
153
+ const opts = {
154
+ __proto__: null,
155
+ ...options
156
+ };
157
+ const drop = new Set(opts.drop ?? DEFAULT_TRIM_FIELDS);
158
+ const keep = new Set(opts.keep ?? []);
159
+ const source = manifest;
160
+ const keys = require_primordials_object.ObjectKeys(source);
161
+ const out = {};
162
+ for (let i = 0, { length } = keys; i < length; i += 1) {
163
+ const key = keys[i];
164
+ if (!drop.has(key) || keep.has(key)) out[key] = source[key];
165
+ }
166
+ return out;
167
+ }
135
168
 
136
169
  //#endregion
170
+ exports.DEFAULT_TRIM_FIELDS = DEFAULT_TRIM_FIELDS;
137
171
  exports.createPackageJson = createPackageJson;
138
172
  exports.fetchPackageManifest = fetchPackageManifest;
139
- exports.fetchPackagePackument = fetchPackagePackument;
173
+ exports.fetchPackagePackument = fetchPackagePackument;
174
+ exports.trimPublishManifest = trimPublishManifest;
@@ -1,11 +1,9 @@
1
1
  "use strict";
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
- const require_runtime = require('../_virtual/_rolldown/runtime.js');
5
4
  const require_objects_mutate = require('../objects/mutate.js');
6
5
  const require_constants_packages = require('../constants/packages.js');
7
- let src_external_semver = require("../external/semver");
8
- src_external_semver = require_runtime.__toESM(src_external_semver);
6
+ const require_versions__internal = require('../versions/_internal.js');
9
7
 
10
8
  //#region src/packages/metadata-extensions.ts
11
9
  /**
@@ -30,7 +28,7 @@ function findPackageExtensions(pkgName, pkgVer) {
30
28
  const lastAtSignIndex = selector.lastIndexOf("@");
31
29
  if (pkgName === selector.slice(0, lastAtSignIndex)) {
32
30
  const range = selector.slice(lastAtSignIndex + 1);
33
- if (src_external_semver.satisfies(pkgVer, range)) {
31
+ if (require_versions__internal.getSemver().satisfies(pkgVer, range)) {
34
32
  if (result === void 0) result = {};
35
33
  if (typeof ext === "object" && ext !== null) require_objects_mutate.merge(result, ext);
36
34
  }
@@ -6,8 +6,8 @@ const require_primordials_object = require('../primordials/object.js');
6
6
  const require_primordials_string = require('../primordials/string.js');
7
7
  const require_primordials_regexp = require('../primordials/regexp.js');
8
8
  const require_primordials_array = require('../primordials/array.js');
9
- const require_objects_mutate = require('../objects/mutate.js');
10
9
  const require_constants_socket = require('../constants/socket.js');
10
+ const require_objects_mutate = require('../objects/mutate.js');
11
11
  const require_regexps_escape = require('../regexps/escape.js');
12
12
  const require_packages_metadata_extensions = require('./metadata-extensions.js');
13
13
  let src_external_normalize_package_data = require("../external/normalize-package-data");
@@ -5,6 +5,8 @@ import type { ProvenanceOptions } from './types';
5
5
  /**
6
6
  * Comparator ordering two trust statuses by ascending trust level. Sorts an
7
7
  * array of statuses lowest-trust-first; negate for highest-first.
8
+ *
9
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
8
10
  */
9
11
  export declare function compareTrust(a: TrustStatus, b: TrustStatus): -1 | 0 | 1;
10
12
  /**
@@ -12,6 +14,8 @@ export declare function compareTrust(a: TrustStatus, b: TrustStatus): -1 | 0 | 1
12
14
  * regressed its supply-chain posture. Drives the post-publish provenance
13
15
  * reminder: a version that drops from trustedPublisher back to bare provenance
14
16
  * is a red flag worth surfacing.
17
+ *
18
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
15
19
  */
16
20
  export declare function didTrustDecrease(prev: TrustStatus, next: TrustStatus): boolean;
17
21
  /**
@@ -48,6 +52,8 @@ export declare function getProvenanceDetails(attestationData: unknown): unknown;
48
52
  export declare function getTrustLevel(status: TrustStatus): TrustLevel;
49
53
  /**
50
54
  * Map a trust status to its human-readable level name.
55
+ *
56
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
51
57
  */
52
58
  export declare function getTrustLevelName(status: TrustStatus): TrustLevelName;
53
59
  /**
@@ -59,6 +65,8 @@ export declare function getTrustLevelName(status: TrustStatus): TrustLevelName;
59
65
  * 2FA-gated approve step. That signal ranks ABOVE both `trustedPublisher` and
60
66
  * `provenance` in pnpm's trust-evidence ladder, because it adds a human
61
67
  * approval gate on top of the OIDC publisher identity.
