@socketsecurity/lib 6.0.8 → 6.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +22 -0
- package/dist/ai/route.d.mts +21 -8
- package/dist/ai/route.js +21 -6
- package/dist/ai/spawn.d.mts +32 -0
- package/dist/ai/spawn.js +91 -2
- package/dist/ai/types.d.mts +10 -0
- package/dist/bin/prim.cjs +18797 -13627
- package/dist/bin/resolve.js +1 -1
- package/dist/cache/ttl/store.js +1 -1
- package/dist/compression/brotli.js +1 -1
- package/dist/compression/gzip.js +1 -1
- package/dist/config/layers.d.ts +53 -0
- package/dist/config/layers.js +83 -0
- package/dist/constants/socket.js +1 -1
- package/dist/debug/caller-info.js +1 -1
- package/dist/dlx/binary-cache.js +1 -1
- package/dist/dlx/binary-resolution.js +1 -1
- package/dist/dlx/firewall.js +1 -1
- package/dist/dlx/lockfile.js +1 -1
- package/dist/eco/npm/npm/parse-lockfile.js +1 -1
- package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +1 -1
- package/dist/env/rewire.d.ts +5 -3
- package/dist/env/rewire.js +6 -7
- package/dist/env/xdg.d.ts +17 -0
- package/dist/env/xdg.js +21 -1
- package/dist/errors/stack.js +1 -2
- package/dist/external/@npmcli/package-json.js +3455 -4881
- package/dist/external/@yarnpkg/extensions.js +1 -1
- package/dist/external/external-pack.js +1 -1
- package/dist/external/npm-pack.js +29164 -31799
- package/dist/external/tar-fs.js +63 -16
- package/dist/external-tools/jre/detect-platform-arch.js +1 -1
- package/dist/external-tools/manifest.js +1 -1
- package/dist/external-tools/python/asset-names.js +1 -1
- package/dist/external-tools/python/uv-install.d.ts +89 -0
- package/dist/external-tools/python/uv-install.js +165 -0
- package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
- package/dist/external-tools/skillspector/from-uv.js +56 -0
- package/dist/external-tools/skillspector/resolve.d.ts +18 -3
- package/dist/external-tools/skillspector/resolve.js +21 -8
- package/dist/external-tools/skillspector/types.d.ts +3 -1
- package/dist/external-tools/uv/asset-names.d.ts +36 -0
- package/dist/external-tools/uv/asset-names.js +73 -0
- package/dist/external-tools/uv/from-download.d.ts +17 -0
- package/dist/external-tools/uv/from-download.js +50 -0
- package/dist/external-tools/uv/from-path.d.ts +5 -0
- package/dist/external-tools/uv/from-path.js +22 -0
- package/dist/external-tools/uv/from-vfs.d.ts +7 -0
- package/dist/external-tools/uv/from-vfs.js +26 -0
- package/dist/external-tools/uv/resolve.d.ts +25 -0
- package/dist/external-tools/uv/resolve.js +61 -0
- package/dist/external-tools/uv/types.d.ts +24 -0
- package/dist/external-tools/uv/types.js +2 -0
- package/dist/fleet/repo-config.d.ts +53 -0
- package/dist/fleet/repo-config.js +79 -0
- package/dist/fs/allowed-dirs-cache.js +3 -5
- package/dist/fs/copy.d.ts +88 -0
- package/dist/fs/copy.js +89 -0
- package/dist/fs/safe.js +1 -1
- package/dist/git/_internal.js +2 -2
- package/dist/github/refs.js +10 -15
- package/dist/globs/_internal.js +1 -1
- package/dist/http-request/browser.js +1 -1
- package/dist/http-request/checksum-file.js +1 -1
- package/dist/http-request/headers.js +1 -1
- package/dist/integrity.d.ts +125 -78
- package/dist/integrity.js +168 -84
- package/dist/logger/colors.d.ts +1 -2
- package/dist/logger/colors.js +2 -2
- package/dist/logger/symbols-builder.js +7 -8
- package/dist/logger/symbols.js +8 -8
- package/dist/node/module.d.ts +73 -2
- package/dist/node/module.js +97 -12
- package/dist/objects/predicates.js +1 -1
- package/dist/packages/exports.js +2 -2
- package/dist/packages/isolation.js +1 -1
