@socketsecurity/lib 6.0.8 → 6.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +28 -0
- package/README.md +8 -9
- package/dist/abort/signal.d.ts +1 -1
- package/dist/abort/signal.js +1 -1
- package/dist/ai/agent-context.d.mts +1 -1
- package/dist/ai/agent-context.js +3 -2
- package/dist/ai/backends.d.mts +3 -3
- package/dist/ai/backends.js +2 -2
- package/dist/ai/billing-context.d.mts +74 -0
- package/dist/ai/billing-context.js +129 -0
- package/dist/ai/credentials.d.mts +39 -5
- package/dist/ai/credentials.js +61 -6
- package/dist/ai/discover.d.mts +4 -0
- package/dist/ai/discover.js +4 -0
- package/dist/ai/exec.d.mts +1 -1
- package/dist/ai/exec.js +1 -1
- package/dist/ai/http.d.mts +8 -8
- package/dist/ai/http.js +6 -6
- package/dist/ai/profiles.d.mts +9 -10
- package/dist/ai/profiles.js +0 -5
- package/dist/ai/role.d.mts +58 -0
- package/dist/ai/role.js +96 -0
- package/dist/ai/route-heuristic.d.mts +177 -0
- package/dist/ai/route-heuristic.js +194 -0
- package/dist/ai/route.d.mts +31 -17
- package/dist/ai/route.js +35 -19
- package/dist/ai/spawn.d.mts +34 -1
- package/dist/ai/spawn.js +115 -3
- package/dist/ai/subagent-status.d.mts +2 -0
- package/dist/ai/subagent-status.js +2 -0
- package/dist/ai/tier.d.mts +1 -1
- package/dist/ai/types.d.mts +19 -2
- package/dist/ai/worktree.d.mts +1 -1
- package/dist/ai/worktree.js +3 -2
- package/dist/argv/parse.d.ts +2 -0
- package/dist/argv/parse.js +2 -0
- package/dist/bin/_internal.d.ts +1 -1
- package/dist/bin/_internal.js +1 -1
- package/dist/bin/prim.cjs +19253 -13937
- package/dist/bin/resolve.js +1 -1
- package/dist/bin/shadow.js +2 -1
- package/dist/bin/which.d.ts +28 -3
- package/dist/bin/which.js +45 -3
- package/dist/cacache/_internal.d.ts +10 -2
- package/dist/cacache/_internal.js +6 -10
- package/dist/cache/ttl/_internal.d.ts +33 -0
- package/dist/cache/ttl/_internal.js +68 -0
- package/dist/cache/ttl/browser.d.ts +56 -0
- package/dist/cache/ttl/browser.js +257 -0
- package/dist/cache/ttl/store.js +11 -34
- package/dist/cache/ttl/types.d.ts +46 -3
- package/dist/checks/primordials-defaults.d.ts +5 -5
- package/dist/checks/primordials-defaults.js +5 -5
- package/dist/checks/primordials.d.ts +1 -1
- package/dist/checks/primordials.js +25 -17
- package/dist/cli/check-primordials.d.ts +6 -1
- package/dist/cli/check-primordials.js +14 -5
- package/dist/cli/check.js +1 -1
- package/dist/cli/socket-lib.d.ts +1 -1
- package/dist/cli/socket-lib.js +3 -3
- package/dist/colors/socket-palette.d.ts +1 -1
- package/dist/compression/brotli.d.ts +6 -2
- package/dist/compression/brotli.js +5 -1
- package/dist/compression/gzip.d.ts +6 -2
- package/dist/compression/gzip.js +7 -2
- package/dist/config/layers.d.ts +53 -0
- package/dist/config/layers.js +83 -0
- package/dist/constants/agents.d.ts +3 -0
- package/dist/constants/agents.js +3 -0
- package/dist/constants/node.d.ts +14 -0
- package/dist/constants/node.js +14 -0
- package/dist/constants/package-default-node-range.js +1 -5
- package/dist/constants/packages.d.ts +5 -0
- package/dist/constants/packages.js +5 -0
- package/dist/constants/platform.d.ts +1 -1
- package/dist/constants/platform.js +1 -1
- package/dist/constants/socket.js +1 -1
- package/dist/constants/typescript.d.ts +5 -0
- package/dist/constants/typescript.js +5 -0
- package/dist/debug/_internal.d.ts +22 -7
- package/dist/debug/_internal.js +33 -15
- package/dist/debug/caller-info.js +1 -1
- package/dist/debug/namespace.js +11 -8
- package/dist/debug/output.d.ts +12 -1
- package/dist/debug/output.js +33 -16
- package/dist/dlx/binary-cache.js +1 -1
- package/dist/dlx/binary-resolution.js +8 -5
- package/dist/dlx/firewall.js +1 -1
- package/dist/dlx/lockfile.js +1 -1
- package/dist/eco/npm/npm/parse-lockfile.js +3 -2
- package/dist/eco/npm/vlt/exec.d.ts +1 -1
- package/dist/eco/npm/vlt/exec.js +1 -1
- package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +1 -1
- package/dist/env/agents.d.ts +6 -0
- package/dist/env/agents.js +29 -0
- package/dist/env/flags.d.ts +12 -0
- package/dist/env/flags.js +23 -0
- package/dist/env/github-status.js +2 -2
- package/dist/env/providers.d.ts +6 -0
- package/dist/env/providers.js +23 -0
- package/dist/env/proxy.js +1 -1
- package/dist/env/rewire.d.ts +37 -3
- package/dist/env/rewire.js +60 -29
- package/dist/env/runtimes.d.ts +9 -0
- package/dist/env/runtimes.js +53 -0
- package/dist/env/socket-cli.d.ts +5 -2
- package/dist/env/socket-cli.js +6 -3
- package/dist/env/xdg.d.ts +17 -0
- package/dist/env/xdg.js +21 -1
- package/dist/errors/predicates.d.ts +3 -2
- package/dist/errors/predicates.js +5 -3
- package/dist/events/exit/_internal.d.ts +1 -23
- package/dist/external/@npmcli/package-json.js +3570 -4905
- package/dist/external/@npmcli/promise-spawn.js +2 -2
- package/dist/external/@sinclair/typebox/value.js +5 -4
- package/dist/external/@socketregistry/yocto-spinner.js +3 -3
- package/dist/external/@yarnpkg/extensions.js +1 -1
- package/dist/external/adm-zip.d.ts +82 -0
- package/dist/external/adm-zip.js +2 -2
- package/dist/external/cacache.d.ts +87 -0
- package/dist/external/debug.d.ts +22 -0
- package/dist/external/debug.js +11 -4
- package/dist/external/del.d.ts +1 -0
- package/dist/external/external-pack.d.ts +12 -0
- package/dist/external/external-pack.js +42 -35
- package/dist/external/fast-glob.d.ts +8 -0
- package/dist/external/fast-sort.d.ts +1 -0
- package/dist/external/get-east-asian-width.d.ts +5 -0
- package/dist/external/get-east-asian-width.js +8 -1
- package/dist/external/has-flag.d.ts +1 -0
- package/dist/external/inquirer-pack.d.ts +18 -0
- package/dist/external/libnpmexec.d.ts +35 -0
- package/dist/external/libnpmpack.d.ts +1 -0
- package/dist/external/make-fetch-happen.d.ts +13 -0
- package/dist/external/normalize-package-data.d.ts +4 -0
- package/dist/external/npm-core.d.ts +14 -0
- package/dist/external/npm-pack.d.ts +24 -0
- package/dist/external/npm-pack.js +28934 -31885
- package/dist/external/npm-package-arg.d.ts +4 -0
- package/dist/external/p-map.js +8 -1
- package/dist/external/pacote.d.ts +15 -0
- package/dist/external/pico-pack.d.ts +16 -0
- package/dist/external/pico-pack.js +38 -23
- package/dist/external/picomatch.d.ts +96 -0
