fix(build-externals): unstub pacote fetchers and related helpers

The bundled externals were stubbing pacote's dir/file/remote/git
fetchers on the assumption we only pass registry specs, but
packPackage()/extractPackage() routinely pass directory/tarball/url
specs and RegistryFetcher streams registry tarballs through
RemoteFetcher internally. Also unstub @npmcli/git (needed by
normalize.gitHead) and @npmcli/run-script (needed for prepack).

Also removes env/socket-cli-shadow, which no consumer references
after Socket CLI dropped its shadow infrastructure.

Adds regression tests covering each unstubbed fetcher plus
EditablePackageJson.prepare() gitHead and packPackage() prepack
paths.

Author: jdalton

.claude/hooks/check-new-deps/package.json

@@ -11,7 +11,7 @@
   },
   "dependencies": {
     "@socketregistry/packageurl-js": "1.4.2",
-    "@socketsecurity/lib": "5.21.0",
+    "@socketsecurity/lib": "5.23.0",
     "@socketsecurity/sdk": "4.0.1"
   },
   "devDependencies": {

docs/api-index.md

@@ -124,30 +124,29 @@ Each entry links to the source module and shows the first sentence of its `@file
 
 ## env/
 
-| Subpath                                                                        | Description                                                    |
-| ------------------------------------------------------------------------------ | -------------------------------------------------------------- |
-| [`@socketsecurity/lib/env/ci`](../src/env/ci.ts)                               | CI environment variable getter.                                |
-| [`@socketsecurity/lib/env/debug`](../src/env/debug.ts)                         | DEBUG environment variable getter.                             |
-| [`@socketsecurity/lib/env/github`](../src/env/github.ts)                       | GitHub Actions environment variable getters.                   |
-| [`@socketsecurity/lib/env/helpers`](../src/env/helpers.ts)                     | Environment variable type conversion helpers.                  |
-| [`@socketsecurity/lib/env/home`](../src/env/home.ts)                           | HOME environment variable getter with Windows fallback.        |
-| [`@socketsecurity/lib/env/locale`](../src/env/locale.ts)                       | Locale and language environment variable getters.              |
-| [`@socketsecurity/lib/env/node-auth-token`](../src/env/node-auth-token.ts)     | NODE_AUTH_TOKEN environment variable getter.                   |
-| [`@socketsecurity/lib/env/node-env`](../src/env/node-env.ts)                   | NODE_ENV environment variable getter.                          |
-| [`@socketsecurity/lib/env/npm`](../src/env/npm.ts)                             | NPM environment variable getters.                              |
-| [`@socketsecurity/lib/env/package-manager`](../src/env/package-manager.ts)     | Package manager environment detection.                         |
-| [`@socketsecurity/lib/env/path`](../src/env/path.ts)                           | PATH environment variable getter.                              |
-| [`@socketsecurity/lib/env/pre-commit`](../src/env/pre-commit.ts)               | PRE_COMMIT environment variable getter.                        |
-| [`@socketsecurity/lib/env/rewire`](../src/env/rewire.ts)                       | Environment variable rewiring utilities for testing.           |
-| [`@socketsecurity/lib/env/shell`](../src/env/shell.ts)                         | SHELL environment variable getter.                             |
-| [`@socketsecurity/lib/env/socket`](../src/env/socket.ts)                       | Socket Security environment variable getters.                  |
-| [`@socketsecurity/lib/env/socket-cli`](../src/env/socket-cli.ts)               | Socket CLI environment variables.                              |
-| [`@socketsecurity/lib/env/socket-cli-shadow`](../src/env/socket-cli-shadow.ts) | Socket CLI shadow mode environment variables.                  |
-| [`@socketsecurity/lib/env/temp-dir`](../src/env/temp-dir.ts)                   | Temporary directory environment variable getters.              |
-| [`@socketsecurity/lib/env/term`](../src/env/term.ts)                           | TERM environment variable getter.                              |
-| [`@socketsecurity/lib/env/test`](../src/env/test.ts)                           | Test environment variable getters and detection.               |
-| [`@socketsecurity/lib/env/windows`](../src/env/windows.ts)                     | Windows environment variable getters.                          |
-| [`@socketsecurity/lib/env/xdg`](../src/env/xdg.ts)                             | XDG Base Directory Specification environment variable getters. |
+| Subpath                                                                    | Description                                                    |
+| -------------------------------------------------------------------------- | -------------------------------------------------------------- |
+| [`@socketsecurity/lib/env/ci`](../src/env/ci.ts)                           | CI environment variable getter.                                |
+| [`@socketsecurity/lib/env/debug`](../src/env/debug.ts)                     | DEBUG environment variable getter.                             |
+| [`@socketsecurity/lib/env/github`](../src/env/github.ts)                   | GitHub Actions environment variable getters.                   |
+| [`@socketsecurity/lib/env/helpers`](../src/env/helpers.ts)                 | Environment variable type conversion helpers.                  |
+| [`@socketsecurity/lib/env/home`](../src/env/home.ts)                       | HOME environment variable getter with Windows fallback.        |
+| [`@socketsecurity/lib/env/locale`](../src/env/locale.ts)                   | Locale and language environment variable getters.              |
+| [`@socketsecurity/lib/env/node-auth-token`](../src/env/node-auth-token.ts) | NODE_AUTH_TOKEN environment variable getter.                   |
+| [`@socketsecurity/lib/env/node-env`](../src/env/node-env.ts)               | NODE_ENV environment variable getter.                          |
+| [`@socketsecurity/lib/env/npm`](../src/env/npm.ts)                         | NPM environment variable getters.                              |
+| [`@socketsecurity/lib/env/package-manager`](../src/env/package-manager.ts) | Package manager environment detection.                         |
+| [`@socketsecurity/lib/env/path`](../src/env/path.ts)                       | PATH environment variable getter.                              |
+| [`@socketsecurity/lib/env/pre-commit`](../src/env/pre-commit.ts)           | PRE_COMMIT environment variable getter.                        |
+| [`@socketsecurity/lib/env/rewire`](../src/env/rewire.ts)                   | Environment variable rewiring utilities for testing.           |
+| [`@socketsecurity/lib/env/shell`](../src/env/shell.ts)                     | SHELL environment variable getter.                             |
+| [`@socketsecurity/lib/env/socket`](../src/env/socket.ts)                   | Socket Security environment variable getters.                  |
+| [`@socketsecurity/lib/env/socket-cli`](../src/env/socket-cli.ts)           | Socket CLI environment variables.                              |
+| [`@socketsecurity/lib/env/temp-dir`](../src/env/temp-dir.ts)               | Temporary directory environment variable getters.              |
+| [`@socketsecurity/lib/env/term`](../src/env/term.ts)                       | TERM environment variable getter.                              |
+| [`@socketsecurity/lib/env/test`](../src/env/test.ts)                       | Test environment variable getters and detection.               |
+| [`@socketsecurity/lib/env/windows`](../src/env/windows.ts)                 | Windows environment variable getters.                          |
+| [`@socketsecurity/lib/env/xdg`](../src/env/xdg.ts)                         | XDG Base Directory Specification environment variable getters. |
 