- package/dist/packages/manifest.d.ts +29 -0
- package/dist/packages/manifest.js +38 -2
- package/dist/packages/normalize.js +1 -1
- package/dist/packages/provenance.js +2 -2
- package/dist/packages/specs.js +1 -1
- package/dist/paths/_internal.d.ts +1 -7
- package/dist/paths/_internal.js +9 -15
- package/dist/paths/conversion.js +1 -1
- package/dist/paths/normalize.js +1 -1
- package/dist/paths/predicates.js +2 -1
- package/dist/paths/socket.d.ts +74 -23
- package/dist/paths/socket.js +97 -23
- package/dist/perf/metrics.js +1 -1
- package/dist/perf/report.js +1 -1
- package/dist/regexps/spec.js +1 -1
- package/dist/schema/validate.js +1 -1
- package/dist/secrets/broker.d.ts +35 -0
- package/dist/secrets/broker.js +72 -0
- package/dist/secrets/find.d.ts +6 -4
- package/dist/secrets/find.js +15 -1
- package/dist/secrets/rc.js +1 -1
- package/dist/smol/detect.js +1 -1
- package/dist/smol/http.js +1 -1
- package/dist/smol/https.js +1 -1
- package/dist/smol/manifest.js +1 -1
- package/dist/smol/path.js +1 -1
- package/dist/smol/primordial.js +1 -1
- package/dist/smol/purl.js +1 -1
- package/dist/smol/versions.js +1 -1
- package/dist/smol/vfs.js +1 -1
- package/dist/sorts/_internal.d.ts +1 -2
- package/dist/sorts/_internal.js +2 -6
- package/dist/sorts/semver.js +2 -2
- package/dist/spinner/create-spinner-class.js +1 -1
- package/dist/stdio/progress.js +1 -1
- package/dist/stdio/prompts.d.ts +0 -8
- package/dist/stdio/prompts.js +10 -23
- package/dist/strings/format.js +1 -1
- package/dist/strings/search.js +1 -1
- package/dist/themes/context.d.ts +5 -3
- package/dist/themes/context.js +5 -6
- package/llms.txt +750 -0
- package/package.json +79 -13
package/dist/fs/copy.js
ADDED
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* Socket Lib - Built with rolldown */
|
|
3
|
+
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_primordials_object = require('../primordials/object.js');
|
|
5
|
+
const require_paths__internal = require('../paths/_internal.js');
|
|
6
|
+
const require_node_fs = require('../node/fs.js');
|
|
7
|
+
const require_node_path = require('../node/path.js');
|
|
8
|
+
const require_fs_safe = require('./safe.js');
|
|
9
|
+
const require_fs_unique = require('./unique.js');
|
|
10
|
+
|
|
11
|
+
//#region src/fs/copy.ts
|
|
12
|
+
/**
|
|
13
|
+
* @file Recursive copy for a file or directory tree, with three destination
|
|
14
|
+
* modes (see {@link CopyMode}). Plain `fs.cp` (even with `force`) overwrites
|
|
15
|
+
* files present in the source but never deletes destination files absent from
|
|
16
|
+
* it, so copying onto an existing target leaves stale leftovers behind. The
|
|
17
|
+
* `'pave'` mode makes the destination an exact copy of the source by staging
|
|
18
|
+
* a fresh tree in a sibling temp directory and swapping it in with a single
|
|
19
|
+
* rename — atomic, with no stale survivors.
|
|
20
|
+
*/
|
|
21
|
+
/**
|
|
22
|
+
* Named values for {@link CopyMode}. A frozen object rather than a TypeScript
|
|
23
|
+
* `enum` so the declaration is erasable (enums emit runtime helper code).
|
|
24
|
+
*/
|
|
25
|
+
const CopyMode = require_primordials_object.ObjectFreeze({
|
|
26
|
+
Fill: "fill",
|
|
27
|
+
Overlay: "overlay",
|
|
28
|
+
Pave: "pave"
|
|
29
|
+
});
|
|
30
|
+
/**
|
|
31
|
+
* Recursively copy a file or directory tree from `from` to `to`.
|
|
32
|
+
*
|
|
33
|
+
* Works for both files and directories. The `mode` option chooses how an
|
|
34
|
+
* existing destination is treated — overlay (default), pave, or fill; see
|
|
35
|
+
* {@link CopyMode}.