- package/dist/external/pony-cause.d.ts +14 -0
- package/dist/external/semver.d.ts +60 -0
- package/dist/external/semver.js +1459 -4
- package/dist/external/shell-quote.d.ts +51 -0
- package/dist/external/shell-quote.js +55 -15
- package/dist/external/signal-exit.d.ts +1 -0
- package/dist/external/spdx-correct.d.ts +4 -0
- package/dist/external/spdx-expression-parse.d.ts +4 -0
- package/dist/external/spdx-pack.d.ts +10 -0
- package/dist/external/std-env.d.ts +284 -0
- package/dist/external/std-env.js +323 -0
- package/dist/external/streaming-iterables.d.ts +11 -0
- package/dist/external/supports-color.d.ts +1 -0
- package/dist/external/tar-fs.d.ts +31 -0
- package/dist/external/tar-fs.js +63 -16
- package/dist/external/validate-npm-package-name.d.ts +4 -0
- package/dist/external/which.d.ts +25 -0
- package/dist/external/which.js +2 -2
- package/dist/external/yargs-parser.d.ts +2 -0
- package/dist/external/yargs-parser.js +11 -3
- package/dist/external/yoctocolors-cjs.d.ts +51 -0
- package/dist/external-tools/bazel/asset-names.d.ts +1 -1
- package/dist/external-tools/bazel/from-download.d.ts +1 -1
- package/dist/external-tools/bazel/resolve.d.ts +3 -0
- package/dist/external-tools/bazel/resolve.js +3 -0
- package/dist/external-tools/cdxgen/asset-names.d.ts +5 -5
- package/dist/external-tools/cdxgen/asset-names.js +3 -3
- package/dist/external-tools/cdxgen/from-download.d.ts +2 -2
- package/dist/external-tools/cdxgen/from-download.js +1 -1
- package/dist/external-tools/cdxgen/resolve.d.ts +4 -1
- package/dist/external-tools/cdxgen/resolve.js +4 -1
- package/dist/external-tools/cdxgen/types.d.ts +1 -1
- package/dist/external-tools/from-download.d.ts +2 -2
- package/dist/external-tools/from-download.js +1 -1
- package/dist/external-tools/janus/asset-names.d.ts +4 -1
- package/dist/external-tools/janus/asset-names.js +3 -0
- package/dist/external-tools/janus/from-download.d.ts +3 -3
- package/dist/external-tools/janus/from-download.js +2 -2
- package/dist/external-tools/janus/resolve.d.ts +3 -0
- package/dist/external-tools/janus/resolve.js +3 -0
- package/dist/external-tools/jre/asset-names.d.ts +3 -1
- package/dist/external-tools/jre/asset-names.js +2 -0
- package/dist/external-tools/jre/detect-platform-arch.js +1 -1
- package/dist/external-tools/jre/from-download.d.ts +1 -1
- package/dist/external-tools/manifest.d.ts +5 -3
- package/dist/external-tools/manifest.js +5 -3
- package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
- package/dist/external-tools/opengrep/resolve.d.ts +3 -0
- package/dist/external-tools/opengrep/resolve.js +3 -0
- package/dist/external-tools/python/asset-names.d.ts +3 -1
- package/dist/external-tools/python/asset-names.js +8 -4
- package/dist/external-tools/python/pin.js +3 -1
- package/dist/external-tools/python/resolve.d.ts +3 -0
- package/dist/external-tools/python/resolve.js +3 -0
- package/dist/external-tools/python/uv-install.d.ts +89 -0
- package/dist/external-tools/python/uv-install.js +165 -0
- package/dist/external-tools/sbt/resolve.d.ts +3 -0
- package/dist/external-tools/sbt/resolve.js +3 -0
- package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
- package/dist/external-tools/skillspector/from-uv.js +56 -0
- package/dist/external-tools/skillspector/resolve.d.ts +18 -3
- package/dist/external-tools/skillspector/resolve.js +21 -8
- package/dist/external-tools/skillspector/types.d.ts +3 -1
- package/dist/external-tools/synp/resolve.d.ts +3 -0
- package/dist/external-tools/synp/resolve.js +3 -0
- package/dist/external-tools/trivy/asset-names.d.ts +1 -1
- package/dist/external-tools/trivy/resolve.d.ts +3 -0
- package/dist/external-tools/trivy/resolve.js +3 -0
- package/dist/external-tools/trufflehog/asset-names.d.ts +4 -1
- package/dist/external-tools/trufflehog/asset-names.js +3 -0
- package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
- package/dist/external-tools/trufflehog/resolve.d.ts +3 -0
- package/dist/external-tools/trufflehog/resolve.js +3 -0
- package/dist/external-tools/uv/asset-names.d.ts +36 -0
- package/dist/external-tools/uv/asset-names.js +73 -0
- package/dist/external-tools/uv/from-download.d.ts +17 -0
- package/dist/external-tools/uv/from-download.js +50 -0
- package/dist/external-tools/uv/from-path.d.ts +5 -0
- package/dist/external-tools/uv/from-path.js +22 -0
- package/dist/external-tools/uv/from-vfs.d.ts +7 -0
- package/dist/external-tools/uv/from-vfs.js +26 -0
- package/dist/external-tools/uv/resolve.d.ts +28 -0
- package/dist/external-tools/uv/resolve.js +64 -0
- package/dist/external-tools/uv/types.d.ts +24 -0
- package/dist/external-tools/uv/types.js +2 -0
- package/dist/fleet/repo-config.d.ts +55 -0
- package/dist/fleet/repo-config.js +81 -0
- package/dist/fs/_internal.d.ts +1 -1
- package/dist/fs/_internal.js +1 -1
- package/dist/fs/access.d.ts +2 -0
- package/dist/fs/access.js +2 -0
- package/dist/fs/copy.d.ts +88 -0
- package/dist/fs/copy.js +89 -0
- package/dist/fs/find.js +1 -2
- package/dist/fs/inspect.d.ts +2 -2
- package/dist/fs/read-file.js +3 -4
- package/dist/fs/safe.js +2 -2
- package/dist/git/_internal.js +7 -3
- package/dist/github/commit.d.ts +92 -0
- package/dist/github/commit.js +113 -0
- package/dist/github/ghsa.js +1 -1
- package/dist/github/refs-graphql.js +1 -1
- package/dist/github/refs.js +10 -15
- package/dist/github/request.js +1 -1
- package/dist/github/token.d.ts +5 -2
- package/dist/github/token.js +6 -4
- package/dist/github/workflow-runs.d.ts +107 -0
- package/dist/github/workflow-runs.js +98 -0
- package/dist/globs/_internal.js +1 -1
- package/dist/http-request/_internal.d.ts +1 -1
- package/dist/http-request/browser.d.ts +6 -0
- package/dist/http-request/browser.js +4 -3
- package/dist/http-request/checksum-file.js +1 -1
- package/dist/http-request/download.js +2 -0
- package/dist/http-request/headers.d.ts +1 -1
- package/dist/http-request/headers.js +2 -2
- package/dist/http-request/request-attempt.js +6 -3
- package/dist/http-request/request-types.d.ts +10 -1
- package/dist/http-request/request.js +2 -2
- package/dist/http-request/user-agent.d.ts +23 -2
- package/dist/http-request/user-agent.js +48 -6
- package/dist/integrity.d.ts +127 -78
