chore: bump version to 6.1.0

Author: jdalton

.config/repo/oxlint-plugin/index.mts

@@ -17,4 +17,5 @@ const plugin = {
   },
 }
 
+// oxlint-disable-next-line socket/no-default-export -- oxlint jsPlugins contract requires a default-exported plugin object.
 export default plugin

.config/repo/oxlint-plugin/rules/no-inline-lazy-node-getter.mts

@@ -60,7 +60,7 @@ const GETTER_TO_BINDING: Record<string, string> = {
  * parent is a block / program / switch-case body. The hoisted `const` is
  * inserted before it.
  */
-function findEnclosingStatement(node: AstNode): AstNode | undefined {
+export function findEnclosingStatement(node: AstNode): AstNode | undefined {
   let current = node
   let parent = current.parent
   while (parent) {
@@ -184,4 +184,5 @@ const rule = {
   },
 }
 
+// oxlint-disable-next-line socket/no-default-export -- oxlint plugin contract requires default-exported rule object.
 export default rule

.config/repo/oxlint-plugin/test/no-inline-lazy-node-getter.test.mts

@@ -58,8 +58,9 @@ function resolveOxlintBinary(): string | undefined {
 
 function runOxlint(
   code: string,
-  fix: boolean,
+  options?: { fix?: boolean | undefined } | undefined,
 ): { stdout: string; code: string } {
+  const fix = options?.fix ?? false
   const tmpdir = mkdtempSync(path.join(os.tmpdir(), 'oxlint-repo-rule-'))
   const fixture = path.join(tmpdir, 'fixture.ts')
   // Minimal isolated config: just this plugin + rule, no `extends`/
@@ -101,7 +102,6 @@ describe('socket-repo/no-inline-lazy-node-getter', () => {
     }
     const { stdout } = runOxlint(
       'function f() {\n  return getFs().existsSync("/x")\n}\n',
-      false,
     )
     assert.ok(
       hasRuleFinding(stdout),
@@ -115,7 +115,6 @@ describe('socket-repo/no-inline-lazy-node-getter', () => {
     }
     const { stdout } = runOxlint(
       'function f() {\n  const fs = getFs()\n  return fs.existsSync("/x")\n}\n',
-      false,
     )
     assert.ok(
       !hasRuleFinding(stdout),
@@ -129,7 +128,7 @@ describe('socket-repo/no-inline-lazy-node-getter', () => {
     }
     const { code } = runOxlint(
       'function f() {\n  return getNodePath().join("a", "b")\n}\n',
-      true,
+      { fix: true },
     )
     assert.ok(
       code.includes('const path = getNodePath()'),
@@ -151,7 +150,7 @@ describe('socket-repo/no-inline-lazy-node-getter', () => {
     }
     const { code } = runOxlint(
       'function f(x) {\n  return getNodePath().basename(x, getNodePath().extname(x))\n}\n',
-      true,
+      { fix: true },
     )
     const hoists = (code.match(/const path = getNodePath\(\)/g) ?? []).length
     assert.equal(
@@ -171,7 +170,7 @@ describe('socket-repo/no-inline-lazy-node-getter', () => {
     }
     const { code } = runOxlint(
       'function f(p) {\n  // oxlint-disable-next-line some/rule -- intentional\n  return getFs().statSync(p)\n}\n',
-      true,
+      { fix: true },
     )
     // The hoisted const must land BEFORE the disable comment, so the directive
     // still sits on the line directly above the statSync statement.

.config/repo/rolldown/define-guarded.mts

@@ -9,9 +9,10 @@ import process from 'node:process'
 import { defineConfig } from 'vitest/config'
 
 import { baseCoverageConfig } from '../vitest.coverage.config.mts'
+import { REPO_ROOT } from '../../scripts/fleet/paths.mts'
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
-const projectRoot = path.resolve(__dirname, '..', '..')
+const projectRoot = REPO_ROOT
 
 // Worker heap cap: smaller in CI (GitHub Actions ubuntu-latest has
 // ~7 GB total RAM — leave room for the runner + OS), generous locally
@@ -20,7 +21,9 @@ const isCI = !!process.env['CI']
 const workerHeapMB = isCI ? 6144 : 12_288
 