|
|
36
|
+
*
|
|
37
|
+
* @example
|
|
38
|
+
* ;```ts
|
|
39
|
+
* // Overlay (default) — overwrite collisions, keep files already in dest:
|
|
40
|
+
* await copy('./src', './dest')
|
|
41
|
+
*
|
|
42
|
+
* // Pave — dest ends up identical to src, no stale survivors:
|
|
43
|
+
* await copy('./vendor/upstream', './deps/upstream', { mode: CopyMode.Pave })
|
|
44
|
+
*
|
|
45
|
+
* // Fill — add only what's missing, never overwrite an existing file:
|
|
46
|
+
* await copy('./defaults', './config', { mode: CopyMode.Fill })
|
|
47
|
+
* ```
|
|
48
|
+
*
|
|
49
|
+
* @param from - Source file or directory to copy.
|
|
50
|
+
* @param to - Destination path.
|
|
51
|
+
* @param options - Copy options (mode, filter, dereference, abort signal).
|
|
52
|
+
*/
|
|
53
|
+
async function copy(from, to, options) {
|
|
54
|
+
const fs = require_node_fs.getNodeFs();
|
|
55
|
+
const opts = {
|
|
56
|
+
__proto__: null,
|
|
57
|
+
...options
|
|
58
|
+
};
|
|
59
|
+
const { mode } = opts;
|
|
60
|
+
const fromStr = require_paths__internal.pathLikeToString(from);
|
|
61
|
+
const toStr = require_paths__internal.pathLikeToString(to);
|
|
62
|
+
const cpOptions = {
|
|
63
|
+
__proto__: null,
|
|
64
|
+
dereference: opts.dereference === true,
|
|
65
|
+
force: mode !== CopyMode.Fill,
|
|
66
|
+
recursive: true,
|
|
67
|
+
...opts.filter ? { filter: opts.filter } : {}
|
|
68
|
+
};
|
|
69
|
+
if (mode !== CopyMode.Pave) {
|
|
70
|
+
await fs.promises.cp(fromStr, toStr, cpOptions);
|
|
71
|
+
return;
|
|
72
|
+
}
|
|
73
|
+
const path = require_node_path.getNodePath();
|
|
74
|
+
const tmp = require_fs_unique.uniqueSync(`${toStr}.tmp`);
|
|
75
|
+
try {
|
|
76
|
+
await fs.promises.cp(fromStr, tmp, cpOptions);
|
|
77
|
+
await require_fs_safe.safeMkdir(path.dirname(toStr));
|
|
78
|
+
await require_fs_safe.safeDelete(toStr, { signal: opts.signal });
|
|
79
|
+
await fs.promises.rename(tmp, toStr);
|
|
80
|
+
} catch (e) {
|
|
81
|
+
/* c8 ignore start - best-effort cleanup of the staged copy on failure */
|
|
82
|
+
await require_fs_safe.safeDelete(tmp, { signal: opts.signal });
|
|
83
|
+
throw e;
|
|
84
|
+
}
|
|
85
|
+
}
|
|
86
|
+
|
|
87
|
+
//#endregion
|
|
88
|
+
exports.CopyMode = CopyMode;
|
|
89
|
+
exports.copy = copy;
|
package/dist/fs/safe.js
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
-
const require_arrays_predicates = require('../arrays/predicates.js');
|
|
5
4
|
const require_primordials_string = require('../primordials/string.js');
|
|
5
|
+
const require_arrays_predicates = require('../arrays/predicates.js');
|
|
6
6
|
const require_paths__internal = require('../paths/_internal.js');
|
|
7
7
|
const require_primordials_array = require('../primordials/array.js');
|
|
8
8
|
const require_node_fs = require('../node/fs.js');
|
package/dist/git/_internal.js
CHANGED
|
@@ -3,8 +3,8 @@
|
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_primordials_buffer = require('../primordials/buffer.js');
|
|
5
5
|
const require_primordials_object = require('../primordials/object.js');
|
|
6
|
-
const require_primordials_map_set = require('../primordials/map-set.js');
|
|
7
6
|
const require_primordials_string = require('../primordials/string.js');
|
|
7
|
+
const require_primordials_map_set = require('../primordials/map-set.js');
|
|
8
8
|
const require_paths_normalize = require('../paths/normalize.js');
|
|
9
9
|
const require_primordials_array = require('../primordials/array.js');
|
|
10
10
|
const require_node_path = require('../node/path.js');
|
|
@@ -13,9 +13,9 @@ const require_primordials_json = require('../primordials/json.js');
|
|
|
13
13
|
const require_bin_which = require('../bin/which.js');
|
|
14
14
|
const require_ansi_strip = require('../ansi/strip.js');
|
|
15
15
|
const require_process_spawn_child = require('../process/spawn/child.js');
|
|
16
|
+
const require_git_repo = require('./repo.js');
|
|
16
17
|
const require_debug_output = require('../debug/output.js');
|
|
17
18
|
const require_globs_matcher = require('../globs/matcher.js');
|
|
18
|
-
const require_git_repo = require('./repo.js');
|
|
19
19
|
|
|
20
20
|
//#region src/git/_internal.ts
|
|
21
21
|
/**
|
package/dist/github/refs.js
CHANGED
|