68
+ *
69
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
62
70
  */
63
71
  export declare function getTrustStatus(meta: unknown): TrustStatus;
64
72
  /**
@@ -3,10 +3,10 @@
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_runtime = require('../_virtual/_rolldown/runtime.js');
5
5
  const require_primordials_buffer = require('../primordials/buffer.js');
6
- const require_abort_signal = require('../abort/signal.js');
7
6
  const require_primordials_object = require('../primordials/object.js');
8
- const require_objects_predicates = require('../objects/predicates.js');
9
7
  const require_primordials_string = require('../primordials/string.js');
8
+ const require_abort_signal = require('../abort/signal.js');
9
+ const require_objects_predicates = require('../objects/predicates.js');
10
10
  const require_primordials_array = require('../primordials/array.js');
11
11
  const require_primordials_json = require('../primordials/json.js');
12
12
  const require_constants_agents = require('../constants/agents.js');
@@ -25,6 +25,8 @@ let cachedFetcher;
25
25
  /**
26
26
  * Comparator ordering two trust statuses by ascending trust level. Sorts an
27
27
  * array of statuses lowest-trust-first; negate for highest-first.
28
+ *
29
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
28
30
  */
29
31
  function compareTrust(a, b) {
30
32
  const levelA = getTrustLevel(a);
@@ -38,6 +40,8 @@ function compareTrust(a, b) {
38
40
  * regressed its supply-chain posture. Drives the post-publish provenance
39
41
  * reminder: a version that drops from trustedPublisher back to bare provenance
40
42
  * is a red flag worth surfacing.
43
+ *
44
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
41
45
  */
42
46
  function didTrustDecrease(prev, next) {
43
47
  return getTrustLevel(next) < getTrustLevel(prev);
@@ -152,6 +156,8 @@ function getTrustLevel(status) {
152
156
  }
153
157
  /**
154
158
  * Map a trust status to its human-readable level name.
159
+ *
160
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
155
161
  */
156
162
  function getTrustLevelName(status) {
157
163
  return TRUST_LEVELS[getTrustLevel(status)];
@@ -165,6 +171,8 @@ function getTrustLevelName(status) {
165
171
  * 2FA-gated approve step. That signal ranks ABOVE both `trustedPublisher` and
166
172
  * `provenance` in pnpm's trust-evidence ladder, because it adds a human
167
173
  * approval gate on top of the OIDC publisher identity.
174
+ *
175
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
168
176
  */
169
177
  function getTrustStatus(meta) {
170
178
  const status = {
@@ -2,8 +2,8 @@
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_runtime = require('../_virtual/_rolldown/runtime.js');
5
- const require_objects_predicates = require('../objects/predicates.js');
6
5
  const require_primordials_string = require('../primordials/string.js');
6
+ const require_objects_predicates = require('../objects/predicates.js');
7
7
  const require_strings_predicates = require('../strings/predicates.js');
8
8
  const require_constants_socket = require('../constants/socket.js');
9
9
  const require_smol_purl = require('../smol/purl.js');
@@ -18,7 +18,6 @@ src_external_libnpmpack = require_runtime.__toESM(src_external_libnpmpack);
18
18
  * spec into a tarball, both via pacote/libnpmpack with the shared packument
19
19
  * cache.
20
20
  */
21
- const abortSignal = require_process_abort.getAbortSignal();
22
21
  const packumentCache = require_constants_packages.getPackumentCache();
23
22
  const pacoteCachePath = require_constants_packages.getPacoteCachePath();
24
23
  /**
@@ -68,7 +67,7 @@ async function packPackage(spec, options) {
68
67
  /* c8 ignore start - External package registry packing */
69
68
  return await (0, src_external_libnpmpack.default)(spec, {
70
69
  __proto__: null,
71
- signal: abortSignal,
70
+ signal: require_process_abort.getAbortSignal(),
72
71
  ...options,
73
72
  packumentCache,
74
73
  preferOffline: true
@@ -1,16 +1,6 @@
1
1
  /**
2
2
  * @file Package name validation utilities.
3
3
  */
4
- /**
5
- * Check if package name is a blessed Socket.dev package.
6
- *
7
- * @example
8
- * ;```typescript
9
- * isBlessedPackageName('@socketregistry/is-number') // true
10
- * isBlessedPackageName('lodash') // false
11
- * ```
12
- */
13
- export declare function isBlessedPackageName(name: unknown): boolean;
14
4
  /**
15
5
  * Check if a type string represents a registry fetcher type.
16
6
  *