@socketsecurity/lib 6.0.9 → 6.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +6 -0
- package/README.md +8 -9
- package/dist/abort/signal.d.ts +1 -1
- package/dist/abort/signal.js +1 -1
- package/dist/ai/agent-context.d.mts +1 -1
- package/dist/ai/agent-context.js +3 -2
- package/dist/ai/backends.d.mts +3 -3
- package/dist/ai/backends.js +2 -2
- package/dist/ai/billing-context.d.mts +74 -0
- package/dist/ai/billing-context.js +129 -0
- package/dist/ai/credentials.d.mts +39 -5
- package/dist/ai/credentials.js +61 -6
- package/dist/ai/discover.d.mts +4 -0
- package/dist/ai/discover.js +4 -0
- package/dist/ai/exec.d.mts +1 -1
- package/dist/ai/exec.js +1 -1
- package/dist/ai/http.d.mts +8 -8
- package/dist/ai/http.js +6 -6
- package/dist/ai/profiles.d.mts +9 -10
- package/dist/ai/profiles.js +0 -5
- package/dist/ai/role.d.mts +58 -0
- package/dist/ai/role.js +96 -0
- package/dist/ai/route-heuristic.d.mts +177 -0
- package/dist/ai/route-heuristic.js +194 -0
- package/dist/ai/route.d.mts +10 -9
- package/dist/ai/route.js +14 -13
- package/dist/ai/spawn.d.mts +2 -1
- package/dist/ai/spawn.js +25 -2
- package/dist/ai/subagent-status.d.mts +2 -0
- package/dist/ai/subagent-status.js +2 -0
- package/dist/ai/tier.d.mts +1 -1
- package/dist/ai/types.d.mts +9 -2
- package/dist/ai/worktree.d.mts +1 -1
- package/dist/ai/worktree.js +3 -2
- package/dist/argv/parse.d.ts +2 -0
- package/dist/argv/parse.js +2 -0
- package/dist/bin/_internal.d.ts +1 -1
- package/dist/bin/_internal.js +1 -1
- package/dist/bin/prim.cjs +446 -300
- package/dist/bin/shadow.js +2 -1
- package/dist/bin/which.d.ts +28 -3
- package/dist/bin/which.js +45 -3
- package/dist/cacache/_internal.d.ts +10 -2
- package/dist/cacache/_internal.js +6 -10
- package/dist/cache/ttl/_internal.d.ts +33 -0
- package/dist/cache/ttl/_internal.js +68 -0
- package/dist/cache/ttl/browser.d.ts +56 -0
- package/dist/cache/ttl/browser.js +257 -0
- package/dist/cache/ttl/store.js +10 -33
- package/dist/cache/ttl/types.d.ts +46 -3
- package/dist/checks/primordials-defaults.d.ts +5 -5
- package/dist/checks/primordials-defaults.js +5 -5
- package/dist/checks/primordials.d.ts +1 -1
- package/dist/checks/primordials.js +25 -17
- package/dist/cli/check-primordials.d.ts +6 -1
- package/dist/cli/check-primordials.js +14 -5
- package/dist/cli/check.js +1 -1
- package/dist/cli/socket-lib.d.ts +1 -1
- package/dist/cli/socket-lib.js +3 -3
- package/dist/colors/socket-palette.d.ts +1 -1
- package/dist/compression/brotli.d.ts +6 -2
- package/dist/compression/brotli.js +4 -0
- package/dist/compression/gzip.d.ts +6 -2
- package/dist/compression/gzip.js +6 -1
- package/dist/config/layers.d.ts +4 -4
- package/dist/config/layers.js +4 -4
- package/dist/constants/agents.d.ts +3 -0
- package/dist/constants/agents.js +3 -0
- package/dist/constants/node.d.ts +14 -0
- package/dist/constants/node.js +14 -0
- package/dist/constants/package-default-node-range.js +1 -5
- package/dist/constants/packages.d.ts +5 -0
- package/dist/constants/packages.js +5 -0
- package/dist/constants/platform.d.ts +1 -1
- package/dist/constants/platform.js +1 -1
- package/dist/constants/socket.js +1 -1
- package/dist/constants/typescript.d.ts +5 -0
- package/dist/constants/typescript.js +5 -0
- package/dist/debug/_internal.d.ts +22 -7
- package/dist/debug/_internal.js +33 -15
- package/dist/debug/namespace.js +11 -8
- package/dist/debug/output.d.ts +12 -1
- package/dist/debug/output.js +33 -16
- package/dist/dlx/binary-resolution.js +7 -4
- package/dist/eco/npm/npm/parse-lockfile.js +2 -1
- package/dist/eco/npm/vlt/exec.d.ts +1 -1
- package/dist/eco/npm/vlt/exec.js +1 -1
- package/dist/env/agents.d.ts +6 -0
- package/dist/env/agents.js +29 -0
- package/dist/env/flags.d.ts +12 -0
- package/dist/env/flags.js +23 -0
- package/dist/env/github-status.js +2 -2
- package/dist/env/providers.d.ts +6 -0
- package/dist/env/providers.js +23 -0
- package/dist/env/proxy.js +1 -1
- package/dist/env/rewire.d.ts +32 -0
- package/dist/env/rewire.js +55 -23
- package/dist/env/runtimes.d.ts +9 -0
- package/dist/env/runtimes.js +53 -0
- package/dist/env/socket-cli.d.ts +5 -2
- package/dist/env/socket-cli.js +6 -3
- package/dist/errors/predicates.d.ts +3 -2
- package/dist/errors/predicates.js +5 -3
- package/dist/errors/stack.js +2 -1
- package/dist/events/exit/_internal.d.ts +1 -23
- package/dist/external/@npmcli/package-json.js +179 -88
- package/dist/external/@npmcli/promise-spawn.js +2 -2
- package/dist/external/@sinclair/typebox/value.js +5 -4
- package/dist/external/@socketregistry/yocto-spinner.js +3 -3
- package/dist/external/adm-zip.d.ts +82 -0
- package/dist/external/adm-zip.js +2 -2
- package/dist/external/cacache.d.ts +87 -0
- package/dist/external/debug.d.ts +22 -0
- package/dist/external/debug.js +11 -4
- package/dist/external/del.d.ts +1 -0
- package/dist/external/external-pack.d.ts +12 -0
- package/dist/external/external-pack.js +41 -34
- package/dist/external/fast-glob.d.ts +8 -0
- package/dist/external/fast-sort.d.ts +1 -0
- package/dist/external/get-east-asian-width.d.ts +5 -0
- package/dist/external/get-east-asian-width.js +8 -1
- package/dist/external/has-flag.d.ts +1 -0
- package/dist/external/inquirer-pack.d.ts +18 -0
- package/dist/external/libnpmexec.d.ts +35 -0
- package/dist/external/libnpmpack.d.ts +1 -0
- package/dist/external/make-fetch-happen.d.ts +13 -0
- package/dist/external/normalize-package-data.d.ts +4 -0