@@ -1,7 +1,12 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_runtime = require('../_virtual/_rolldown/runtime.js');
|
|
5
|
+
const require_github_refs_graphql = require('./refs-graphql.js');
|
|
6
|
+
const require_github_refs_rest = require('./refs-rest.js');
|
|
4
7
|
const require_github_refs_cache = require('./refs-cache.js');
|
|
8
|
+
let node_process = require("node:process");
|
|
9
|
+
node_process = require_runtime.__toESM(node_process);
|
|
5
10
|
|
|
6
11
|
//#region src/github/refs.ts
|
|
7
12
|
/**
|
|
@@ -89,25 +94,15 @@ async function resolveRefToSha(owner, repo, ref, options) {
|
|
|
89
94
|
...options
|
|
90
95
|
};
|
|
91
96
|
const cacheKey = `${owner}/${repo}@${ref}`;
|
|
92
|
-
if (
|
|
93
|
-
return await getGithubCache
|
|
94
|
-
return await fetchRefSha
|
|
97
|
+
if (node_process.default.env["DISABLE_GITHUB_CACHE"]) return await require_github_refs_rest.fetchRefSha(owner, repo, ref, opts);
|
|
98
|
+
return await require_github_refs_cache.getGithubCache().getOrFetch(cacheKey, async () => {
|
|
99
|
+
return await require_github_refs_rest.fetchRefSha(owner, repo, ref, opts);
|
|
95
100
|
});
|
|
96
101
|
}
|
|
97
102
|
|
|
98
103
|
//#endregion
|
|
99
104
|
exports.clearRefCache = require_github_refs_cache.clearRefCache;
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
get: function () {
|
|
103
|
-
return fetchRefSha;
|
|
104
|
-
}
|
|
105
|
-
});
|
|
106
|
-
Object.defineProperty(exports, 'fetchRefShaViaGraphQL', {
|
|
107
|
-
enumerable: true,
|
|
108
|
-
get: function () {
|
|
109
|
-
return fetchRefShaViaGraphQL;
|
|
110
|
-
}
|
|
111
|
-
});
|
|
105
|
+
exports.fetchRefSha = require_github_refs_rest.fetchRefSha;
|
|
106
|
+
exports.fetchRefShaViaGraphQL = require_github_refs_graphql.fetchRefShaViaGraphQL;
|
|
112
107
|
exports.getGithubCache = require_github_refs_cache.getGithubCache;
|
|
113
108
|
exports.resolveRefToSha = resolveRefToSha;
|
package/dist/globs/_internal.js
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
-
const require_primordials_map_set = require('../primordials/map-set.js');
|
|
5
4
|
const require_primordials_string = require('../primordials/string.js');
|
|
5
|
+
const require_primordials_map_set = require('../primordials/map-set.js');
|
|
6
6
|
const require_paths_normalize = require('../paths/normalize.js');
|
|
7
7
|
const require_primordials_array = require('../primordials/array.js');
|
|
8
8
|
const require_node_fs = require('../node/fs.js');
|
|
@@ -2,8 +2,8 @@
|
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_primordials_error = require('../primordials/error.js');
|
|
5
|
-
const require_primordials_math = require('../primordials/math.js');
|
|
6
5
|
const require_primordials_string = require('../primordials/string.js');
|
|
6
|
+
const require_primordials_math = require('../primordials/math.js');
|
|
7
7
|
const require_primordials_array = require('../primordials/array.js');
|
|
8
8
|
const require_primordials_date = require('../primordials/date.js');
|
|
9
9
|
const require_primordials_json = require('../primordials/json.js');
|
|
@@ -2,8 +2,8 @@
|
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_primordials_error = require('../primordials/error.js');
|
|
5
|
-
const require_integrity = require('../integrity.js');
|
|
6
5
|
const require_primordials_string = require('../primordials/string.js');
|
|
6
|
+
const require_integrity = require('../integrity.js');
|
|
7
7
|
const require_http_request_request = require('./request.js');
|
|
8
8
|
|
|
9
9
|
//#region src/http-request/checksum-file.ts
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
-
const require_primordials_number = require('../primordials/number.js');
|
|
5
4
|
const require_primordials_object = require('../primordials/object.js');
|
|
5
|
+
const require_primordials_number = require('../primordials/number.js');
|
|
6
6
|
const require_primordials_array = require('../primordials/array.js');
|
|
7
7
|
const require_primordials_date = require('../primordials/date.js');
|
|
8
8
|
const require_primordials_globals = require('../primordials/globals.js');
|
package/dist/integrity.d.ts
CHANGED
|
@@ -1,18 +1,36 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* SRI-blessed hash algorithms. The W3C set; the prefix is part of the wire
|
|
3
|
+
* format, not a fleet convention.