- package/dist/integrity.js +170 -84
- package/dist/json/format.js +4 -1
- package/dist/logger/_internal.d.ts +13 -15
- package/dist/logger/_internal.js +21 -21
- package/dist/logger/colors.d.ts +10 -5
- package/dist/logger/colors.js +7 -14
- package/dist/logger/console-methods.js +2 -2
- package/dist/logger/console.d.ts +1 -0
- package/dist/logger/console.js +9 -9
- package/dist/logger/node.js +2 -1
- package/dist/logger/symbols-builder.js +7 -8
- package/dist/logger/symbols.js +8 -8
- package/dist/native-messaging/install.js +1 -1
- package/dist/native-messaging/rate-limit.d.ts +4 -1
- package/dist/native-messaging/rate-limit.js +4 -1
- package/dist/node/events.d.ts +3 -0
- package/dist/node/events.js +3 -0
- package/dist/node/fs.d.ts +1 -1
- package/dist/node/module.d.ts +73 -2
- package/dist/node/module.js +97 -12
- package/dist/node/timers-promises.d.ts +3 -0
- package/dist/node/timers-promises.js +3 -0
- package/dist/node/url.d.ts +3 -0
- package/dist/node/url.js +3 -0
- package/dist/npm/meta-cache.d.ts +183 -0
- package/dist/npm/meta-cache.js +318 -0
- package/dist/npm/meta-slice.d.ts +27 -0
- package/dist/npm/meta-slice.js +68 -0
- package/dist/npm/meta-types.d.ts +282 -0
- package/dist/npm/meta-types.js +2 -0
- package/dist/npm/meta.d.ts +125 -0
- package/dist/npm/meta.js +347 -0
- package/dist/npm/registry.d.ts +212 -0
- package/dist/npm/registry.js +284 -0
- package/dist/objects/getters.d.ts +1 -1
- package/dist/objects/getters.js +1 -1
- package/dist/objects/predicates.js +1 -1
- package/dist/packages/exports.js +2 -2
- package/dist/packages/isolation.js +1 -1
- package/dist/packages/manifest.d.ts +29 -0
- package/dist/packages/manifest.js +44 -9
- package/dist/packages/metadata-extensions.js +2 -4
- package/dist/packages/normalize.js +1 -1
- package/dist/packages/provenance.d.ts +8 -0
- package/dist/packages/provenance.js +10 -2
- package/dist/packages/specs.js +1 -1
- package/dist/packages/tarball.js +1 -2
- package/dist/packages/validation.d.ts +0 -10
- package/dist/packages/validation.js +0 -14
- package/dist/paths/_internal.d.ts +1 -7
- package/dist/paths/_internal.js +9 -15
- package/dist/paths/conversion.js +1 -1
- package/dist/paths/exts.d.ts +30 -0
- package/dist/paths/exts.js +30 -0
- package/dist/paths/filenames.d.ts +6 -0
- package/dist/paths/filenames.js +6 -0
- package/dist/paths/globs.d.ts +6 -0
- package/dist/paths/globs.js +6 -0
- package/dist/paths/normalize.js +1 -1
- package/dist/paths/predicates.js +2 -1
- package/dist/paths/resolve.js +19 -14
- package/dist/paths/socket.d.ts +81 -30
- package/dist/paths/socket.js +102 -28
- package/dist/perf/metrics.js +1 -1
- package/dist/perf/report.js +5 -3
- package/dist/pkg-ext/data.js +0 -2
- package/dist/primordials/globals.d.ts +1 -1
- package/dist/primordials/globals.js +1 -1
- package/dist/primordials/headers.d.ts +13 -1
- package/dist/primordials/headers.js +13 -1
- package/dist/primordials/process.d.ts +1 -1
- package/dist/primordials/process.js +1 -1
- package/dist/primordials/url.d.ts +18 -0
- package/dist/primordials/url.js +18 -0
- package/dist/process/spawn/child.js +3 -5
- package/dist/promises/_internal.d.ts +1 -1
- package/dist/promises/_internal.js +1 -2
- package/dist/promises/options.js +3 -3
- package/dist/regexps/spec.js +1 -1
- package/dist/releases/socket-btm-binary-naming.js +12 -1
- package/dist/schema/validate.js +1 -1
- package/dist/secrets/_internal.d.ts +1 -1
- package/dist/secrets/_internal.js +1 -1
- package/dist/secrets/broker.d.ts +35 -0
- package/dist/secrets/broker.js +72 -0
- package/dist/secrets/find.d.ts +8 -6
- package/dist/secrets/find.js +17 -3
- package/dist/secrets/keychain.d.ts +10 -1
- package/dist/secrets/keychain.js +10 -1
- package/dist/secrets/rc.js +1 -1
- package/dist/secrets/socket-api-token.d.ts +1 -1
- package/dist/secrets/socket-api-token.js +1 -1
- package/dist/secrets/types.d.ts +1 -1
- package/dist/smol/detect.js +1 -1
- package/dist/smol/http.d.ts +2 -0
- package/dist/smol/http.js +3 -1
- package/dist/smol/https.d.ts +2 -0
- package/dist/smol/https.js +3 -1
- package/dist/smol/manifest.js +1 -1
- package/dist/smol/path.js +1 -1
- package/dist/smol/primordial.js +1 -1
- package/dist/smol/purl.js +1 -1
- package/dist/smol/versions.js +1 -1
- package/dist/smol/vfs.js +1 -1
- package/dist/sorts/_internal.d.ts +2 -4
- package/dist/sorts/_internal.js +1 -7
- package/dist/sorts/semver.js +2 -2
- package/dist/spinner/create-spinner-class.js +1 -1
- package/dist/spinner/format.js +2 -4
- package/dist/stdio/footer.js +8 -7
- package/dist/stdio/progress.js +1 -1
- package/dist/stdio/prompts.d.ts +8 -23
- package/dist/stdio/prompts.js +28 -52
- package/dist/strings/format.js +1 -1
- package/dist/strings/predicates.d.ts +2 -2
- package/dist/strings/search.js +2 -2
- package/dist/strings/types.d.ts +4 -0
- package/dist/strings/width.d.ts +1 -0
- package/dist/strings/width.js +17 -8
- package/dist/themes/context.d.ts +18 -3
- package/dist/themes/context.js +28 -14
- package/dist/versions/_internal.d.ts +43 -13
- package/dist/versions/_internal.js +27 -15
- package/dist/versions/compare.d.ts +16 -10
- package/dist/versions/compare.js +36 -16
- package/dist/versions/parse.js +1 -1
- package/dist/versions/range.js +3 -2
- package/dist/words/pluralize.js +4 -1
- package/llms.txt +63 -0
- package/package.json +271 -40
|
@@ -0,0 +1,284 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* Socket Lib - Built with rolldown */
|
|
3
|
+
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_primordials_string = require('../primordials/string.js');
|
|
5
|
+
|
|
6
|
+
//#region src/npm/registry.ts
|
|
7
|
+
/**
|
|
8
|
+
* @file Browser-safe npm registry client — pure parsers + injectable-fetch
|
|
9
|
+
* shell. Safe for Chrome MV3 service workers, content scripts, and any
|
|
10
|
+
* environment without `node:*` builtins. The HTTP adapter is injected by the
|
|
11
|
+
* caller (`{ http: { json } }`) so Node callers pass `httpJson` from
|
|
12
|
+
* `@socketsecurity/lib/http-request` and browser callers pass `httpJson` from
|
|
13
|
+
* `@socketsecurity/lib/http-request/browser`. No network dependency at module
|
|
14
|
+
* load time.
