feat(primordials): add @socketsecurity/lib/primordials export and migrate internals

Add a new public module at `./primordials` exposing safe references to
built-in constructors, static methods, and prototype methods — captured
at module load time so prototype-pollution attacks on the caller realm
can't redirect library internals.

The surface (~100 helpers) matches the Node.js-internal primordials
convention:
- Static methods retain their name: `ObjectKeys`, `ArrayIsArray`,
  `JSONParse`, `ReflectApply`.
- Prototype methods are uncurried via `uncurryThis` so callers write
  `StringPrototypeSlice(str, 0, 3)` instead of `str.slice(0, 3)`.
- Constructors get a `Ctor` suffix (`MapCtor`, `SetCtor`, …) to avoid
  shadowing the capital-case global.

Based on the primordials file socket-packageurl-js has shipped
privately; this makes the same surface available fleet-wide so other
security-sensitive consumers (registry manifest readers, CLI parsers,
SBOM ecosystem detectors) can stop hand-capturing and stop repeating
the tsgo-destructuring workaround.

Migrate six internal socket-lib files to the new module — strictly a
cleanup, no behavior change, -16 net lines:

- src/debug.ts, src/logger.ts, src/signal-exit.ts,
  src/suppress-warnings.ts: replace local `const ReflectApply =
  Reflect.apply` with `import { ReflectApply } from './primordials'`.
- src/errors.ts: switch isErrorShim to use the uncurried
  `ObjectPrototypeToString(value)` directly — drops the
  `ReflectApply(ObjectPrototypeToString, value, [])` plumbing.
- src/objects.ts: drop ~13 lines of ad-hoc Object.* captures in
  favour of the centralized imports; `__defineGetter__` stays local
  (it's deprecated-but-present, not in the primordials surface).

Add test/unit/primordials.test.mts (17 tests, 100% pass) covering
constructors, Array/Object/String/Reflect/RegExp/Symbol surfaces, the
prototype-pollution resilience scenario (`Array.prototype.map`
clobbered → captured reference still works), and the `uncurryThis`
helper for callers building their own primordials.

Bump to 5.25.0.

Author: jdalton

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.24.0",
+  "version": "5.25.0",
   "packageManager": "pnpm@11.0.0-rc.5",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
@@ -519,6 +519,10 @@
       "types": "./dist/performance.d.ts",
       "default": "./dist/performance.js"
     },
+    "./primordials": {
+      "types": "./dist/primordials.d.ts",
+      "default": "./dist/primordials.js"
+    },
     "./process-lock": {
       "types": "./dist/process-lock.d.ts",
       "default": "./dist/process-lock.js"

src/debug.ts

@@ -10,15 +10,10 @@ import debugJs from './external/debug'
 
 import { getDefaultLogger } from './logger'
 import { hasOwn } from './objects'
+import { ReflectApply } from './primordials'
 import { getDefaultSpinner } from './spinner'
 import { applyLinePrefix } from './strings'
 
-// IMPORTANT: Do not use destructuring here - use direct assignment instead.
-// tsgo has a bug that incorrectly transpiles destructured exports, resulting in
-// `exports.SomeName = void 0;` which causes runtime errors.
-// See: https://github.com/SocketDev/socket-packageurl-js/issues/3
-const ReflectApply = Reflect.apply
-
 const logger = getDefaultLogger()
 
 // Type definitions

src/errors.ts

@@ -15,13 +15,10 @@
 
 import { UNKNOWN_ERROR } from './constants/core'
 import { messageWithCauses, stackWithCauses } from './external/pony-cause'
+import { ObjectPrototypeToString } from './primordials'
 
 export { UNKNOWN_ERROR, messageWithCauses, stackWithCauses }
 
-// Capture built-ins so a later monkey-patch can't poison our checks.
-const ObjectPrototypeToString = Object.prototype.toString
-const ReflectApply = Reflect.apply
-
 /**
  * Spec-compliant [`Error.isError`](https://tc39.es/ecma262/#sec-error.iserror)
  * with a fallback shim for engines that don't ship it yet.
@@ -53,7 +50,7 @@ export function isErrorShim(value: unknown): value is Error {
   if (value === null || typeof value !== 'object') {
     return false
   }
-  return ReflectApply(ObjectPrototypeToString, value, []) === '[object Error]'
+  return ObjectPrototypeToString(value) === '[object Error]'
 }
 