|
|
4
|
+
*/
|
|
5
|
+
export type HashAlgorithm = 'sha256' | 'sha384' | 'sha512';
|
|
6
|
+
/**
|
|
7
|
+
* A cryptographic hash: an algorithm plus the digest in both encodings. Frozen,
|
|
8
|
+
* plain, self-describing — `h.algorithm` removes every "is this 256 or 512?"
|
|
9
|
+
* guess, and `h.hex` / `h.sri` are precomputed views (cheap transcodes of the
|
|
10
|
+
* digest, eager so the value stays serializable and structurally comparable).
|
|
11
|
+
*/
|
|
12
|
+
export interface Hash {
|
|
13
|
+
readonly algorithm: HashAlgorithm;
|
|
14
|
+
/**
|
|
15
|
+
* Lowercase hex digest (64 chars sha256, 96 sha384, 128 sha512).
|
|
16
|
+
*/
|
|
17
|
+
readonly hex: string;
|
|
18
|
+
/**
|
|
19
|
+
* W3C SRI string: `<algorithm>-<base64>`.
|
|
20
|
+
*/
|
|
21
|
+
readonly sri: string;
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* Anything a caller can hand verify/convert as "the expected hash": a parsed
|
|
25
|
+
* {@link Hash}, an SRI string, or a bare hex digest (algorithm inferred by
|
|
26
|
+
* length).
|
|
27
|
+
*/
|
|
28
|
+
export type HashInput = string | Hash;
|
|
1
29
|
/**
|
|
2
30
|
* Tagged union representing an expected hash.
|
|
3
31
|
*
|
|
4
|
-
* @
|
|
5
|
-
*
|
|
6
|
-
* 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs='
|
|
7
|
-
*
|
|
8
|
-
* @example
|
|
9
|
-
* // Bare sha256 hex (sniffed as checksum):
|
|
10
|
-
* 'a1b2c3...'
|
|
11
|
-
*
|
|
12
|
-
* @example
|
|
13
|
-
* // Explicit:
|
|
14
|
-
* { type: 'integrity', value: 'sha512-...' }
|
|
15
|
-
* { type: 'checksum', value: 'a1b2c3...' }
|
|
32
|
+
* @deprecated Prefer {@link HashInput} + {@link parseHash}. Kept for the
|
|
33
|
+
* `integrity?: HashSpec` option fields across dlx / external-tools.
|
|
16
34
|
*/
|
|
17
35
|
export type HashSpec = string | {
|
|
18
36
|
type: 'integrity';
|
|
@@ -22,15 +40,16 @@ export type HashSpec = string | {
|
|
|
22
40
|
value: string;
|
|
23
41
|
};
|
|
24
42
|
/**
|
|
25
|
-
* Normalized internal form. Always an object.
|
|
43
|
+
* Normalized internal form of a {@link HashSpec}. Always an object.
|
|
26
44
|
*/
|
|
27
45
|
export interface NormalizedHash {
|
|
28
46
|
type: 'integrity' | 'checksum';
|
|
29
47
|
value: string;
|
|
30
48
|
}
|
|
31
49
|
/**
|
|
32
|
-
* Both hash formats for the same bytes
|
|
33
|
-
*
|
|
50
|
+
* Both pinned hash formats for the same bytes: the sha512 SRI we pin against
|
|
51
|
+
* and the sha256 hex upstream tools emit. Returned from downloads so callers
|
|
52
|
+
* record whichever their config uses.