|
|
15
|
+
*
|
|
16
|
+
* ## Endpoints covered
|
|
17
|
+
*
|
|
18
|
+
* - Packument: `registry.npmjs.org/<pkg>`
|
|
19
|
+
* - Version manifest (package.json):
|
|
20
|
+
* `cdn.jsdelivr.net/npm/<pkg>@<ver>/package.json`
|
|
21
|
+
* - Weekly downloads: `api.npmjs.org/downloads/point/last-week/<pkg>`
|
|
22
|
+
* - Attestation bundle: `registry.npmjs.org/-/npm/v1/attestations/<pkg>@<ver>`
|
|
23
|
+
* - Org packages: `registry.npmjs.org/-/org/<org>/package`
|
|
24
|
+
*
|
|
25
|
+
* ## URL encoding
|
|
26
|
+
*
|
|
27
|
+
* Registry endpoints (`registry.npmjs.org`, `api.npmjs.org`): scoped names
|
|
28
|
+
* encode to `@scope%2Fname` (one `encodeURIComponent` call that encodes the
|
|
29
|
+
* slash, then `%40` is restored to `@`).
|
|
30
|
+
* CDN endpoint (`cdn.jsdelivr.net`): scope and name are encoded separately,
|
|
31
|
+
* preserving the literal `/` between them. A prior extension bug sent
|
|
32
|
+
* `@scope%2Fname` to the CDN which returned 400; the fix is this split-encode
|
|
33
|
+
* path.
|
|
34
|
+
*
|
|
35
|
+
* ## Trusted Publisher detection
|
|
36
|
+
*
|
|
37
|
+
* From the packument alone, only `!!dist.attestations` is detectable —
|
|
38
|
+
* proving provenance was signed but not identifying which repo or workflow is
|
|
39
|
+
* configured as the TP. To get repo + workflow call `getAttestations()` then
|
|
40
|
+
* `parseProvenancePredicate()` to parse the SLSA
|
|
41
|
+
* `externalParameters.workflow` field. The npm access page
|
|
42
|
+
* (`/package/<name>/access`) is session-only HTML and is out of scope for
|
|
43
|
+
* this public client.
|
|
44
|
+
*/
|
|
45
|
+
const NPM_REGISTRY = "https://registry.npmjs.org";
|
|
46
|
+
const NPM_DOWNLOADS_API = "https://api.npmjs.org";
|
|
47
|
+
const CDN_JSDELIVR = "https://cdn.jsdelivr.net";
|
|
48
|
+
const SLSA_PROVENANCE_TYPE = "https://slsa.dev/provenance/v1";
|
|
49
|
+
/**
|
|
50
|
+
* Build the CDN path `<encoded-name>@<encoded-version>/package.json`.
|
|
51
|
+
* Exposed as a pure function so callers can construct the full URL themselves.
|
|
52
|
+
*/
|
|
53
|
+
function buildCdnPath(name, version) {
|
|
54
|
+
return `${encodeCdnName(name)}@${encodeURIComponent(version)}/package.json`;
|
|
55
|
+
}
|
|
56
|
+
/**
|
|
57
|
+
* Detect Trusted Publisher configuration from a packument version entry.
|
|
58
|
+
*
|
|
59
|
+
* From the packument alone, only the presence of `dist.attestations` is
|
|
60
|
+
* detectable (`configured: true` means provenance was signed; it does NOT
|
|
61
|
+
* confirm that a TP source is configured on npmjs.com). To get `repo` and
|
|
62
|
+
* `workflow`, fetch the attestation bundle with `getAttestations()` and parse
|
|
63
|
+
* it with `parseProvenancePredicate()`.
|
|
64
|
+
*/
|
|
65
|
+
function detectTrustedPublisher(versionEntry) {
|
|
66
|
+
if (!hasProvenance(versionEntry)) return { configured: false };
|
|
67
|
+
return { configured: true };
|
|
68
|
+
}
|
|
69
|
+
/**
|
|
70
|
+
* Encode a package name for use in registry CDN URLs.
|
|
71
|
+
* Scope and name are encoded individually, preserving the literal `/`.
|
|
72
|
+
* Use this for `cdn.jsdelivr.net` URLs — fixes the `@scope%2Fname` → 400 bug.
|
|
73
|
+
*/
|
|
74
|
+
function encodeCdnName(name) {
|
|
75
|
+
if (require_primordials_string.StringPrototypeIndexOf(name, "/") === -1) return encodeURIComponent(name);
|
|
76
|
+
const slashAt = require_primordials_string.StringPrototypeIndexOf(name, "/");
|
|
77
|
+
const scope = require_primordials_string.StringPrototypeSlice(name, 0, slashAt);
|
|
78
|
+
const pkg = require_primordials_string.StringPrototypeSlice(name, slashAt + 1);
|
|
79
|
+
return `${encodeURIComponent(scope)}/${encodeURIComponent(pkg)}`;
|
|
80
|
+
}
|
|
81
|
+
/**
|
|
82
|
+
* Encode a package name for use in registry / download-API URLs.
|
|
83
|
+
*
|
|
84
|
+
* Registry form (`cdn: false`, the default): `encodeURIComponent` then restore
|
|
85
|
+
* the leading `@` so `@scope/name` → `@scope%2Fname`.
|
|
86
|
+
*
|
|
87
|
+
* CDN form (`cdn: true`): scope and name are encoded individually so the
|
|
88
|
+
* literal `/` separator is preserved: `@scope/name` → `@scope/name` (each
|
|
89
|
+
* segment encoded separately). This fixes the `@scope%2Fname` → 400 bug on
|
|
90
|
+
* `cdn.jsdelivr.net`.
|
|
91
|
+
*
|
|
92
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
93
|
+
*/
|
|
94
|
+
function encodePackageName(name, options) {
|
|
95
|
+
if ({
|
|
96
|
+
__proto__: null,
|
|
97
|
+
cdn: false,
|
|
98
|
+
...options
|
|
99
|
+
}.cdn) return encodeCdnName(name);
|
|
100
|
+
return encodeRegistryName(name);
|
|
101
|
+
}
|
|
102
|
+
/**
|
|
103
|
+
* Encode a package name for use in registry / download-API URLs.
|
|
104
|
+
* Applies `encodeURIComponent` then restores `@` so scoped names become
|
|
105
|
+
* `@scope%2Fname`.
|
|
106
|
+
*/
|
|
107
|
+
function encodeRegistryName(name) {
|
|
108
|
+
return encodeURIComponent(name).replace("%40", "@");
|
|
109
|
+
}
|
|
110
|
+
/**
|
|
111
|
+
* Fetch the attestation bundle for a package version from the npm transparency
|
|
112
|
+
* log. Returns `undefined` when no attestations entry is present in the
|
|
113
|
+
* packument (404 is treated as absent rather than an error).
|
|
114
|
+
*/
|
|
115
|
+
async function getAttestations(name, version, options) {
|
|
116
|
+
const opts = {
|
|
117
|
+
__proto__: null,
|
|
118
|
+
...options
|
|
119
|
+
};
|
|
120
|
+
const encoded = `${encodeRegistryName(name)}@${encodeURIComponent(version)}`;
|
|
121
|
+
const url = `${NPM_REGISTRY}/-/npm/v1/attestations/${encoded}`;
|
|
122
|
+
try {
|
|
123
|
+
return await opts.http.json(url);
|
|
124
|
+
} catch {
|
|
125
|
+
return;
|
|
126
|
+
}
|
|
127
|
+
}
|
|
128
|
+
/**
|
|
129
|
+
* Fetch the list of packages belonging to an npm org.
|
|
130
|
+
* Returns package names as a string array.
|
|
131
|
+
*/
|
|
132
|
+
async function getOrgPackages(org, options) {
|
|
133
|
+
const opts = {
|
|
134
|
+
__proto__: null,
|
|
135
|
+
...options
|
|
136
|
+
};
|
|
137
|
+
const url = `${NPM_REGISTRY}/-/org/${encodeURIComponent(org)}/package`;
|
|
138
|
+
const raw = await opts.http.json(url);
|
|
139
|
+
return Object.keys(raw);
|
|
140
|
+
}
|
|
141
|
+
/**
|
|
142
|
+
* Fetch and parse the full packument for a package.
