Skip to content

Commit 8e5db59

Browse files
committed
chore: bump version to 6.0.7
1 parent 93cc1f1 commit 8e5db59

4 files changed

Lines changed: 27 additions & 4 deletions

File tree

CHANGELOG.md

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,16 +5,30 @@ All notable changes to this project will be documented in this file.
55
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
66
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
77

8-
## [6.0.7](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.7) - 2026-06-01
8+
## [6.0.7](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.7) - 2026-06-02
99

1010
### Added
1111

1212
- **`http-request` decompresses `gzip` / `br` response bodies.** Buffered requests advertise `Accept-Encoding: gzip, br` and now decode the body by its `Content-Encoding` before resolving. 6.0.6 sent the header but never decompressed, so a compressed response reached callers as raw deflated bytes. Streamed requests (`stream: true`, e.g. `httpDownload`) skip the header so piped-to-disk payloads stay raw and checksum cleanly. Callers can override with `'identity'`.
1313
- **`crypto/hash` blob content-address helpers.** `blobHashOf(bytes)` returns Socket's content-addressed blob hash (`Q` + base64url(sha256)), and `verifyBlobHash(hash, bytes)` throws when bytes don't hash to the expected address. Both build on the fast one-shot `hash()`; the `S` file-stream discriminator verifies against the same digest body. Lets blob consumers (the SDK, MCP server) verify integrity against one canonical implementation instead of re-deriving the scheme.
14+
- **`integrity` — unified checksum/integrity surface.** `checksumToIntegrity(hex, algorithm?)` and `integrityToChecksum(sri)` convert between the two named hash flavors and are idempotent on the destination format (pass an SRI to `checksumToIntegrity`, get it back unchanged). `isIntegrity(s)` and `isChecksum(s)` are the predicates. `parseIntegrity(s)` returns `{ algorithm, body }` for the SRI structure. Replaces the `src/ssri/` directory (`hexToSsri`, `ssriToHex`, `isValidHex`, `isValidSsri`, `parseSsri`) — SSRI is just another name for Subresource Integrity, so the duplication confused readers. `isIntegrity` now accepts the full W3C SRI set (`sha256` / `sha384` / `sha512`) — the previous predicate hardcoded `sha512` only, which mismatched the contract `external-tools/manifest.ts` already promised and rejected the fleet's `sha256-<base64>` integrity strings.
15+
- **`process/spawn/kill-tree` — cross-platform process-tree termination.** `killProcessTree(target, { detached?, signal? })` walks and signals the whole descendant tree of a `pid` or `ChildProcess`: POSIX uses `process.kill(-pid, signal)` against the detached child's process group; Windows shells out to `taskkill /T /F /pid <pid>`. `isProcessAlive(pid)` probes liveness with `process.kill(pid, 0)`. Both helpers are best-effort and never throw — `ESRCH` (process gone) or `EPERM` (not ours) returns `false` so cleanup kills can't mask the caller's control flow.
16+
- **`arrays/joinList` — generalized Intl list joiner.** `joinList(items, { with: 'and' | 'or' })` wraps `Intl.ListFormat` for narrow conjunction/disjunction joins. `joinAnd` and `joinOr` keep their old call shapes but delegate to `joinList` so the locale-aware joining lives in one place.
17+
- **`primordials/intl` — frozen `Intl` constructor captures.** `IntlListFormat`, `IntlPluralRules`, `IntlCollator`, `IntlDateTimeFormat`, `IntlNumberFormat`, `IntlRelativeTimeFormat`, `IntlSegmenter`, and `IntlLocale` are pinned at module load. Lets internal callers reach Intl without paying a property-lookup cost on every call and without being affected by userland prototype tampering.
18+
- **`constants/node``supportsNodeStripTypes()` + `supportsNodeStripTypesDefault()`.** Two feature-detection helpers for runtimes that strip TypeScript types: stable-with-flag in Node 22.6 (`--strip-types`, accepted alias `--experimental-strip-types`), default-on in Node 24. Pair lets tooling pick the right wrapper-script shape per runtime without re-deriving the matrix.
19+
- **`env/node-version-managers` — detect the active Node manager + emit upgrade hint.** `detectActiveNodeManager()` resolves to one of `'nvm' | 'fnm' | 'volta' | 'asdf' | 'n' | 'corepack' | 'system'` by inspecting `process.execPath` (path-shape regexes are precedence-first) then falling back to manager env vars. `nodeManagerUpgradeHint(manager, version)` returns the exact one-liner a user should paste to install/activate the named version (`nvm install <v> && nvm use <v>`, `volta install node@<v>`, etc.). Used by tools that need Node ≥ X to give an actionable error instead of "install newer Node".
20+
- **`native-messaging` — Chrome native messaging host scaffold.** New `src/native-messaging/` subpath provides `installNativeHost({ allowedOrigins, wrapperDir? })`, which writes the per-OS `dev.socket.trusted_publisher_host.json` manifest plus a length-prefixed-protocol stdin/stdout loop (`runHost()`). macOS lands the manifest under `~/Library/Application Support/Google/Chrome/NativeMessagingHosts/`, Linux under `~/.config/google-chrome/NativeMessagingHosts/`, Windows under `%APPDATA%\Google\Chrome\User Data\NativeMessagingHosts\` + an `HKCU` registry pointer. The wrapper script bakes in `--strip-types` only when needed (Node 22.6 – 23.x); Node 24+ ships flag-free. Refuses to install on Node < 22.6 with a manager-aware error.
1421