|
|
34
53
|
*/
|
|
35
54
|
export interface ComputedHashes {
|
|
36
55
|
/**
|
|
@@ -43,7 +62,7 @@ export interface ComputedHashes {
|
|
|
43
62
|
checksum: string;
|
|
44
63
|
}
|
|
45
64
|
/**
|
|
46
|
-
* Parsed components of an integrity string.
|
|
65
|
+
* Parsed components of an SRI integrity string.
|
|
47
66
|
*/
|
|
48
67
|
export interface ParsedIntegrity {
|
|
49
68
|
/**
|
|
@@ -56,60 +75,64 @@ export interface ParsedIntegrity {
|
|
|
56
75
|
body: string;
|
|
57
76
|
}
|
|
58
77
|
/**
|
|
59
|
-
* Convert a
|
|
60
|
-
* Idempotent on integrity input — call this on user-supplied data without first
|
|
61
|
-
* sniffing the format.
|
|
62
|
-
*
|
|
63
|
-
* The default algorithm is `'sha256'` because this converts a _checksum_, and
|
|
64
|
-
* checksums are sha256 by fleet convention (the GitHub-SHA256SUMS interop shape
|
|
65
|
-
* its only caller, `checksum-file.ts`, parses). Do NOT flip this default to
|
|
66
|
-
* sha512: this function only relabels the hex bytes, it does not re-hash, so a
|
|
67
|
-
* sha512 label on a 256-bit digest would be a lie. The canonical algorithm for
|
|
68
|
-
* OUR-side integrity values is sha512 — emitted by `computeHashes` as the
|
|
69
|
-
* `integrity` (`sha512-<base64>`) field; sha256 is reserved for
|
|
70
|
-
* upstream-SHASUMS interop and content addressing. Pass an explicit algorithm
|
|
71
|
-
* if you have a hex digest from `sha384` or `sha512` (the function does not
|
|
72
|
-
* verify hex length against the algorithm — caller's responsibility).
|
|
78
|
+
* Convert a hex checksum to its SRI integrity form.
|
|
73
79
|
*
|
|
74
|
-
* @
|
|
75
|
-
*
|
|
76
|
-
*
|
|
77
|
-
*
|
|
78
|
-
* )
|
|
79
|
-
* // 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs='
|
|
80
|
-
*
|
|
81
|
-
* checksumToIntegrity('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
|
|
82
|
-
* // 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=' (idempotent)
|
|
83
|
-
* ```
|
|
80
|
+
* @deprecated Prefer `parseHash(x).sri`, which is total across all algorithms
|
|
81
|
+
* and infers the algorithm from a bare hex digest. This shim defaults to
|
|
82
|
+
* `'sha256'` because it only relabels the hex bytes — it does NOT re-hash, so
|
|
83
|
+
* a sha512 label on a 256-bit digest would be a lie. Idempotent on SRI input.
|
|
84
84
|
*
|
|
85
85
|
* @throws TypeError when the input is neither a recognized SRI nor a hex
|
|
86
86
|
* digest.
|
|
87
87
|
*/
|
|
88
|
-
export declare function checksumToIntegrity(input: string, algorithm?:
|
|
88
|
+
export declare function checksumToIntegrity(input: string, algorithm?: HashAlgorithm): string;
|
|
89
89
|
/**
|
|
90
|
-
* Compute
|
|
91
|
-
*
|
|
90
|
+
* Compute a single {@link Hash} of `bytes`. Defaults to sha512 — the canonical
|
|
91
|
+
* trust string we pin against. Pass `'sha256'` for the upstream-interop digest.
|
|
92
|
+
*
|
|
93
|
+
* @example
|
|
94
|
+
* ;```typescript
|
|
95
|
+
* computeHash(bytes).sri // 'sha512-…' (pin this)
|
|
96
|
+
* computeHash(bytes, 'sha256').hex // '3620a0…' (compare to SHA256SUMS)
|
|
97
|
+
* ```
|
|
98
|
+
*/
|
|
99
|
+
export declare function computeHash(bytes: NodeJS.ArrayBufferView, algorithm?: HashAlgorithm): Hash;
|
|
100
|
+
/**
|
|
101
|
+
* Compute both pinned formats for `bytes`: the sha512 SRI integrity and the
|
|
102
|
+
* sha256 hex checksum. Use when a config records both (e.g.
|
|
103
|
+
* `external-tools.json`, dlx lockfiles).