|
|
143
|
+
*/
|
|
144
|
+
async function getPackument(name, options) {
|
|
145
|
+
const opts = {
|
|
146
|
+
__proto__: null,
|
|
147
|
+
...options
|
|
148
|
+
};
|
|
149
|
+
const url = `${NPM_REGISTRY}/${encodeRegistryName(name)}`;
|
|
150
|
+
const parsed = parsePackument(await opts.http.json(url));
|
|
151
|
+
if (!parsed) throw new Error(`getPackument: invalid packument response for "${name}" from ${url}`);
|
|
152
|
+
return parsed;
|
|
153
|
+
}
|
|
154
|
+
/**
|
|
155
|
+
* Fetch a version's package.json via the jsDelivr CDN.
|
|
156
|
+
*
|
|
157
|
+
* Uses split-encode for scoped names so `cdn.jsdelivr.net` receives the literal
|
|
158
|
+
* `/` between scope and name (not `%2F` which causes 400s).
|
|
159
|
+
*
|
|
160
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
161
|
+
*/
|
|
162
|
+
async function getVersionManifest(name, version, options) {
|
|
163
|
+
const opts = {
|
|
164
|
+
__proto__: null,
|
|
165
|
+
...options
|
|
166
|
+
};
|
|
167
|
+
const cdnPath = buildCdnPath(name, version);
|
|
168
|
+
const url = `${CDN_JSDELIVR}/npm/${cdnPath}`;
|
|
169
|
+
return opts.http.json(url);
|
|
170
|
+
}
|
|
171
|
+
/**
|
|
172
|
+
* Fetch last-week download counts for a package from the npm downloads API.
|
|
173
|
+
*
|
|
174
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
175
|
+
*/
|
|
176
|
+
async function getWeeklyDownloads(name, options) {
|
|
177
|
+
const opts = {
|
|
178
|
+
__proto__: null,
|
|
179
|
+
...options
|
|
180
|
+
};
|
|
181
|
+
const url = `${NPM_DOWNLOADS_API}/downloads/point/last-week/${encodeRegistryName(name)}`;
|
|
182
|
+
return opts.http.json(url);
|
|
183
|
+
}
|
|
184
|
+
/**
|
|
185
|
+
* Return true when `versionEntry.dist.attestations` is present — indicating a
|
|
186
|
+
* SLSA provenance attestation was produced for this version.
|
|
187
|
+
*/
|
|
188
|
+
function hasProvenance(versionEntry) {
|
|
189
|
+
return !!versionEntry.dist?.attestations;
|
|
190
|
+
}
|
|
191
|
+
/**
|
|
192
|
+
* Return `true` when `version` of `name` is already published to the registry.
|
|
193
|
+
* Authoritative — reads the packument's `versions` map rather than a CDN, so a
|
|
194
|
+
* pre-publish guard never false-negatives on CDN lag (the asymmetric-cost case:
|
|
195
|
+
* a wrong "not published" invites a duplicate-version publish attempt). Returns
|
|
196
|
+
* `false` when the package does not exist or the packument fetch fails.
|
|
197
|
+
*
|
|
198
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
199
|
+
*/
|
|
200
|
+
async function isVersionPublished(name, version, options) {
|
|
201
|
+
try {
|
|
202
|
+
return (await getPackument(name, options)).versions[version] !== void 0;
|
|
203
|
+
} catch {
|
|
204
|
+
return false;
|
|
205
|
+
}
|
|
206
|
+
}
|
|
207
|
+
/**
|
|
208
|
+
* Parse a raw packument JSON response into a typed `PackumentRecord`.
|
|
209
|
+
* Adds the `distTags` alias for `dist-tags` so callers don't need bracket
|
|
210
|
+
* notation. Returns `undefined` when the input is not a valid packument shape.
|
|
211
|
+
*/
|
|
212
|
+
function parsePackument(raw) {
|
|
213
|
+
if (raw === void 0 || raw === null || typeof raw !== "object" || !("versions" in raw) || !("dist-tags" in raw)) return;
|
|
214
|
+
const rec = raw;
|
|
215
|
+
return {
|
|
216
|
+
"dist-tags": rec["dist-tags"] ?? {},
|
|
217
|
+
distTags: rec["dist-tags"] ?? {},
|
|
218
|
+
name: typeof rec.name === "string" ? rec.name : "",
|
|
219
|
+
time: rec.time,
|
|
220
|
+
versions: rec.versions ?? {}
|
|
221
|
+
};
|
|
222
|
+
}
|
|
223
|
+
/**
|
|
224
|
+
* Parse an npm transparency-log attestation bundle (the JSON returned from
|
|
225
|
+
* `registry.npmjs.org/-/npm/v1/attestations/<pkg>@<ver>`) and extract the
|
|
226
|
+
* SLSA provenance predicate.
|
|
227
|
+
*
|
|
228
|
+
* Returns the first SLSA provenance v1 predicate found, or `undefined` when
|
|
229
|
+
* none is present or the bundle is malformed.
|
|
230
|
+
*/
|
|
231
|
+
function parseProvenancePredicate(bundle) {
|
|
232
|
+
if (bundle === void 0 || bundle === null || typeof bundle !== "object" || !("attestations" in bundle) || !Array.isArray(bundle.attestations)) return;
|
|
233
|
+
const { attestations } = bundle;
|
|
234
|
+
/* c8 ignore start - the prior Array.isArray guard above already narrows
|
|
235
|
+
* `attestations` to a real array; even an empty array is truthy, so this
|
|
236
|
+
* falsy-check can never take its true branch at runtime. Kept only to
|
|
237
|
+
* satisfy the optional `attestations?: ... | undefined` field type. */
|
|
238
|
+
if (!attestations) return;
|
|
239
|
+
/* c8 ignore stop */
|
|
240
|
+
for (const entry of attestations) {
|
|
241
|
+
if (entry.predicateType !== SLSA_PROVENANCE_TYPE) continue;
|
|
242
|
+
const b = entry.bundle;
|
|
243
|
+
if (b === void 0 || b === null || typeof b !== "object") continue;
|
|
244
|
+
const verificationMaterial = b.verificationMaterial;
|
|
245
|
+
if (verificationMaterial === void 0 || verificationMaterial === null || typeof verificationMaterial !== "object") continue;
|
|
246
|
+
const content = verificationMaterial.content;
|
|
247
|
+
if (typeof content !== "string") continue;
|
|
248
|
+
let parsed;
|
|
249
|
+
try {
|
|
250
|
+
parsed = JSON.parse(content);
|
|
251
|
+
} catch {
|
|
252
|
+
continue;
|
|
253
|
+
}
|
|
254
|
+
if (parsed === void 0 || parsed === null || typeof parsed !== "object") continue;
|
|
255
|
+
const envelope = parsed;
|
|
256
|
+
if (typeof envelope.payload !== "string") continue;
|
|
257
|
+
let payload;
|
|
258
|
+
try {
|
|
259
|
+
payload = JSON.parse(atob(envelope.payload));
|
|
260
|
+
} catch {
|
|
261
|
+
continue;
|
|
262
|
+
}
|
|
263
|
+
if (payload === void 0 || payload === null || typeof payload !== "object") continue;
|
|
264
|
+
const statement = payload;
|
|
265
|
+
if (statement.predicate === void 0 || statement.predicate === null || typeof statement.predicate !== "object") continue;
|
|
266
|
+
return statement.predicate;
|
|
267
|
+
}
|
|
268
|
+
}
|
|
269
|
+
|
|
270
|
+
//#endregion
|
|
271
|
+
exports.buildCdnPath = buildCdnPath;
|
|
272
|
+
exports.detectTrustedPublisher = detectTrustedPublisher;
|
|
273
|
+
exports.encodeCdnName = encodeCdnName;
|
|
274
|
+
exports.encodePackageName = encodePackageName;
|
|
275
|
+
exports.encodeRegistryName = encodeRegistryName;
|
|
276
|
+
exports.getAttestations = getAttestations;
|
|
277
|
+
exports.getOrgPackages = getOrgPackages;
|
|
278
|
+
exports.getPackument = getPackument;
|
|
279
|
+
exports.getVersionManifest = getVersionManifest;
|
|
280
|
+
exports.getWeeklyDownloads = getWeeklyDownloads;
|
|
281
|
+
exports.hasProvenance = hasProvenance;
|
|
282
|
+
exports.isVersionPublished = isVersionPublished;
|
|
283
|
+
exports.parsePackument = parsePackument;
|
|
284
|
+
exports.parseProvenancePredicate = parseProvenancePredicate;
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* @file Lazy-getter primitives + `createConstantsObject`.
