Skip to content

Add TypeScript schema library to npm wrapper#35

Merged
mikolalysenko merged 3 commits intomainfrom
add-typescript-schema-lib
Mar 5, 2026
Merged

Add TypeScript schema library to npm wrapper#35
mikolalysenko merged 3 commits intomainfrom
add-typescript-schema-lib

Conversation

@mikolalysenko
Copy link
Contributor

@mikolalysenko mikolalysenko commented Mar 5, 2026

Summary

  • Add pared-down TypeScript library to npm/socket-patch/ for use by depscan
  • Includes schema validation (zod), git-compatible SHA256 hashing, manifest operations/recovery, and package-json postinstall detection
  • Adds exports field to package.json matching the old TypeScript package's API surface (./schema, ./hash, ./constants, ./manifest/operations, ./manifest/recovery, ./package-json)
  • Cross-validation tests for the zod schemas

Context

The socket-patch codebase was rewritten in Rust (v1.6.3), but depscan still needs the TypeScript schema/utility library for server-side operations (manifest parsing, blob hashing, postinstall injection). This PR adds just the library code to the npm wrapper package — no CLI code, crawlers, or repo manipulation.

Test plan

  • tsc compiles without errors
  • node --test dist/**/*.test.js — all 7 schema tests pass
  • depscan builds with updated submodule pointer
  • depscan e2e tests pass with Rust CLI binary

🤖 Generated with Claude Code

@mikolalysenko @claude
feat: add TypeScript schema library to npm wrapper package
f46314c 
Add pared-down TypeScript library to npm/socket-patch/ for use by
depscan. Includes schema validation (zod), git-compatible hashing,
manifest operations, recovery, and package-json postinstall helpers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@socket-security-staging
Copy link

socket-security-staging bot commented Mar 5, 2026
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
License policy violation: npm typescript

License: LicenseRef-W3C-Community-Final-Specification-Agreement - the applicable license policy does not allow this license (4) (package/ThirdPartyNoticeText.txt)

From: npm/socket-patch/package.jsonnpm/typescript@5.9.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore npm/typescript@5.9.3. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

mikolalysenko and others added 2 commits March 5, 2026 14:02
@mikolalysenko @claude
fix: normalize path separators in Go crawler PURLs on Windows
651344c 
On Windows, `Path::strip_prefix` + `to_string_lossy()` produces
backslashes in the relative path, which get embedded in the PURL
(e.g., `pkg:golang/github.com\\gin-gonic\\gin@v1.9.1`). Replace
backslashes with forward slashes to produce correct PURLs on all
platforms.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@mikolalysenko @claude
refactor: remove depscan-specific TS utilities, keep only schema
79e56c1 
Move operational code (constants, hashing, manifest operations,
recovery, postinstall detection) back to depscan. Only the Zod
schema and its tests remain in the npm wrapper package.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@socket-security
Copy link

socket-security bot commented Mar 5, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​@​types/​node@​20.19.351001008196100
Addednpm/​typescript@​5.9.31001009010090
Addednpm/​zod@​3.25.769810010093100

View full report

@socket-security-staging
Copy link

socket-security-staging bot commented Mar 5, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​@​types/​node@​20.19.351001008196100
Addednpm/​typescript@​5.9.31001009010090
Addednpm/​zod@​3.25.769810010093100

View full report

@mikolalysenko mikolalysenko merged commit a913b2f into main Mar 5, 2026
17 checks passed
@mikolalysenko mikolalysenko deleted the add-typescript-schema-lib branch March 5, 2026 19:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mikolalysenko