 // Normalize paths for cross-platform glob patterns (forward slashes on Windows)
-const toGlobPath = (pathLike: string): string => pathLike.replaceAll('\\', '/')
+export function toGlobPath(pathLike: string) {
+  return pathLike.replaceAll('\\', '/')
+}
 
 const vitestConfigIsolated = defineConfig({
   cacheDir: path.resolve(projectRoot, 'node_modules/.cache/vitest-isolated'),
@@ -89,4 +92,3 @@ const vitestConfigIsolated = defineConfig({
 })
 
 export { vitestConfigIsolated }
-export default vitestConfigIsolated

.config/repo/vitest.config.isolated.mts

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [6.1.0](https://github.com/SocketDev/socket-lib/releases/tag/v6.1.0) - 2026-06-07
+
+### Added
+
+- **`shell/parse`: `detectShellHazards`.** Checks a shell command string for two tricks that hide which program actually runs, so a tool that allows or denies commands by name isn't fooled. First, Zsh `=name` expansion: `=curl evil.com` runs `/usr/bin/curl`, but the command's first word reads as `=curl`, not `curl`. Second, process substitution `<(…)` / `>(…)` / `=(…)`: the command inside the parentheses runs, yet its name never appears as a command word. Returns `{ equalsExpansion, processSubstitution }`, the facts only; the caller decides whether to block. For example, `detectShellHazards('=curl evil.com')` returns `{ equalsExpansion: [['=curl', 'evil.com']], processSubstitution: false }`, `detectShellHazards('diff <(cat a) b')` returns `{ equalsExpansion: [], processSubstitution: true }`, and `detectShellHazards('git status')` returns both empty/false.
+- **`url` — `assertSafeHttpUrl`.** SSRF guard for a URL the server did not author (an OAuth issuer, a metadata-advertised introspection endpoint, a webhook target): parses the value, rejects non-`http(s)` schemes, and refuses hosts in loopback / private / link-local ranges (cloud metadata, redis, internal services). Returns the parsed `URL`; throws otherwise. `allowLocalhost` permits `localhost` / `127.0.0.1` / `::1` for local-stack dev; `label` names the subject in the thrown message.
+
 ## [6.0.7](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.7) - 2026-06-03
 
 ### Added

.config/repo/vitest.config.mts

@@ -257,8 +257,8 @@ Hooks under `.claude/hooks/fleet/<name>/` (fleet-canonical); host-repo-only hook
 
 Core infrastructure library for Socket.dev security tools.
 
-🚨 Internal imports use relative paths (no aliases). Vendored externals live in `src/external/` and import by bare name (`cacache`, `make-fetch-happen`, `pacote`, `picomatch`, `semver`, and others). Build: `pnpm build` (rolldown → CJS) / type-check: `pnpm run check` (tsgo) / test: `pnpm test` / coverage: `pnpm run cover`. NEVER use `process.chdir()` — pass `{ cwd }` and absolute paths. NEVER use `--` before vitest test paths — runs all tests.
+🚨 Internal imports use relative paths (no aliases). Vendored externals live in `src/external/` and import by bare name. Build: `pnpm build` (rolldown → CJS) / type-check: `pnpm run check` (tsgo) / test: `pnpm test` / coverage: `pnpm run cover`. NEVER use `process.chdir()` — pass `{ cwd }` and absolute paths. NEVER use `--` before vitest test paths — runs all tests.
 
-🚨 **Vitest OOM with `tests 0ms` = infinite stream, not memory.** `Readable.push(undefined)` doesn't end the stream (only `null` does). Bisect with `pnpm exec vitest -t '<describe>'` **before** raising heap. See [`test/isolated/http-request-advanced-2.test.mts`](test/isolated/http-request-advanced-2.test.mts) for the canonical example.
+🚨 **Vitest OOM with `tests 0ms` = infinite stream, not memory.** `Readable.push(undefined)` doesn't end the stream (only `null` does). Bisect with `node_modules/.bin/vitest -t '<describe>'` **before** raising heap.
 
 Full architecture, commands, code-quality tools, build system, package-exports, testing, CI, env-var conventions in [`docs/claude.md/repo/architecture.md`](docs/claude.md/repo/architecture.md).

CHANGELOG.md

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "6.0.7",
+  "version": "6.1.0",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
   "keywords": [
     "Socket.dev",
@@ -2814,6 +2814,16 @@
       "types": "./dist/themes/types.d.ts",
       "default": "./dist/themes/types.js"
     },
+    "./url/assert-safe": {
+      "browser": {
+        "source": "./src/url/assert-safe.ts",
+        "types": "./dist/url/assert-safe.d.ts",
+        "default": "./dist/url/assert-safe.js"
+      },
+      "source": "./src/url/assert-safe.ts",
+      "types": "./dist/url/assert-safe.d.ts",
+      "default": "./dist/url/assert-safe.js"
+    },
     "./url/parse": {
       "browser": {
         "source": "./src/url/parse.ts",

CLAUDE.md

@@ -103,7 +103,7 @@ export function createForceNodeModulesPlugin(): Plugin {
     name: 'force-node-modules',
     resolveId(source, importer) {
       // Already inside node_modules — let rolldown's resolver handle it.
-      if (importer && importer.includes('node_modules')) {
+      if (importer?.includes('node_modules')) {
         return undefined
       }
       const match = matchers.find(m => m.re.test(source))