|
|
3
|
-
* `createConstantsObject` is the most-used factory in this module —
|
|
3
|
+
* `createConstantsObject` is the most-used factory in this module — Socket
|
|
4
4
|
* repos use it to assemble frozen settings objects with a mix of eager
|
|
5
5
|
* values, lazy-computed values, and internals reachable through
|
|
6
6
|
* `kInternalsSymbol`. The `defineLazyGetter*` helpers underneath are the
|
package/dist/objects/getters.js
CHANGED
|
@@ -10,7 +10,7 @@ const require_objects_sort = require('./sort.js');
|
|
|
10
10
|
//#region src/objects/getters.ts
|
|
11
11
|
/**
|
|
12
12
|
* @file Lazy-getter primitives + `createConstantsObject`.
|
|
13
|
-
* `createConstantsObject` is the most-used factory in this module —
|
|
13
|
+
* `createConstantsObject` is the most-used factory in this module — Socket
|
|
14
14
|
* repos use it to assemble frozen settings objects with a mix of eager
|
|
15
15
|
* values, lazy-computed values, and internals reachable through
|
|
16
16
|
* `kInternalsSymbol`. The `defineLazyGetter*` helpers underneath are the
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
-
const require_arrays_predicates = require('../arrays/predicates.js');
|
|
5
4
|
const require_primordials_object = require('../primordials/object.js');
|
|
5
|
+
const require_arrays_predicates = require('../arrays/predicates.js');
|
|
6
6
|
|
|
7
7
|
//#region src/objects/predicates.ts
|
|
8
8
|
/**
|
package/dist/packages/exports.js
CHANGED
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_primordials_error = require('../primordials/error.js');
|
|
5
|
-
const require_arrays_predicates = require('../arrays/predicates.js');
|
|
6
5
|
const require_primordials_object = require('../primordials/object.js');
|
|
6
|
+
const require_primordials_string = require('../primordials/string.js');
|
|
7
|
+
const require_arrays_predicates = require('../arrays/predicates.js');
|
|
7
8
|
const require_objects_predicates = require('../objects/predicates.js');
|
|
8
9
|
const require_primordials_map_set = require('../primordials/map-set.js');
|
|
9
|
-
const require_primordials_string = require('../primordials/string.js');
|
|
10
10
|
const require_primordials_array = require('../primordials/array.js');
|
|
11
11
|
const require_constants_sentinels = require('../constants/sentinels.js');
|
|
12
12
|
|
|
@@ -3,9 +3,9 @@
|
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_runtime = require('../_virtual/_rolldown/runtime.js');
|
|
5
5
|
const require_primordials_error = require('../primordials/error.js');
|
|
6
|
-
const require_constants_platform = require('../constants/platform.js');
|
|
7
6
|
const require_primordials_object = require('../primordials/object.js');
|
|
8
7
|
const require_primordials_string = require('../primordials/string.js');
|
|
8
|
+
const require_constants_platform = require('../constants/platform.js');
|
|
9
9
|
const require_paths_conversion = require('../paths/conversion.js');
|
|
10
10
|
const require_paths_predicates = require('../paths/predicates.js');
|
|
11
11
|
const require_node_fs = require('../node/fs.js');
|
|
@@ -32,3 +32,32 @@ export declare function fetchPackageManifest(pkgNameOrId: string, options?: Paco
|
|
|
32
32
|
* ```
|
|
33
33
|
*/
|
|
34
34
|
export declare function fetchPackagePackument(pkgNameOrId: string, options?: PacoteOptions): Promise<unknown>;
|
|
35
|
+
/**
|
|
36
|
+
* Dev/build-only top-level package.json fields not needed at runtime. The
|
|
37
|
+
* conservative default for {@link trimPublishManifest}; extend per-package via
|
|
38
|
+
* its `drop` option.
|
|
39
|
+
*/
|
|
40
|
+
export declare const DEFAULT_TRIM_FIELDS: readonly string[];
|
|
41
|
+
export interface TrimPublishManifestOptions {
|
|
42
|
+
/**
|
|
43
|
+
* Top-level fields to omit (defaults to {@link DEFAULT_TRIM_FIELDS}).
|
|
44
|
+
*/
|
|
45
|
+
readonly drop?: readonly string[] | undefined;
|
|
46
|
+
/**
|
|
47
|
+
* Fields to KEEP even when listed in `drop` (e.g. a runtime postinstall).
|
|
48
|
+
*/
|
|
49
|
+
readonly keep?: readonly string[] | undefined;
|
|
50
|
+
}
|
|
51
|
+
/**
|
|
52
|
+
* Return a shallow copy of `manifest` that omits dev/build-only top-level
|
|
53
|
+
* fields so a published tarball + its npm metadata stay lean (npm caps total
|
|
54
|
+
* per-package metadata at 100 MB). The original object is left intact; persist
|
|
55
|
+
* the result only for the publish, never over the repo's own package.json.
|
|
56
|
+
*
|
|
57
|
+
* @example
|
|
58
|
+
* ;```typescript
|
|
59
|
+
* const lean = trimPublishManifest(pkg) // omits devDependencies + scripts
|
|
60
|
+
* const kept = trimPublishManifest(pkg, { keep: ['scripts'] })
|
|
61
|
+
* ```
|
|
62
|
+
*/
|
|
63
|
+
export declare function trimPublishManifest(manifest: PackageJson, options?: TrimPublishManifestOptions | undefined): PackageJson;
|
|
@@ -2,19 +2,18 @@
|
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_runtime = require('../_virtual/_rolldown/runtime.js');
|
|
5
|
-
const require_arrays_predicates = require('../arrays/predicates.js');
|
|
6
5
|
const require_primordials_object = require('../primordials/object.js');
|
|
6
|
+
const require_arrays_predicates = require('../arrays/predicates.js');
|
|
7
7
|
const require_objects_predicates = require('../objects/predicates.js');
|
|
8
8
|
const require_process_abort = require('../process/abort.js');
|
|
9
9
|
const require_constants_socket = require('../constants/socket.js');
|
|
10
10
|
const require_constants_packages = require('../constants/packages.js');
|
|
11
|
+
const require_versions__internal = require('../versions/_internal.js');
|
|
11
12
|
const require_objects_sort = require('../objects/sort.js');
|
|
12
13
|
const require_packages_exports = require('./exports.js');
|
|
13
14
|
const require_packages_validation = require('./validation.js');
|
|
14
15
|
let src_external_npm_package_arg = require("../external/npm-package-arg");
|
|
15
16
|
src_external_npm_package_arg = require_runtime.__toESM(src_external_npm_package_arg);
|
|
16
|
-
let src_external_semver = require("../external/semver");
|
|
17
|
-
src_external_semver = require_runtime.__toESM(src_external_semver);
|
|
18
17
|
let src_external_pacote = require("../external/pacote");
|
|
19
18
|
src_external_pacote = require_runtime.__toESM(src_external_pacote);
|
|
20
19
|
|
|
@@ -22,7 +21,6 @@ src_external_pacote = require_runtime.__toESM(src_external_pacote);
|
|
|
22
21
|
/**
|
|
23
22
|
* @file Package manifest and packument fetching utilities.