|
|
92
104
|
*/
|
|
93
105
|
export declare function computeHashes(bytes: Buffer): ComputedHashes;
|
|
94
106
|
/**
|
|
95
|
-
*
|
|
96
|
-
*
|
|
107
|
+
* Compare two hashes for equality, ENCODING-agnostically. Parses both and —
|
|
108
|
+
* only when they share an algorithm — timing-safe compares the digests.
|
|
97
109
|
*
|
|
98
|
-
*
|
|
99
|
-
*
|
|
100
|
-
*
|
|
110
|
+
* Returns false when the algorithms differ. A sha512 and a sha256 are different
|
|
111
|
+
* functions of the same bytes: their digests are unrelated values, so they can
|
|
112
|
+
* never be "equal", and you CANNOT derive or check one against the other
|
|
113
|
+
* without the original bytes. To confirm a sha256 and a sha512 describe the
|
|
114
|
+
* same content, hash the bytes both ways (`computeHashes`) or `verifyHash` the
|
|
115
|
+
* bytes against each — there is no hash-to-hash shortcut across algorithms.
|
|
116
|
+
*
|
|
117
|
+
* What this DOES solve is the cross-ENCODING case that bites string `===`: a
|
|
118
|
+
* sha256 SRI and the same sha256 hex compare equal here.
|
|
101
119
|
*
|
|
102
120
|
* @example
|
|
103
121
|
* ;```typescript
|
|
104
|
-
*
|
|
105
|
-
*
|
|
106
|
-
*
|
|
107
|
-
* integrityToChecksum(
|
|
108
|
-
* '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b',
|
|
109
|
-
* )
|
|
110
|
-
* // '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b' (idempotent)
|
|
122
|
+
* equalHashes('sha256-NiCg…', '3620a0fc…') // true (same digest, SRI vs hex)
|
|
123
|
+
* equalHashes('sha512-…', '3620a0fc…') // false (different algorithms)
|
|
111
124
|
* ```
|
|
112
125
|
*
|
|
126
|
+
* @throws TypeError when either input is not a recognized hash.
|
|
127
|
+
*/
|
|
128
|
+
export declare function equalHashes(a: HashInput, b: HashInput): boolean;
|
|
129
|
+
/**
|
|
130
|
+
* Convert an SRI integrity string to its hex checksum form.
|
|
131
|
+
*
|
|
132
|
+
* @deprecated Prefer `parseHash(x).hex`, which is total across all algorithms.
|
|
133
|
+
* This shim is sha256-only (throws on sha384 / sha512) to preserve its
|
|
134
|
+
* historical "checksums are sha256" contract. Idempotent on hex input.
|
|
135
|
+
*
|
|
113
136
|
* @throws TypeError when the input is neither a recognized SRI nor a hex
|
|
114
137
|
* checksum, or when the input is a non-sha256 SRI.
|
|
115
138
|
*/
|
|
@@ -118,49 +141,73 @@ export declare function integrityToChecksum(input: string): string;
|
|
|
118
141
|
* True when `s` is a sha256 hex checksum (exactly 64 hex chars).
|
|
119
142
|
*/
|
|
120
143
|
export declare function isChecksum(s: string): boolean;
|
|
144
|
+
/**
|
|
145
|
+
* True when `s` is a bare hex digest of a recognized length (sha256 / sha384 /
|
|
146
|
+
* sha512).
|
|
147
|
+
*/
|
|
148
|
+
export declare function isHex(s: string): boolean;
|
|
121
149
|
/**
|
|
122
150
|
* True when `s` is a W3C SRI integrity string: `sha(256|384|512)-<base64>`.
|
|
123
151
|
*/
|
|
124
152
|
export declare function isIntegrity(s: string): boolean;
|
|
153
|
+
/**
|
|
154
|
+
* Build a frozen {@link Hash} from an algorithm and a hex digest. The internal
|
|
155
|
+
* constructor — trusts its inputs (lowercases the hex, computes the SRI view);
|
|
156
|
+
* use {@link parseHash} for untrusted strings, which validates first.
|
|
157
|
+
*/
|
|
158
|
+
export declare function makeHash(algorithm: HashAlgorithm, hex: string): Hash;
|
|
125
159
|
/**
|
|
126
160
|
* Normalize a {@link HashSpec} to its canonical `{ type, value }` form.