 ## json/
 

pnpm-lock.yaml

@@ -30,10 +30,6 @@ const requireResolve = createRequire(import.meta.url)
  * to also match (used to scope relative-path stubs to a specific package).
  */
 const STUB_MAP: Record<string, string | [RegExp, string]> = {
-  // Git-based package specs (`git://`, `github:`, `gitlab:`). We only
-  // pass registry specs (`name@version`); pacote/lib/git.js and
-  // @npmcli/git are unreachable.
-  '^@npmcli/git$': 'empty.cjs',
   // Vulnerability calculator — arb.audit() path only.
   '^@npmcli/metavuln-calculator$': 'empty.cjs',
   // Arborist CSS-selector query API — unused.
@@ -45,10 +41,6 @@ const STUB_MAP: Record<string, string | [RegExp, string]> = {
   // value is consumed but never acted on. Stub returns falsy =>
   // isGyp=false => branch skipped.
   '^@npmcli/node-gyp$': 'npmcli-node-gyp.cjs',
-  // Lifecycle scripts — we always pass ignoreScripts: true, so every
-  // runScript(...) call site in arborist/reify.js and arborist/rebuild.js
-  // is guarded out.
-  '^@npmcli/run-script$': 'empty.cjs',
   // Sigstore attestation — reachable only via arb.audit(), unused.
   '^@sigstore/(bundle|core|protobuf-specs|sign|tuf|verify)$': 'empty.cjs',
   // TUF root-of-trust — Sigstore-only dependency.
@@ -62,16 +54,25 @@ const STUB_MAP: Record<string, string | [RegExp, string]> = {
   '^proggy$': 'proggy.cjs',
   '^sigstore$': 'empty.cjs',
   '^tuf-js$': 'empty.cjs',
-  // Pacote non-registry fetchers — eagerly required at the top of
-  // pacote/lib/fetcher.js but only instantiated when the parsed spec
-  // type matches. We only pass registry specs (name@version/range/tag)
-  // → RegistryFetcher is the only one that ever fires. Scope each
-  // stub to imports coming from inside pacote/lib so unrelated ./dir
-  // etc. imports elsewhere aren't caught.
-  '^\\./dir\\.js$': [/pacote[\\/]lib[\\/]/, 'pacote-fetcher-throw.cjs'],
-  '^\\./file\\.js$': [/pacote[\\/]lib[\\/]/, 'pacote-fetcher-throw.cjs'],
-  '^\\./git\\.js$': [/pacote[\\/]lib[\\/]/, 'pacote-fetcher-throw.cjs'],
-  '^\\./remote\\.js$': [/pacote[\\/]lib[\\/]/, 'pacote-fetcher-throw.cjs'],
+  // Pacote fetchers were previously stubbed on the assumption that
+  // our API surface only passes registry specs. That assumption is
+  // false:
+  //   - `./dir.js`    is reached for directory specs that
+  //                   `packPackage(path)` / `extractPackage(path)`
+  //                   routinely pass.
+  //   - `./file.js`   is reached for local tarball specs.
+  //   - `./remote.js` is reached for http(s) tarball specs AND
+  //                   internally from registry.js's
+  //                   `_tarballFromResolved()` which streams every
+  //                   registry tarball as a remote fetch.
+  //   - `./git.js`    is reached for `git+https://`, `github:`,
+  //                   `gitlab:`, etc. specs. We don't test that
+  //                   path, but our API surface doesn't forbid it,
+  //                   and stubbing silently turns a valid spec into
+  //                   "this pacote fetcher is stubbed out" at
+  //                   runtime.
+  // None of them can be safely stubbed at the API boundary we
+  // expose, so leave all four fetchers real.
   // Arborist AuditReport — load() is gated on options.audit !== false
   // and we always pass audit: false. The require is eager but the
   // class is never instantiated.