|
|
24
23
|
*/
|
|
25
|
-
const abortSignal = require_process_abort.getAbortSignal();
|
|
26
24
|
const packageDefaultNodeRange = require_constants_packages.getPackageDefaultNodeRange();
|
|
27
25
|
const PACKAGE_DEFAULT_SOCKET_CATEGORIES = require_constants_packages.getPackageDefaultSocketCategories();
|
|
28
26
|
const packumentCache = require_constants_packages.getPackumentCache();
|
|
@@ -72,8 +70,9 @@ function createPackageJson(sockRegPkgName, directory, options) {
|
|
|
72
70
|
if (strKey === "node") {
|
|
73
71
|
const { 1: range } = result;
|
|
74
72
|
if (typeof range === "string" && range && packageDefaultNodeRange) {
|
|
75
|
-
const
|
|
76
|
-
|
|
73
|
+
const semver = require_versions__internal.getSemver();
|
|
74
|
+
const coercedRange = semver.coerce(range);
|
|
75
|
+
if (!semver.satisfies(coercedRange?.version ?? "0.0.0", packageDefaultNodeRange)) result[1] = packageDefaultNodeRange;
|
|
77
76
|
}
|
|
78
77
|
}
|
|
79
78
|
return result;
|
|
@@ -93,7 +92,7 @@ function createPackageJson(sockRegPkgName, directory, options) {
|
|
|
93
92
|
async function fetchPackageManifest(pkgNameOrId, options) {
|
|
94
93
|
const pacoteOptions = {
|
|
95
94
|
__proto__: null,
|
|
96
|
-
signal:
|
|
95
|
+
signal: require_process_abort.getAbortSignal(),
|
|
97
96
|
...options,
|
|
98
97
|
packumentCache,
|
|
99
98
|
preferOffline: true
|
|
@@ -125,15 +124,51 @@ async function fetchPackagePackument(pkgNameOrId, options) {
|
|
|
125
124
|
try {
|
|
126
125
|
return await src_external_pacote.default.packument(pkgNameOrId, {
|
|
127
126
|
__proto__: null,
|
|
128
|
-
signal:
|
|
127
|
+
signal: require_process_abort.getAbortSignal(),
|
|
129
128
|
...options,
|
|
130
129
|
packumentCache,
|
|
131
130
|
preferOffline: true
|
|
132
131
|
});
|
|
133
132
|
} catch {}
|
|
134
133
|
}
|
|
134
|
+
/**
|
|
135
|
+
* Dev/build-only top-level package.json fields not needed at runtime. The
|
|
136
|
+
* conservative default for {@link trimPublishManifest}; extend per-package via
|
|
137
|
+
* its `drop` option.
|
|
138
|
+
*/
|
|
139
|
+
const DEFAULT_TRIM_FIELDS = ["devDependencies", "scripts"];
|
|
140
|
+
/**
|
|
141
|
+
* Return a shallow copy of `manifest` that omits dev/build-only top-level
|
|
142
|
+
* fields so a published tarball + its npm metadata stay lean (npm caps total
|
|
143
|
+
* per-package metadata at 100 MB). The original object is left intact; persist
|
|
144
|
+
* the result only for the publish, never over the repo's own package.json.
|
|
145
|
+
*
|
|
146
|
+
* @example
|
|
147
|
+
* ;```typescript
|
|
148
|
+
* const lean = trimPublishManifest(pkg) // omits devDependencies + scripts
|
|
149
|
+
* const kept = trimPublishManifest(pkg, { keep: ['scripts'] })
|
|
150
|
+
* ```
|
|
151
|
+
*/
|
|
152
|
+
function trimPublishManifest(manifest, options) {
|
|
153
|
+
const opts = {
|
|
154
|
+
__proto__: null,
|
|
155
|
+
...options
|
|
156
|
+
};
|
|
157
|
+
const drop = new Set(opts.drop ?? DEFAULT_TRIM_FIELDS);
|
|
158
|
+
const keep = new Set(opts.keep ?? []);
|
|
159
|
+
const source = manifest;
|
|
160
|
+
const keys = require_primordials_object.ObjectKeys(source);
|
|
161
|
+
const out = {};
|
|
162
|
+
for (let i = 0, { length } = keys; i < length; i += 1) {
|
|
163
|
+
const key = keys[i];
|
|
164
|
+
if (!drop.has(key) || keep.has(key)) out[key] = source[key];
|
|
165
|
+
}
|
|
166
|
+
return out;
|
|
167
|
+
}
|
|
135
168
|
|
|
136
169
|
//#endregion
|
|
170
|
+
exports.DEFAULT_TRIM_FIELDS = DEFAULT_TRIM_FIELDS;
|
|
137
171
|
exports.createPackageJson = createPackageJson;
|
|
138
172
|
exports.fetchPackageManifest = fetchPackageManifest;
|
|
139
|
-
exports.fetchPackagePackument = fetchPackagePackument;
|
|
173
|
+
exports.fetchPackagePackument = fetchPackagePackument;
|
|
174
|
+
exports.trimPublishManifest = trimPublishManifest;
|
|
@@ -1,11 +1,9 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
-
const require_runtime = require('../_virtual/_rolldown/runtime.js');
|
|
5
4
|
const require_objects_mutate = require('../objects/mutate.js');
|
|
6
5
|
const require_constants_packages = require('../constants/packages.js');
|
|
7
|
-
|
|
8
|
-
src_external_semver = require_runtime.__toESM(src_external_semver);
|
|
6
|
+
const require_versions__internal = require('../versions/_internal.js');
|
|
9
7
|
|
|
10
8
|
//#region src/packages/metadata-extensions.ts
|
|
11
9
|
/**
|
|
@@ -30,7 +28,7 @@ function findPackageExtensions(pkgName, pkgVer) {
|
|
|
30
28
|
const lastAtSignIndex = selector.lastIndexOf("@");
|
|
31
29
|
if (pkgName === selector.slice(0, lastAtSignIndex)) {
|
|
32
30
|
const range = selector.slice(lastAtSignIndex + 1);
|
|
33
|
-
if (
|
|
31
|
+
if (require_versions__internal.getSemver().satisfies(pkgVer, range)) {
|
|
34
32
|
if (result === void 0) result = {};
|
|
35
33
|
if (typeof ext === "object" && ext !== null) require_objects_mutate.merge(result, ext);
|
|
36
34
|
}
|
|
@@ -6,8 +6,8 @@ const require_primordials_object = require('../primordials/object.js');
|
|
|
6
6
|
const require_primordials_string = require('../primordials/string.js');
|
|
7
7
|
const require_primordials_regexp = require('../primordials/regexp.js');
|
|
8
8
|
const require_primordials_array = require('../primordials/array.js');
|
|
9
|
-
const require_objects_mutate = require('../objects/mutate.js');
|
|
10
9
|
const require_constants_socket = require('../constants/socket.js');
|
|
10
|
+
const require_objects_mutate = require('../objects/mutate.js');
|
|
11
11
|
const require_regexps_escape = require('../regexps/escape.js');
|
|
12
12
|
const require_packages_metadata_extensions = require('./metadata-extensions.js');
|
|
13
13
|
let src_external_normalize_package_data = require("../external/normalize-package-data");
|
|
@@ -5,6 +5,8 @@ import type { ProvenanceOptions } from './types';
|
|
|
5
5
|
/**
|
|
6
6
|
* Comparator ordering two trust statuses by ascending trust level. Sorts an
|
|
7
7
|
* array of statuses lowest-trust-first; negate for highest-first.