- package/dist/external/npm-core.d.ts +14 -0
- package/dist/external/npm-pack.d.ts +24 -0
- package/dist/external/npm-pack.js +1551 -1867
- package/dist/external/npm-package-arg.d.ts +4 -0
- package/dist/external/p-map.js +8 -1
- package/dist/external/pacote.d.ts +15 -0
- package/dist/external/pico-pack.d.ts +16 -0
- package/dist/external/pico-pack.js +38 -23
- package/dist/external/picomatch.d.ts +96 -0
- package/dist/external/pony-cause.d.ts +14 -0
- package/dist/external/semver.d.ts +60 -0
- package/dist/external/semver.js +1459 -4
- package/dist/external/shell-quote.d.ts +51 -0
- package/dist/external/shell-quote.js +55 -15
- package/dist/external/signal-exit.d.ts +1 -0
- package/dist/external/spdx-correct.d.ts +4 -0
- package/dist/external/spdx-expression-parse.d.ts +4 -0
- package/dist/external/spdx-pack.d.ts +10 -0
- package/dist/external/std-env.d.ts +284 -0
- package/dist/external/std-env.js +323 -0
- package/dist/external/streaming-iterables.d.ts +11 -0
- package/dist/external/supports-color.d.ts +1 -0
- package/dist/external/tar-fs.d.ts +31 -0
- package/dist/external/validate-npm-package-name.d.ts +4 -0
- package/dist/external/which.d.ts +25 -0
- package/dist/external/which.js +2 -2
- package/dist/external/yargs-parser.d.ts +2 -0
- package/dist/external/yargs-parser.js +11 -3
- package/dist/external/yoctocolors-cjs.d.ts +51 -0
- package/dist/external-tools/bazel/asset-names.d.ts +1 -1
- package/dist/external-tools/bazel/from-download.d.ts +1 -1
- package/dist/external-tools/bazel/resolve.d.ts +3 -0
- package/dist/external-tools/bazel/resolve.js +3 -0
- package/dist/external-tools/cdxgen/asset-names.d.ts +5 -5
- package/dist/external-tools/cdxgen/asset-names.js +3 -3
- package/dist/external-tools/cdxgen/from-download.d.ts +2 -2
- package/dist/external-tools/cdxgen/from-download.js +1 -1
- package/dist/external-tools/cdxgen/resolve.d.ts +4 -1
- package/dist/external-tools/cdxgen/resolve.js +4 -1
- package/dist/external-tools/cdxgen/types.d.ts +1 -1
- package/dist/external-tools/from-download.d.ts +2 -2
- package/dist/external-tools/from-download.js +1 -1
- package/dist/external-tools/janus/asset-names.d.ts +4 -1
- package/dist/external-tools/janus/asset-names.js +3 -0
- package/dist/external-tools/janus/from-download.d.ts +3 -3
- package/dist/external-tools/janus/from-download.js +2 -2
- package/dist/external-tools/janus/resolve.d.ts +3 -0
- package/dist/external-tools/janus/resolve.js +3 -0
- package/dist/external-tools/jre/asset-names.d.ts +3 -1
- package/dist/external-tools/jre/asset-names.js +2 -0
- package/dist/external-tools/jre/from-download.d.ts +1 -1
- package/dist/external-tools/manifest.d.ts +5 -3
- package/dist/external-tools/manifest.js +4 -2
- package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
- package/dist/external-tools/opengrep/resolve.d.ts +3 -0
- package/dist/external-tools/opengrep/resolve.js +3 -0
- package/dist/external-tools/python/asset-names.d.ts +3 -1
- package/dist/external-tools/python/asset-names.js +7 -3
- package/dist/external-tools/python/pin.js +3 -1
- package/dist/external-tools/python/resolve.d.ts +3 -0
- package/dist/external-tools/python/resolve.js +3 -0
- package/dist/external-tools/sbt/resolve.d.ts +3 -0
- package/dist/external-tools/sbt/resolve.js +3 -0
- package/dist/external-tools/skillspector/from-uv.d.ts +1 -1
- package/dist/external-tools/synp/resolve.d.ts +3 -0
- package/dist/external-tools/synp/resolve.js +3 -0
- package/dist/external-tools/trivy/asset-names.d.ts +1 -1
- package/dist/external-tools/trivy/resolve.d.ts +3 -0
- package/dist/external-tools/trivy/resolve.js +3 -0
- package/dist/external-tools/trufflehog/asset-names.d.ts +4 -1
- package/dist/external-tools/trufflehog/asset-names.js +3 -0
- package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
- package/dist/external-tools/trufflehog/resolve.d.ts +3 -0
- package/dist/external-tools/trufflehog/resolve.js +3 -0
- package/dist/external-tools/uv/asset-names.d.ts +1 -1
- package/dist/external-tools/uv/resolve.d.ts +3 -0
- package/dist/external-tools/uv/resolve.js +3 -0
- package/dist/fleet/repo-config.d.ts +8 -6
- package/dist/fleet/repo-config.js +8 -6
- package/dist/fs/_internal.d.ts +1 -1
- package/dist/fs/_internal.js +1 -1
- package/dist/fs/access.d.ts +2 -0
- package/dist/fs/access.js +2 -0
- package/dist/fs/allowed-dirs-cache.js +5 -3
- package/dist/fs/find.js +1 -2
- package/dist/fs/inspect.d.ts +2 -2
- package/dist/fs/read-file.js +3 -4
- package/dist/fs/safe.js +1 -1
- package/dist/git/_internal.js +5 -1
- package/dist/github/commit.d.ts +92 -0
- package/dist/github/commit.js +113 -0
- package/dist/github/ghsa.js +1 -1
- package/dist/github/refs-graphql.js +1 -1
- package/dist/github/request.js +1 -1
- package/dist/github/token.d.ts +5 -2
- package/dist/github/token.js +6 -4
- package/dist/github/workflow-runs.d.ts +107 -0
- package/dist/github/workflow-runs.js +98 -0
- package/dist/http-request/_internal.d.ts +1 -1
- package/dist/http-request/browser.d.ts +6 -0
- package/dist/http-request/browser.js +3 -2
- package/dist/http-request/download.js +2 -0
- package/dist/http-request/headers.d.ts +1 -1
- package/dist/http-request/headers.js +1 -1
- package/dist/http-request/request-attempt.js +6 -3
- package/dist/http-request/request-types.d.ts +10 -1
- package/dist/http-request/request.js +2 -2
- package/dist/http-request/user-agent.d.ts +23 -2