1522
### Fixed
1623

24+
- **`debug` — namespace `SOCKET_DEBUG` values enable debug output.** `envAsBoolean(getSocketDebug())` returned false for `SOCKET_DEBUG=*` or `SOCKET_DEBUG=socket:foo` — those aren't boolean literals, so debug output was silently suppressed for the common namespace-selection shape. The new `isSocketDebugEnabled()` helper treats any non-empty value other than `0`/`false`/`no` (case-insensitive) as enabled.
1725
- **`external-tools/skillspector` pipx detection on Windows.** The PATH-tier resolver normalizes the resolved binary path with `normalizePath` and matches a forward-slash-only `pipx/venvs/` pattern, instead of `path.normalize` plus a dual-separator regex. On Windows the old form left backslashes in the path and missed pipx-installed binaries, tagging them `source: 'path'` rather than `source: 'pipx'`.
26+
- **`arrays/joinAnd` + `joinOr` — restore `string[] | readonly string[]` on params.** The 6.0.6 refactor narrowed the type to plain `string[]` and broke callers passing readonly arrays.
27+
- **`secrets/keychain` service rename `socket-cli``socketsecurity`.** Reads check the new name first then fall back to the legacy `socket-cli` slot, so existing installs keep finding their token. Writes go to the new name only. Callers that wrote tokens via prior versions can re-read them transparently; on next write the value migrates.
28+
29+
### Removed
30+
31+
- **`@socketsecurity/lib/ssri/{convert,parse,validate}` package exports.** Folded into `@socketsecurity/lib/integrity` (see Added). No fleet consumers were using the `ssri` subpath imports — verified by grep across socket-\* fleet repos.
1832

1933
## [6.0.6](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.6) - 2026-06-01
2034

src/paths/_internal.ts

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,12 @@ export const CHAR_UPPERCASE_A = 65
3636
// 'Z'
3737
export const CHAR_UPPERCASE_Z = 90
3838

39-
export const msysDriveRegExp = /^\/(?:[a-zA-Z])(?:$|\/)/
39+
// Captures the drive letter (group 1) and the trailing separator if any
40+
// (group 2). The replace callback in paths/normalize.ts:msysDriveToNative
41+
// reads both — non-capturing groups would leave `letter` undefined and
42+
// `.toUpperCase()` would throw on Windows MSYS-style paths like `/c/foo`.
43+
// oxlint-disable-next-line socket/prefer-non-capturing-group -- both groups are read by the replace callback in paths/normalize.ts:msysDriveToNative
44+
export const msysDriveRegExp = /^\/([a-zA-Z])($|\/)/
4045
export const nodeModulesPathRegExp = /(?:[/\\]|^)node_modules(?:$|[/\\])/
4146
export const slashRegExp = /[/\\]/
4247

src/paths/conversion.ts

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -95,8 +95,12 @@ export function toUnixPath(pathLike: string | Buffer | URL): string {
9595
// Windows drive-letter conversion; tested on Windows runners.
9696
/* c8 ignore start */
9797
if (WIN32) {
98+
// Capture the drive letter so the replace callback can lowercase it —
99+
// non-capturing groups would leave `letter` undefined and the call
100+
// would throw on Windows.
98101
return normalized.replace(
99-
/^(?:[A-Z]):/i,
102+
// oxlint-disable-next-line socket/prefer-non-capturing-group -- captured group is read by the replace callback below
103+
/^([A-Z]):/i,
100104
(_, letter) => `/${letter.toLowerCase()}`,
101105
)
102106
}

test/unit/ai/discover.test.mts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ afterEach(() => {
4444
})
4545

4646
describe.sequential('cachePathFor', () => {
47-
test('joins repo root + node_modules/.cache/agent-discovery.json', () => {
47+
test('places cache under the node_modules cache dir', () => {
4848
const result = cachePathFor('/foo')
4949
expect(path.isAbsolute(result)).toBe(true)
5050
expect(path.relative('/foo', result).split(path.sep)).toEqual([

0 commit comments

Comments
 (0)