 /**

src/logger.ts

@@ -8,6 +8,7 @@ import process from 'node:process'
 import isUnicodeSupported from './external/@socketregistry/is-unicode-supported'
 import yoctocolorsCjs from './external/yoctocolors-cjs'
 
+import { ReflectApply, ReflectConstruct } from './primordials'
 import { applyLinePrefix, isBlankString } from './strings'
 import { getTheme, onThemeChange } from './themes/context'
 import { THEMES } from './themes/themes'
@@ -89,12 +90,6 @@ interface Task {
 export type { LogSymbols, LoggerMethods, Task }
 
 const globalConsole = console
-// IMPORTANT: Do not use destructuring here - use direct assignment instead.
-// tsgo has a bug that incorrectly transpiles destructured exports, resulting in
-// `exports.SomeName = void 0;` which causes runtime errors.
-// See: https://github.com/SocketDev/socket-packageurl-js/issues/3
-const ReflectApply = Reflect.apply
-const ReflectConstruct = Reflect.construct
 
 let _Console: typeof import('node:console').Console | undefined
 let _consoleSymbols: symbol[] | undefined

src/objects.ts

@@ -10,6 +10,20 @@ import {
 } from './constants/core'
 
 import { isArray } from './arrays'
+import {
+  ObjectDefineProperties,
+  ObjectDefineProperty,
+  ObjectFreeze,
+  ObjectFromEntries,
+  ObjectGetOwnPropertyDescriptors,
+  ObjectGetOwnPropertyNames,
+  ObjectGetPrototypeOf,
+  ObjectHasOwn,
+  ObjectKeys,
+  ObjectPrototype,
+  ObjectSetPrototypeOf,
+  ReflectOwnKeys,
+} from './primordials'
 import { localeCompare } from './sorts'
 
 // Type definitions
@@ -78,32 +92,14 @@ type SortedObject<T> = {
 
 export type { GetterDefObj, LazyGetterStats, ConstantsObjectOptions, Remap }
 
-// IMPORTANT: Do not use destructuring here - use direct assignment instead.
-// tsgo has a bug that incorrectly transpiles destructured exports, resulting in
-// `exports.SomeName = void 0;` which causes runtime errors.
-// See: https://github.com/SocketDev/socket-packageurl-js/issues/3
-const ObjectDefineProperties = Object.defineProperties
-const ObjectDefineProperty = Object.defineProperty
-const ObjectFreeze = Object.freeze
-const ObjectFromEntries = Object.fromEntries
-const ObjectGetOwnPropertyDescriptors = Object.getOwnPropertyDescriptors
-const ObjectGetOwnPropertyNames = Object.getOwnPropertyNames
-const ObjectGetPrototypeOf = Object.getPrototypeOf
-const ObjectHasOwn = Object.hasOwn
-const ObjectKeys = Object.keys
-const ObjectPrototype = Object.prototype
-const ObjectSetPrototypeOf = Object.setPrototypeOf
+// __defineGetter__ is not in the public primordials surface — it's
+// deprecated-but-present on Object.prototype. Capture locally.
 // @ts-expect-error - __defineGetter__ exists but not in type definitions.
 // IMPORTANT: Do not use destructuring here - use direct assignment instead.
 // tsgo has a bug that incorrectly transpiles destructured exports, resulting in
 // `exports.SomeName = void 0;` which causes runtime errors.
 // See: https://github.com/SocketDev/socket-packageurl-js/issues/3
 const __defineGetter__ = Object.prototype.__defineGetter__
-// IMPORTANT: Do not use destructuring here - use direct assignment instead.
-// tsgo has a bug that incorrectly transpiles destructured exports, resulting in
-// `exports.SomeName = void 0;` which causes runtime errors.
-// See: https://github.com/SocketDev/socket-packageurl-js/issues/3
-const ReflectOwnKeys = Reflect.ownKeys
 
 /**
  * Create a frozen constants object with lazy getters and internal properties.