|
|
127
161
|
*
|
|
128
|
-
*
|
|
129
|
-
*
|
|
130
|
-
* - Bare string of 64 hex chars → checksum.
|
|
131
|
-
* - Anything else throws TypeError.
|
|
162
|
+
* @deprecated Prefer {@link parseHash}, which returns an algorithm-tagged
|
|
163
|
+
* {@link Hash}. Kept for callers that branch on integrity-vs-checksum type.
|
|
132
164
|
*
|
|
133
165
|
* @throws TypeError if the string is not a recognized format, or if an explicit
|
|
134
166
|
* object's value doesn't match its declared type.
|
|
135
167
|
*/
|
|
136
168
|
export declare function normalizeHash(spec: HashSpec): NormalizedHash;
|
|
137
169
|
/**
|
|
138
|
-
*
|
|
139
|
-
*
|
|
170
|
+
* Parse any {@link HashInput} into a canonical {@link Hash}. The one entry
|
|
171
|
+
* point for untrusted input — validates shape + length, then freezes.
|
|
140
172
|
*
|
|
141
|
-
* @
|
|
142
|
-
*
|
|
143
|
-
*
|
|
144
|
-
*
|
|
145
|
-
*
|
|
173
|
+
* - A {@link Hash} object is re-canonicalized from its `algorithm` + `hex`.
|
|
174
|
+
* - An SRI string carries its algorithm in the prefix (the body length is checked
|
|
175
|
+
* against it).
|
|
176
|
+
* - A bare hex digest infers the algorithm from its length (64 / 96 / 128).
|
|
177
|
+
*
|
|
178
|
+
* @throws TypeError when the input is not a recognized SRI or hex digest, or
|
|
179
|
+
* when an SRI body's length doesn't match its declared algorithm.
|
|
180
|
+
*/
|
|
181
|
+
export declare function parseHash(input: HashInput): Hash;
|
|
182
|
+
/**
|
|
183
|
+
* Split an SRI integrity string into its `{ algorithm, body }` components.
|
|
184
|
+
* `body` is the base64-encoded digest.
|
|
146
185
|
*
|
|
147
186
|
* @throws Error when the input is not a valid SRI integrity string.
|
|
148
187
|
*/
|
|
149
188
|
export declare function parseIntegrity(sri: string): ParsedIntegrity;
|
|
150
189
|
/**
|
|
151
|
-
* Verify
|
|
152
|
-
*
|
|
153
|
-
*
|
|
154
|
-
*
|
|
155
|
-
*
|
|
190
|
+
* Verify `bytes` against an expected hash. Reads the algorithm the expected
|
|
191
|
+
* hash declares, computes only that digest, and compares with
|
|
192
|
+
* `crypto.timingSafeEqual` — so any encoding (hex / SRI / {@link Hash}) and any
|
|
193
|
+
* algorithm (sha256 / sha384 / sha512) verifies without the caller reconciling
|
|
194
|
+
* formats first.
|
|
195
|
+
*
|
|
196
|
+
* @throws HashMismatchError when the recomputed digest doesn't match.
|
|
197
|
+
* @throws TypeError when `expected` is not a recognized hash.
|
|
156
198
|
*/
|
|
157
|
-
export declare function verifyHash(
|
|
199
|
+
export declare function verifyHash(bytes: NodeJS.ArrayBufferView, expected: HashInput): void;
|
|
158
200
|
/**
|
|
159
|
-
* Thrown when an expected hash doesn't match the computed hash of the
|
|
160
|
-
*
|
|
201
|
+
* Thrown when an expected hash doesn't match the computed hash of the verified
|
|
202
|
+
* bytes. Carries both sides (as {@link Hash}) for diagnostics.
|
|
161
203
|
*/
|
|
162
|
-
export declare class
|
|
163
|
-
readonly expected:
|
|
164
|
-
readonly actual:
|
|
165
|
-
constructor(expected:
|
|
204
|
+
export declare class HashMismatchError extends Error {
|
|
205
|
+
readonly expected: Hash;
|
|
206
|
+
readonly actual: Hash;
|
|
207
|
+
constructor(expected: Hash, actual: Hash);
|
|
166
208
|
}
|
|
209
|
+
/**
|
|
210
|
+
* @deprecated Renamed to {@link HashMismatchError}. Alias kept for callers that
|
|
211
|
+
* catch the old name.
|
|
212
|
+
*/
|
|
213
|
+
export declare const DlxHashMismatchError: typeof HashMismatchError;
|