- package/dist/http-request/user-agent.js +48 -6
- package/dist/integrity.d.ts +3 -1
- package/dist/integrity.js +3 -1
- package/dist/json/format.js +4 -1
- package/dist/logger/_internal.d.ts +13 -15
- package/dist/logger/_internal.js +21 -21
- package/dist/logger/colors.d.ts +9 -3
- package/dist/logger/colors.js +6 -13
- package/dist/logger/console-methods.js +2 -2
- package/dist/logger/console.d.ts +1 -0
- package/dist/logger/console.js +9 -9
- package/dist/logger/node.js +2 -1
- package/dist/native-messaging/install.js +1 -1
- package/dist/native-messaging/rate-limit.d.ts +4 -1
- package/dist/native-messaging/rate-limit.js +4 -1
- package/dist/node/events.d.ts +3 -0
- package/dist/node/events.js +3 -0
- package/dist/node/fs.d.ts +1 -1
- package/dist/node/timers-promises.d.ts +3 -0
- package/dist/node/timers-promises.js +3 -0
- package/dist/node/url.d.ts +3 -0
- package/dist/node/url.js +3 -0
- package/dist/npm/meta-cache.d.ts +183 -0
- package/dist/npm/meta-cache.js +318 -0
- package/dist/npm/meta-slice.d.ts +27 -0
- package/dist/npm/meta-slice.js +68 -0
- package/dist/npm/meta-types.d.ts +282 -0
- package/dist/npm/meta-types.js +2 -0
- package/dist/npm/meta.d.ts +125 -0
- package/dist/npm/meta.js +347 -0
- package/dist/npm/registry.d.ts +212 -0
- package/dist/npm/registry.js +284 -0
- package/dist/objects/getters.d.ts +1 -1
- package/dist/objects/getters.js +1 -1
- package/dist/packages/manifest.js +6 -7
- package/dist/packages/metadata-extensions.js +2 -4
- package/dist/packages/provenance.d.ts +8 -0
- package/dist/packages/provenance.js +8 -0
- package/dist/packages/tarball.js +1 -2
- package/dist/packages/validation.d.ts +0 -10
- package/dist/packages/validation.js +0 -14
- package/dist/paths/exts.d.ts +30 -0
- package/dist/paths/exts.js +30 -0
- package/dist/paths/filenames.d.ts +6 -0
- package/dist/paths/filenames.js +6 -0
- package/dist/paths/globs.d.ts +6 -0
- package/dist/paths/globs.js +6 -0
- package/dist/paths/resolve.js +19 -14
- package/dist/paths/socket.d.ts +8 -8
- package/dist/paths/socket.js +8 -8
- package/dist/perf/report.js +4 -2
- package/dist/pkg-ext/data.js +0 -2
- package/dist/primordials/globals.d.ts +1 -1
- package/dist/primordials/globals.js +1 -1
- package/dist/primordials/headers.d.ts +13 -1
- package/dist/primordials/headers.js +13 -1
- package/dist/primordials/process.d.ts +1 -1
- package/dist/primordials/process.js +1 -1
- package/dist/primordials/url.d.ts +18 -0
- package/dist/primordials/url.js +18 -0
- package/dist/process/spawn/child.js +3 -5
- package/dist/promises/_internal.d.ts +1 -1
- package/dist/promises/_internal.js +1 -2
- package/dist/promises/options.js +3 -3
- package/dist/releases/socket-btm-binary-naming.js +12 -1
- package/dist/secrets/_internal.d.ts +1 -1
- package/dist/secrets/_internal.js +1 -1
- package/dist/secrets/find.d.ts +2 -2
- package/dist/secrets/find.js +2 -2
- package/dist/secrets/keychain.d.ts +10 -1
- package/dist/secrets/keychain.js +10 -1
- package/dist/secrets/socket-api-token.d.ts +1 -1
- package/dist/secrets/socket-api-token.js +1 -1
- package/dist/secrets/types.d.ts +1 -1
- package/dist/smol/http.d.ts +2 -0
- package/dist/smol/http.js +2 -0
- package/dist/smol/https.d.ts +2 -0
- package/dist/smol/https.js +2 -0
- package/dist/sorts/_internal.d.ts +2 -3
- package/dist/sorts/_internal.js +1 -3
- package/dist/spinner/format.js +2 -4
- package/dist/stdio/footer.js +8 -7
- package/dist/stdio/prompts.d.ts +8 -15
- package/dist/stdio/prompts.js +18 -29
- package/dist/strings/predicates.d.ts +2 -2
- package/dist/strings/search.js +1 -1
- package/dist/strings/types.d.ts +4 -0
- package/dist/strings/width.d.ts +1 -0
- package/dist/strings/width.js +17 -8
- package/dist/themes/context.d.ts +13 -0
- package/dist/themes/context.js +23 -8
- package/dist/versions/_internal.d.ts +43 -13
- package/dist/versions/_internal.js +27 -15
- package/dist/versions/compare.d.ts +16 -10
- package/dist/versions/compare.js +36 -16
- package/dist/versions/parse.js +1 -1
- package/dist/versions/range.js +3 -2
- package/dist/words/pluralize.js +4 -1
- package/llms.txt +63 -750
- package/package.json +200 -35
package/dist/npm/meta.js
ADDED
|
@@ -0,0 +1,347 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* Socket Lib - Built with rolldown */
|
|
3
|
+
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_primordials_error = require('../primordials/error.js');
|
|
5
|
+
const require_errors_message = require('../errors/message.js');
|
|
6
|
+
const require_http_request_response_types = require('../http-request/response-types.js');
|
|
7
|
+
const require_promises_iterate = require('../promises/iterate.js');
|
|
8
|
+
const require_npm_meta_slice = require('./meta-slice.js');
|
|
9
|
+
const require_npm_meta_cache = require('./meta-cache.js');
|
|
10
|
+
const require_versions__internal = require('../versions/_internal.js');
|
|
11
|
+
|
|
12
|
+
//#region src/npm/meta.ts
|
|
13
|
+
/**
|
|
14
|
+
* @file Cached, batch-capable npm registry metadata client — the Socket-wide
|
|
15
|
+
* replacement for ad-hoc packument fetchers. Sibling of `./registry` (pure
|
|
16
|
+
* parsers + injectable HTTP): this module owns caching (`./meta-cache`),
|
|
17
|
+
* slimming (`./meta-slice`), and the derived helpers built on top
|
|
18
|
+
* (`getVersions`, `getLatestVersion`, `getPublishDate`,
|
|
19
|
+
* `getVersionTrustInfo`, `getBatch`) plus their `safe*` fail-open variants.