|
|
8
|
+
*
|
|
9
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
8
10
|
*/
|
|
9
11
|
export declare function compareTrust(a: TrustStatus, b: TrustStatus): -1 | 0 | 1;
|
|
10
12
|
/**
|
|
@@ -12,6 +14,8 @@ export declare function compareTrust(a: TrustStatus, b: TrustStatus): -1 | 0 | 1
|
|
|
12
14
|
* regressed its supply-chain posture. Drives the post-publish provenance
|
|
13
15
|
* reminder: a version that drops from trustedPublisher back to bare provenance
|
|
14
16
|
* is a red flag worth surfacing.
|
|
17
|
+
*
|
|
18
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
15
19
|
*/
|
|
16
20
|
export declare function didTrustDecrease(prev: TrustStatus, next: TrustStatus): boolean;
|
|
17
21
|
/**
|
|
@@ -48,6 +52,8 @@ export declare function getProvenanceDetails(attestationData: unknown): unknown;
|
|
|
48
52
|
export declare function getTrustLevel(status: TrustStatus): TrustLevel;
|
|
49
53
|
/**
|
|
50
54
|
* Map a trust status to its human-readable level name.
|
|
55
|
+
*
|
|
56
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
51
57
|
*/
|
|
52
58
|
export declare function getTrustLevelName(status: TrustStatus): TrustLevelName;
|
|
53
59
|
/**
|
|
@@ -59,6 +65,8 @@ export declare function getTrustLevelName(status: TrustStatus): TrustLevelName;
|
|
|
59
65
|
* 2FA-gated approve step. That signal ranks ABOVE both `trustedPublisher` and
|
|
60
66
|
* `provenance` in pnpm's trust-evidence ladder, because it adds a human
|
|
61
67
|
* approval gate on top of the OIDC publisher identity.
|
|
68
|
+
*
|
|
69
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
62
70
|
*/
|
|
63
71
|
export declare function getTrustStatus(meta: unknown): TrustStatus;
|
|
64
72
|
/**
|
|
@@ -3,10 +3,10 @@
|
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_runtime = require('../_virtual/_rolldown/runtime.js');
|
|
5
5
|
const require_primordials_buffer = require('../primordials/buffer.js');
|
|
6
|
-
const require_abort_signal = require('../abort/signal.js');
|
|
7
6
|
const require_primordials_object = require('../primordials/object.js');
|
|
8
|
-
const require_objects_predicates = require('../objects/predicates.js');
|
|
9
7
|
const require_primordials_string = require('../primordials/string.js');
|
|
8
|
+
const require_abort_signal = require('../abort/signal.js');
|
|
9
|
+
const require_objects_predicates = require('../objects/predicates.js');
|
|
10
10
|
const require_primordials_array = require('../primordials/array.js');
|
|
11
11
|
const require_primordials_json = require('../primordials/json.js');
|
|
12
12
|
const require_constants_agents = require('../constants/agents.js');
|
|
@@ -25,6 +25,8 @@ let cachedFetcher;
|
|
|
25
25
|
/**
|
|
26
26
|
* Comparator ordering two trust statuses by ascending trust level. Sorts an
|
|
27
27
|
* array of statuses lowest-trust-first; negate for highest-first.
|
|
28
|
+
*
|
|
29
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
28
30
|
*/
|
|
29
31
|
function compareTrust(a, b) {
|
|
30
32
|
const levelA = getTrustLevel(a);
|
|
@@ -38,6 +40,8 @@ function compareTrust(a, b) {
|
|
|
38
40
|
* regressed its supply-chain posture. Drives the post-publish provenance
|
|
39
41
|
* reminder: a version that drops from trustedPublisher back to bare provenance
|
|
40
42
|
* is a red flag worth surfacing.
|
|
43
|
+
*
|
|
44
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
41
45
|
*/
|
|
42
46
|
function didTrustDecrease(prev, next) {
|
|
43
47
|
return getTrustLevel(next) < getTrustLevel(prev);
|
|
@@ -152,6 +156,8 @@ function getTrustLevel(status) {
|
|
|
152
156
|
}
|
|
153
157
|
/**
|
|
154
158
|
* Map a trust status to its human-readable level name.
|
|
159
|
+
*
|
|
160
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
155
161
|
*/
|
|
156
162
|
function getTrustLevelName(status) {
|
|
157
163
|
return TRUST_LEVELS[getTrustLevel(status)];
|
|
@@ -165,6 +171,8 @@ function getTrustLevelName(status) {
|
|
|
165
171
|
* 2FA-gated approve step. That signal ranks ABOVE both `trustedPublisher` and
|
|
166
172
|
* `provenance` in pnpm's trust-evidence ladder, because it adds a human
|
|
167
173
|
* approval gate on top of the OIDC publisher identity.
|
|
174
|
+
*
|
|
175
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
168
176
|
*/
|
|
169
177
|
function getTrustStatus(meta) {
|
|
170
178
|
const status = {
|
package/dist/packages/specs.js
CHANGED
|
@@ -2,8 +2,8 @@
|
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_runtime = require('../_virtual/_rolldown/runtime.js');
|
|
5
|
-
const require_objects_predicates = require('../objects/predicates.js');
|
|
6
5
|
const require_primordials_string = require('../primordials/string.js');
|
|
6
|
+
const require_objects_predicates = require('../objects/predicates.js');
|
|
7
7
|
const require_strings_predicates = require('../strings/predicates.js');
|
|
8
8
|
const require_constants_socket = require('../constants/socket.js');
|
|
9
9
|
const require_smol_purl = require('../smol/purl.js');
|
package/dist/packages/tarball.js
CHANGED
|
@@ -18,7 +18,6 @@ src_external_libnpmpack = require_runtime.__toESM(src_external_libnpmpack);
|
|
|
18
18
|
* spec into a tarball, both via pacote/libnpmpack with the shared packument
|
|
19
19
|
* cache.
|
|
20
20
|
*/
|
|
21
|
-
const abortSignal = require_process_abort.getAbortSignal();
|
|
22
21
|
const packumentCache = require_constants_packages.getPackumentCache();
|
|
23
22
|
const pacoteCachePath = require_constants_packages.getPacoteCachePath();
|
|
24
23
|
/**
|
|
@@ -68,7 +67,7 @@ async function packPackage(spec, options) {
|
|
|
68
67
|
/* c8 ignore start - External package registry packing */
|
|
69
68
|
return await (0, src_external_libnpmpack.default)(spec, {
|
|
70
69
|
__proto__: null,
|
|
71
|
-
signal:
|
|
70
|
+
signal: require_process_abort.getAbortSignal(),
|
|
72
71
|
...options,
|
|
73
72
|
packumentCache,
|
|
74
73
|
preferOffline: true
|
|
@@ -1,16 +1,6 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* @file Package name validation utilities.
|
|
3
3
|
*/
|
|
4
|
-
/**
|
|
5
|
-
* Check if package name is a blessed Socket.dev package.
|
|
6
|
-
*
|
|
7
|
-
* @example
|
|
8
|
-
* ;```typescript
|
|
9
|
-
* isBlessedPackageName('@socketregistry/is-number') // true
|
|
10
|
-
* isBlessedPackageName('lodash') // false
|
|
11
|
-
* ```
|
|
12
|
-
*/
|
|
13
|
-
export declare function isBlessedPackageName(name: unknown): boolean;
|
|
14
4
|
/**
|
|
15
5
|
* Check if a type string represents a registry fetcher type.
|
|
16
6
|
*
|