|
|
20
|
+
* Node-only (the cache layer is cacache-backed) — unlike `./registry`, this
|
|
21
|
+
* module is not browser-safe.
|
|
22
|
+
*/
|
|
23
|
+
/**
|
|
24
|
+
* Extract the HTTP status code from a caught error when it came from the
|
|
25
|
+
* `httpJson` adapter (`HttpResponseError`) or a synthesized
|
|
26
|
+
* `PackumentNotFoundError`; `undefined` for anything else (network failure,
|
|
27
|
+
* abort, a custom test-double error).
|
|
28
|
+
*/
|
|
29
|
+
function extractHttpStatus(error) {
|
|
30
|
+
if (error instanceof require_http_request_response_types.HttpResponseError) return error.response.status;
|
|
31
|
+
if (error instanceof require_npm_meta_cache.PackumentNotFoundError) return error.status;
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* Fetch `getPackumentSlim` for every name with bounded concurrency, returning
|
|
35
|
+
* an index-preserving array. Every item is attempted regardless of
|
|
36
|
+
* `throwOnError` — nothing is aborted in-flight. A per-item failure becomes a
|
|
37
|
+
* `PackageError` at that index; when `throwOnError` is `true`, once every
|
|
38
|
+
* item has settled the error from the LOWEST-INDEX failed item is thrown —
|
|
39
|
+
* deterministic regardless of settle order.
|
|
40
|
+
*/
|
|
41
|
+
async function getBatch(names, options) {
|
|
42
|
+
const opts = {
|
|
43
|
+
__proto__: null,
|
|
44
|
+
concurrency: 8,
|
|
45
|
+
throwOnError: false,
|
|
46
|
+
...options
|
|
47
|
+
};
|
|
48
|
+
const results = Array.from({ length: names.length });
|
|
49
|
+
const failures = [];
|
|
50
|
+
await require_promises_iterate.pEach(names.map((name, index) => ({
|
|
51
|
+
index,
|
|
52
|
+
name
|
|
53
|
+
})), async (item) => {
|
|
54
|
+
try {
|
|
55
|
+
results[item.index] = await require_npm_meta_cache.getPackumentSlim(item.name, opts);
|
|
56
|
+
} catch (e) {
|
|
57
|
+
failures.push({
|
|
58
|
+
error: e,
|
|
59
|
+
index: item.index
|
|
60
|
+
});
|
|
61
|
+
results[item.index] = {
|
|
62
|
+
error: require_errors_message.errorMessage(e),
|
|
63
|
+
name: item.name,
|
|
64
|
+
status: extractHttpStatus(e)
|
|
65
|
+
};
|
|
66
|
+
}
|
|
67
|
+
}, opts.concurrency);
|
|
68
|
+
if (opts.throwOnError && failures.length > 0) {
|
|
69
|
+
let lowest = failures[0];
|
|
70
|
+
for (let i = 0, { length } = failures; i < length; i += 1) {
|
|
71
|
+
const failure = failures[i];
|
|
72
|
+
if (failure.index < lowest.index) lowest = failure;
|
|
73
|
+
}
|
|
74
|
+
throw lowest.error;
|
|
75
|
+
}
|
|
76
|
+
return results;
|
|
77
|
+
}
|
|
78
|
+
/**
|
|
79
|
+
* Resolve the latest version — `distTags.latest` when no `range` is given, or
|
|
80
|
+
* (when `range` is given) the same dist-tag / exact-version / semver-range
|
|
81
|
+
* resolution `getVersions` uses (`resolveRequestedVersions`), narrowed to a
|
|
82
|
+
* single version. There is no silent fallback to `distTags.latest`: a
|
|
83
|
+
* dist-tag or exact version that doesn't resolve throws (same contract as
|
|
84
|
+
* `getVersions`), and a range matching nothing throws too — an unsatisfiable
|
|
85
|
+
* range must never return a version outside what the caller asked for.
|
|
86
|
+
*
|
|
87
|
+
* @throws {PackumentNotFoundError} When `range` names an exact version or
|
|
88
|
+
* dist-tag that isn't present in the packument, or a semver range that no
|
|
89
|
+
* version satisfies.
|
|
90
|
+
*/
|
|
91
|
+
async function getLatestVersion(name, options) {
|
|
92
|
+
const opts = {
|
|
93
|
+
__proto__: null,
|
|
94
|
+
...options
|
|
95
|
+
};
|
|
96
|
+
const meta = await require_npm_meta_cache.getPackumentSlim(name, opts);
|
|
97
|
+
if (!opts.range) {
|
|
98
|
+
const version = meta.distTags["latest"] ?? "";
|
|
99
|
+
return {
|
|
100
|
+
distTags: meta.distTags,
|
|
101
|
+
publishedAt: meta.versions[version]?.time || void 0,
|
|
102
|
+
version
|
|
103
|
+
};
|
|
104
|
+
}
|
|
105
|
+
const candidates = resolveRequestedVersions(name, meta, opts);
|
|
106
|
+
const version = require_versions__internal.getSemver().maxSatisfying(candidates, "*", {
|
|
107
|
+
includePrerelease: true,
|
|
108
|
+
loose: !!opts.loose
|
|
109
|
+
});
|
|
110
|
+
if (!version) throw new require_npm_meta_cache.PackumentNotFoundError(name, 404, `getLatestVersion: no version of "${name}" satisfies "${opts.range}".`);
|
|
111
|
+
return {
|
|
112
|
+
distTags: meta.distTags,
|
|
113
|
+
publishedAt: meta.versions[version]?.time || void 0,
|
|
114
|
+
version
|
|
115
|
+
};
|
|
116
|
+
}
|
|
117
|
+
/**
|
|
118
|
+
* Look up a single version's publish time (ISO string), or `undefined` when
|
|
119
|
+
* the version isn't in the packument.
|
|
120
|
+
*/
|
|
121
|
+
async function getPublishDate(name, version, options) {
|
|
122
|
+
return (await require_npm_meta_cache.getPackumentSlim(name, options)).versions[version]?.time || void 0;
|
|
123
|
+
}
|
|
124
|
+
/**
|
|
125
|
+
* Per-version trust signals (forces `variant: 'full'` — `_npmUser` is absent
|
|
126
|
+
* from the abbreviated packument).
|
|
127
|
+
*/
|
|
128
|
+
async function getVersionTrustInfo(name, options) {
|
|
129
|
+
const meta = await require_npm_meta_cache.getPackumentSlim(name, {
|
|
130
|
+
__proto__: null,
|
|
131
|
+
...options,
|
|
132
|
+
variant: "full"
|
|
133
|
+
});
|
|
134
|
+
const result = {};
|
|
135
|
+
const versions = Object.keys(meta.versions);
|
|
136
|
+
for (let i = 0, { length } = versions; i < length; i += 1) {
|
|
137
|
+
const version = versions[i];
|
|
138
|
+
const entry = meta.versions[version];
|
|
139
|
+
result[version] = {
|
|
140
|
+
approver: entry.staged,
|
|
141
|
+
attestations: entry.attestations,
|
|
142
|
+
integrity: entry.integrity,
|
|
143
|
+
shasum: entry.shasum,
|
|
144
|
+
trustedPublisher: entry.trustedPublisher
|
|
145
|
+
};
|
|
146
|
+
}
|
|
147
|
+
return result;
|
|
148
|
+
}
|
|
149
|
+
/**
|
|
150
|
+
* List versions, optionally filtered by `range` (a semver range, an exact
|
|
151
|
+
* version, or a dist-tag name — see `GetVersionsOptions.range`), an `after`
|
|
152
|
+
* time floor, and/or a `minAgeDays` maturity window. See `GetVersionsOptions`
|
|
153
|
+
* for the `minAgeDays` end-of-UTC-day anchor semantics.
|
|
154
|
+
*
|
|
155
|
+
* @throws {PackumentNotFoundError} When `range` names an exact version or
|
|
156
|
+
* dist-tag that isn't present in the packument.
|
|
157
|
+
*/
|
|
158
|
+
async function getVersions(name, options) {
|
|
159
|
+
const opts = {
|
|
160
|
+
__proto__: null,
|
|
161
|
+
...options
|
|
162
|
+
};
|
|
163
|
+
const meta = await require_npm_meta_cache.getPackumentSlim(name, opts);
|
|
164
|
+
const time = {};
|
|
165
|
+
const versionKeys = Object.keys(meta.versions);
|
|
166
|
+
for (let i = 0, { length } = versionKeys; i < length; i += 1) {
|
|
167
|
+
const version = versionKeys[i];
|
|
168
|
+
time[version] = meta.versions[version].time;
|
|
169
|
+
}
|
|
170
|
+
let versions = resolveRequestedVersions(name, meta, opts);
|
|
171
|
+
if (opts.after !== void 0) {
|
|
172
|
+
const floorMs = toEpochMs(opts.after);
|
|
173
|
+
versions = versions.filter((v) => {
|
|
174
|
+
const publishedAt = time[v];
|
|
175
|
+
return !!publishedAt && Date.parse(publishedAt) >= floorMs;
|
|
176
|
+
});
|
|
177
|
+
}
|
|
178
|
+
if (opts.minAgeDays !== void 0) {
|
|
179
|
+
const minAgeDays = opts.minAgeDays;
|
|
180
|
+
const now = Date.now();
|
|
181
|
+
versions = versions.filter((v) => {
|
|
182
|
+
const publishedAt = time[v];
|
|
183
|
+
return !!publishedAt && isMatured(publishedAt, minAgeDays, now);
|
|
184
|
+
});
|
|
185
|
+
}
|
|
186
|
+
return {
|
|
187
|
+
distTags: meta.distTags,
|
|
188
|
+
time,
|
|
189
|
+
versions
|
|
190
|
+
};
|
|
191
|
+
}
|
|
192
|
+
/**
|
|
193
|
+
* `true` when `publishedAt` is at least `minAgeDays` days old, anchored to the
|
|
194
|
+
* END of `publishedAt`'s UTC day (Socket soak-window semantics) — a version
|
|
195
|
+
* published at any point during a UTC day matures at the same wall-clock
|
|
196
|
+
* instant, `minAgeDays` later at 23:59:59.999 UTC. Returns `false` for an
|
|
197
|
+
* unparseable `publishedAt`.
|
|
198
|
+
*/
|
|
199
|
+
function isMatured(publishedAt, minAgeDays, now = Date.now()) {
|
|
200
|
+
const publishedMs = Date.parse(publishedAt);
|
|
201
|
+
if (Number.isNaN(publishedMs)) return false;
|
|
202
|
+
const published = new Date(publishedMs);
|
|
203
|
+
return now >= Date.UTC(published.getUTCFullYear(), published.getUTCMonth(), published.getUTCDate(), 23, 59, 59, 999) + minAgeDays * 24 * 60 * 60 * 1e3;
|
|
204
|
+
}
|
|
205
|
+
/**
|
|
206
|
+
* Resolve `options.range` against a packument's dist-tags / version set.
|
|
207
|
+
* Exported standalone so its resolution order is independently testable. See
|
|
208
|
+
* `GetVersionsOptions.range` for the full priority-order contract (dist-tag →
|
|
209
|
+
* exact version → semver range filter).
|
|
210
|
+
*
|
|
211
|
+
* @throws {PackumentNotFoundError} When `range` names a dist-tag or exact
|
|
212
|
+
* version that isn't present in the packument.
|
|
213
|
+
*/
|
|
214
|
+
function resolveRequestedVersions(name, meta, options) {
|
|
215
|
+
const opts = {
|
|
216
|
+
__proto__: null,
|
|
217
|
+
...options
|
|
218
|
+
};
|
|
219
|
+
const allVersions = Object.keys(meta.versions);
|
|
220
|
+
const { range } = opts;
|
|
221
|
+
if (!range) return allVersions;
|
|
222
|
+
if (Object.hasOwn(meta.distTags, range)) {
|
|
223
|
+
const tagged = meta.distTags[range];
|
|
224
|
+
if (!Object.hasOwn(meta.versions, tagged)) throw new require_npm_meta_cache.PackumentNotFoundError(name, 404, `getVersions: dist-tag "${range}" on "${name}" points to version "${tagged}", which is not in the packument.`);
|
|
225
|
+
return [tagged];
|
|
226
|
+
}
|
|
227
|
+
const semver = require_versions__internal.getSemver();
|
|
228
|
+
const normalized = semver.valid(range, { loose: !!opts.loose });
|
|
229
|
+
if (normalized) {
|
|
230
|
+
const resolvedVersion = Object.hasOwn(meta.versions, normalized) ? normalized : range;
|
|
231
|
+
if (!Object.hasOwn(meta.versions, resolvedVersion)) throw new require_npm_meta_cache.PackumentNotFoundError(name, 404, `getVersions: version "${range}" not found for "${name}".`);
|
|
232
|
+
return [resolvedVersion];
|
|
233
|
+
}
|
|
234
|
+
const semverOptions = {
|
|
235
|
+
includePrerelease: !!opts.includePrerelease,
|
|
236
|
+
loose: !!opts.loose
|
|
237
|
+
};
|
|
238
|
+
return allVersions.filter((v) => semver.satisfies(v, range, semverOptions));
|
|
239
|
+
}
|
|
240
|
+
/**
|
|
241
|
+
* Fail-open `getLatestVersion` — `undefined` on any error.
|
|
242
|
+
*
|
|
243
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
244
|
+
*/
|
|
245
|
+
async function safeGetLatestVersion(name, options) {
|
|
246
|
+
try {
|
|
247
|
+
return await getLatestVersion(name, options);
|
|
248
|
+
} catch {
|
|
249
|
+
return;
|
|
250
|
+
}
|
|
251
|
+
}
|
|
252
|
+
/**
|
|
253
|
+
* Fail-open `getPackumentSlim` — `undefined` on any error.
|
|
254
|
+
*
|
|
255
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
256
|
+
*/
|
|
257
|
+
async function safeGetPackumentSlim(name, options) {
|
|
258
|
+
try {
|
|
259
|
+
return await require_npm_meta_cache.getPackumentSlim(name, options);
|
|
260
|
+
} catch {
|
|
261
|
+
return;
|
|
262
|
+
}
|
|
263
|
+
}
|
|
264
|
+
/**
|
|
265
|
+
* Fail-open `getPublishDate` — `undefined` on any error.
|
|
266
|
+
*
|
|
267
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
268
|
+
*/
|
|
269
|
+
async function safeGetPublishDate(name, version, options) {
|
|
270
|
+
try {
|
|
271
|
+
return await getPublishDate(name, version, options);
|
|
272
|
+
} catch {
|
|
273
|
+
return;
|
|
274
|
+
}
|
|
275
|
+
}
|
|
276
|
+
/**
|
|
277
|
+
* Fail-open `getVersionTrustInfo` — an empty record on any error.
|
|
278
|
+
*
|
|
279
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
280
|
+
*/
|
|
281
|
+
async function safeGetVersionTrustInfo(name, options) {
|
|
282
|
+
try {
|
|
283
|
+
return await getVersionTrustInfo(name, options);
|
|
284
|
+
} catch {
|
|
285
|
+
return {};
|
|
286
|
+
}
|
|
287
|
+
}
|
|
288
|
+
/**
|
|
289
|
+
* Fail-open `getVersions` — an empty result on any error.
|
|
290
|
+
*
|
|
291
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
292
|
+
*/
|
|
293
|
+
async function safeGetVersions(name, options) {
|
|
294
|
+
try {
|
|
295
|
+
return await getVersions(name, options);
|
|
296
|
+
} catch {
|
|
297
|
+
return {
|
|
298
|
+
distTags: {},
|
|
299
|
+
time: {},
|
|
300
|
+
versions: []
|
|
301
|
+
};
|
|
302
|
+
}
|
|
303
|
+
}
|
|
304
|
+
const ALL_DIGITS_RE = /^\d+$/;
|
|
305
|
+
/**
|
|
306
|
+
* Resolve an `after` filter value to epoch milliseconds. A `number` is used
|
|
307
|
+
* as-is. A string is treated as an epoch ONLY when it is entirely digits
|
|
308
|
+
* (`/^\d+$/`) — never by trying `Number()` first, which would also accept
|
|
309
|
+
* whitespace, exponents, and other numeric-ish forms `Date.parse` should get
|
|
310
|
+
* a chance at instead. Anything not all-digits is parsed via `Date.parse`.
|
|
311
|
+
*
|
|
312
|
+
* @throws {RangeError} When `after` cannot be resolved to a valid epoch —
|
|
313
|
+
* silently skipping the `after` filter on an unparseable value is the exact
|
|
314
|
+
* reference-implementation bug this module exists to avoid.
|
|
315
|
+
*/
|
|
316
|
+
function toEpochMs(after) {
|
|
317
|
+
const epochMs = typeof after === "number" ? after : ALL_DIGITS_RE.test(after) ? Number(after) : Date.parse(after);
|
|
318
|
+
if (Number.isNaN(epochMs)) throw new require_primordials_error.RangeErrorCtor(`toEpochMs: "${after}" is not a valid ISO 8601 date string or numeric epoch`);
|
|
319
|
+
return epochMs;
|
|
320
|
+
}
|
|
321
|
+
|
|
322
|
+
//#endregion
|
|
323
|
+
exports.PackumentNotFoundError = require_npm_meta_cache.PackumentNotFoundError;
|
|
324
|
+
exports.buildMetaCacheKey = require_npm_meta_cache.buildMetaCacheKey;
|
|
325
|
+
exports.createNpmMetaCache = require_npm_meta_cache.createNpmMetaCache;
|
|
326
|
+
exports.extractHttpStatus = extractHttpStatus;
|
|
327
|
+
exports.fetchPackumentSlim = require_npm_meta_cache.fetchPackumentSlim;
|
|
328
|
+
exports.getBatch = getBatch;
|
|
329
|
+
exports.getDefaultMetaCache = require_npm_meta_cache.getDefaultMetaCache;
|
|
330
|
+
exports.getLatestVersion = getLatestVersion;
|
|
331
|
+
exports.getPackumentSlim = require_npm_meta_cache.getPackumentSlim;
|
|
332
|
+
exports.getPublishDate = getPublishDate;
|
|
333
|
+
exports.getStaleMeta = require_npm_meta_cache.getStaleMeta;
|
|
334
|
+
exports.getVersionTrustInfo = getVersionTrustInfo;
|
|
335
|
+
exports.getVersions = getVersions;
|
|
336
|
+
exports.isMatured = isMatured;
|
|
337
|
+
exports.rememberStaleMeta = require_npm_meta_cache.rememberStaleMeta;
|
|
338
|
+
exports.resolveRequestedVersions = resolveRequestedVersions;
|
|
339
|
+
exports.safeGetLatestVersion = safeGetLatestVersion;
|
|
340
|
+
exports.safeGetPackumentSlim = safeGetPackumentSlim;
|
|
341
|
+
exports.safeGetPublishDate = safeGetPublishDate;
|
|
342
|
+
exports.safeGetVersionTrustInfo = safeGetVersionTrustInfo;
|
|
343
|
+
exports.safeGetVersions = safeGetVersions;
|
|
344
|
+
exports.sliceOneVersion = require_npm_meta_slice.sliceOneVersion;
|
|
345
|
+
exports.slicePackument = require_npm_meta_slice.slicePackument;
|
|
346
|
+
exports.sliceVersionMeta = require_npm_meta_slice.sliceVersionMeta;
|
|
347
|
+
exports.toEpochMs = toEpochMs;
|
|
@@ -0,0 +1,212 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @file Browser-safe npm registry client — pure parsers + injectable-fetch
|
|
3
|
+
* shell. Safe for Chrome MV3 service workers, content scripts, and any
|
|
4
|
+
* environment without `node:*` builtins. The HTTP adapter is injected by the
|
|
5
|
+
* caller (`{ http: { json } }`) so Node callers pass `httpJson` from
|
|
6
|
+
* `@socketsecurity/lib/http-request` and browser callers pass `httpJson` from
|
|
7
|
+
* `@socketsecurity/lib/http-request/browser`. No network dependency at module
|
|
8
|
+
* load time.
|
|
9
|
+
*
|
|
10
|
+
* ## Endpoints covered
|
|
11
|
+
*
|
|
12
|
+
* - Packument: `registry.npmjs.org/<pkg>`
|
|
13
|
+
* - Version manifest (package.json):
|
|
14
|
+
* `cdn.jsdelivr.net/npm/<pkg>@<ver>/package.json`
|
|
15
|
+
* - Weekly downloads: `api.npmjs.org/downloads/point/last-week/<pkg>`
|
|
16
|
+
* - Attestation bundle: `registry.npmjs.org/-/npm/v1/attestations/<pkg>@<ver>`
|
|
17
|
+
* - Org packages: `registry.npmjs.org/-/org/<org>/package`
|
|
18
|
+
*
|
|
19
|
+
* ## URL encoding
|
|
20
|
+
*
|
|
21
|
+
* Registry endpoints (`registry.npmjs.org`, `api.npmjs.org`): scoped names
|
|
22
|
+
* encode to `@scope%2Fname` (one `encodeURIComponent` call that encodes the
|
|
23
|
+
* slash, then `%40` is restored to `@`).
|
|
24
|
+
* CDN endpoint (`cdn.jsdelivr.net`): scope and name are encoded separately,
|
|
25
|
+
* preserving the literal `/` between them. A prior extension bug sent
|
|
26
|
+
* `@scope%2Fname` to the CDN which returned 400; the fix is this split-encode
|
|
27
|
+
* path.
|
|
28
|
+
*
|
|
29
|
+
* ## Trusted Publisher detection
|
|
30
|
+
*
|
|
31
|
+
* From the packument alone, only `!!dist.attestations` is detectable —
|
|
32
|
+
* proving provenance was signed but not identifying which repo or workflow is
|
|
33
|
+
* configured as the TP. To get repo + workflow call `getAttestations()` then
|
|
34
|
+
* `parseProvenancePredicate()` to parse the SLSA
|
|
35
|
+
* `externalParameters.workflow` field. The npm access page
|
|
36
|
+
* (`/package/<name>/access`) is session-only HTML and is out of scope for
|
|
37
|
+
* this public client.
|
|
38
|
+
*/
|
|
39
|
+
/**
|
|
40
|
+
* Injectable HTTP adapter. Pass `httpJson` from
|
|
41
|
+
* `@socketsecurity/lib/http-request` (Node) or
|
|
42
|
+
* `@socketsecurity/lib/http-request/browser` (browser / extension).
|
|
43
|
+
*/
|
|
44
|
+
export interface NpmHttpOptions {
|
|
45
|
+
http: {
|
|
46
|
+
json<T>(url: string): Promise<T>;
|
|
47
|
+
};
|
|
48
|
+
}
|
|
49
|
+
export interface AttestationBundleEntry {
|
|
50
|
+
predicateType?: string | undefined;
|
|
51
|
+
bundle?: unknown | undefined;
|
|
52
|
+
}
|
|
53
|
+
export interface AttestationBundle {
|
|
54
|
+
attestations?: AttestationBundleEntry[] | undefined;
|
|
55
|
+
}
|
|
56
|
+
export interface DownloadsRecord {
|
|
57
|
+
downloads: number;
|
|
58
|
+
package: string;
|
|
59
|
+
}
|
|
60
|
+
export interface OrgPackagesRecord {
|
|
61
|
+
[packageName: string]: string;
|
|
62
|
+
}
|
|
63
|
+
export interface PackumentVersionDist {
|
|
64
|
+
attestations?: {
|
|
65
|
+
url?: string | undefined;
|
|
66
|
+
} | undefined;
|
|
67
|
+
tarball?: string | undefined;
|
|
68
|
+
}
|
|
69
|
+
export interface PackumentVersion {
|
|
70
|
+
deprecated?: string | undefined;
|
|
71
|
+
dist?: PackumentVersionDist | undefined;
|
|
72
|
+
[field: string]: unknown;
|
|
73
|
+
}
|
|
74
|
+
export interface PackumentRecord {
|
|
75
|
+
'dist-tags': Record<string, string>;
|
|
76
|
+
distTags: Record<string, string>;
|
|
77
|
+
name: string;
|
|
78
|
+
time?: Record<string, string> | undefined;
|
|
79
|
+
versions: Record<string, PackumentVersion>;
|
|
80
|
+
}
|
|
81
|
+
export interface ProvenancePredicate {
|
|
82
|
+
buildDefinition?: {
|
|
83
|
+
externalParameters?: {
|
|
84
|
+
workflow?: {
|
|
85
|
+
path?: string | undefined;
|
|
86
|
+
ref?: string | undefined;
|
|
87
|
+
repository?: string | undefined;
|
|
88
|
+
} | undefined;
|
|
89
|
+
} | undefined;
|
|
90
|
+
} | undefined;
|
|
91
|
+
runDetails?: {
|
|
92
|
+
builder?: {
|
|
93
|
+
id?: string | undefined;
|
|
94
|
+
} | undefined;
|
|
95
|
+
} | undefined;
|
|
96
|
+
}
|
|
97
|
+
/**
|
|
98
|
+
* Result of Trusted Publisher detection from a version entry.
|
|
99
|
+
*
|
|
100
|
+
* When `configured` is true, `repo` and `workflow` are populated only if the
|
|
101
|
+
* attestation bundle was fetched and parsed — `detectTrustedPublisher()` alone
|
|
102
|
+
* (from packument data) cannot provide them. Call `getAttestations()` +
|
|
103
|
+
* `parseProvenancePredicate()` to obtain those fields.
|
|
104
|
+
*/
|
|
105
|
+
export interface TrustedPublisherResult {
|
|
106
|
+
configured: boolean;
|
|
107
|
+
repo?: string | undefined;
|
|
108
|
+
workflow?: string | undefined;
|
|
109
|
+
}
|
|
110
|
+
/**
|
|
111
|
+
* Build the CDN path `<encoded-name>@<encoded-version>/package.json`.
|
|
112
|
+
* Exposed as a pure function so callers can construct the full URL themselves.
|
|
113
|
+
*/
|
|
114
|
+
export declare function buildCdnPath(name: string, version: string): string;
|
|
115
|
+
/**
|
|
116
|
+
* Detect Trusted Publisher configuration from a packument version entry.
|
|
117
|
+
*
|
|
118
|
+
* From the packument alone, only the presence of `dist.attestations` is
|
|
119
|
+
* detectable (`configured: true` means provenance was signed; it does NOT
|
|
120
|
+
* confirm that a TP source is configured on npmjs.com). To get `repo` and
|
|
121
|
+
* `workflow`, fetch the attestation bundle with `getAttestations()` and parse
|
|
122
|
+
* it with `parseProvenancePredicate()`.
|
|
123
|
+
*/
|
|
124
|
+
export declare function detectTrustedPublisher(versionEntry: PackumentVersion): TrustedPublisherResult;
|
|
125
|
+
/**
|
|
126
|
+
* Encode a package name for use in registry CDN URLs.
|
|
127
|
+
* Scope and name are encoded individually, preserving the literal `/`.
|
|
128
|
+
* Use this for `cdn.jsdelivr.net` URLs — fixes the `@scope%2Fname` → 400 bug.
|
|
129
|
+
*/
|
|
130
|
+
export declare function encodeCdnName(name: string): string;
|
|
131
|
+
/**
|
|
132
|
+
* Encode a package name for use in registry / download-API URLs.
|
|
133
|
+
*
|
|
134
|
+
* Registry form (`cdn: false`, the default): `encodeURIComponent` then restore
|
|
135
|
+
* the leading `@` so `@scope/name` → `@scope%2Fname`.
|
|
136
|
+
*
|
|
137
|
+
* CDN form (`cdn: true`): scope and name are encoded individually so the
|
|
138
|
+
* literal `/` separator is preserved: `@scope/name` → `@scope/name` (each
|
|
139
|
+
* segment encoded separately). This fixes the `@scope%2Fname` → 400 bug on
|
|
140
|
+
* `cdn.jsdelivr.net`.
|
|
141
|
+
*
|
|
142
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
143
|
+
*/
|
|
144
|
+
export declare function encodePackageName(name: string, options?: {
|
|
145
|
+
cdn?: boolean | undefined;
|
|
146
|
+
} | undefined): string;
|
|
147
|
+
/**
|
|
148
|
+
* Encode a package name for use in registry / download-API URLs.
|
|
149
|
+
* Applies `encodeURIComponent` then restores `@` so scoped names become
|
|
150
|
+
* `@scope%2Fname`.
|
|
151
|
+
*/
|
|
152
|
+
export declare function encodeRegistryName(name: string): string;
|
|
153
|
+
/**
|
|
154
|
+
* Fetch the attestation bundle for a package version from the npm transparency
|
|
155
|
+
* log. Returns `undefined` when no attestations entry is present in the
|
|
156
|
+
* packument (404 is treated as absent rather than an error).
|
|
157
|
+
*/
|
|
158
|
+
export declare function getAttestations(name: string, version: string, options: NpmHttpOptions): Promise<AttestationBundle | undefined>;
|
|
159
|
+
/**
|
|
160
|
+
* Fetch the list of packages belonging to an npm org.
|
|
161
|
+
* Returns package names as a string array.
|
|
162
|
+
*/
|
|
163
|
+
export declare function getOrgPackages(org: string, options: NpmHttpOptions): Promise<string[]>;
|
|
164
|
+
/**
|
|
165
|
+
* Fetch and parse the full packument for a package.
|
|
166
|
+
*/
|
|
167
|
+
export declare function getPackument(name: string, options: NpmHttpOptions): Promise<PackumentRecord>;
|
|
168
|
+
/**
|
|
169
|
+
* Fetch a version's package.json via the jsDelivr CDN.
|
|
170
|
+
*
|
|
171
|
+
* Uses split-encode for scoped names so `cdn.jsdelivr.net` receives the literal
|
|
172
|
+
* `/` between scope and name (not `%2F` which causes 400s).
|
|
173
|
+
*
|
|
174
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
175
|
+
*/
|
|
176
|
+
export declare function getVersionManifest(name: string, version: string, options: NpmHttpOptions): Promise<Record<string, unknown>>;
|
|
177
|
+
/**
|
|
178
|
+
* Fetch last-week download counts for a package from the npm downloads API.
|
|
179
|
+
*
|
|
180
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
181
|
+
*/
|
|
182
|
+
export declare function getWeeklyDownloads(name: string, options: NpmHttpOptions): Promise<DownloadsRecord>;
|
|
183
|
+
/**
|
|
184
|
+
* Return true when `versionEntry.dist.attestations` is present — indicating a
|
|
185
|
+
* SLSA provenance attestation was produced for this version.
|
|
186
|
+
*/
|
|
187
|
+
export declare function hasProvenance(versionEntry: PackumentVersion): boolean;
|
|
188
|
+
/**
|
|
189
|
+
* Return `true` when `version` of `name` is already published to the registry.
|
|
190
|
+
* Authoritative — reads the packument's `versions` map rather than a CDN, so a
|
|
191
|
+
* pre-publish guard never false-negatives on CDN lag (the asymmetric-cost case:
|
|
192
|
+
* a wrong "not published" invites a duplicate-version publish attempt). Returns
|
|
193
|
+
* `false` when the package does not exist or the packument fetch fails.
|
|
194
|
+
*
|
|
195
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
196
|
+
*/
|
|
197
|
+
export declare function isVersionPublished(name: string, version: string, options: NpmHttpOptions): Promise<boolean>;
|
|
198
|
+
/**
|
|
199
|
+
* Parse a raw packument JSON response into a typed `PackumentRecord`.
|
|
200
|
+
* Adds the `distTags` alias for `dist-tags` so callers don't need bracket
|
|
201
|
+
* notation. Returns `undefined` when the input is not a valid packument shape.
|
|
202
|
+
*/
|
|
203
|
+
export declare function parsePackument(raw: unknown): PackumentRecord | undefined;
|
|
204
|
+
/**
|
|
205
|
+
* Parse an npm transparency-log attestation bundle (the JSON returned from
|
|
206
|
+
* `registry.npmjs.org/-/npm/v1/attestations/<pkg>@<ver>`) and extract the
|
|
207
|
+
* SLSA provenance predicate.
|
|
208
|
+
*
|
|
209
|
+
* Returns the first SLSA provenance v1 predicate found, or `undefined` when
|
|
210
|
+
* none is present or the bundle is malformed.
|
|
211
|
+
*/
|
|
212
|
+
export declare function parseProvenancePredicate(bundle: unknown): ProvenancePredicate | undefined;
|