chore: bump version to 6.0.7

Author: jdalton

.config/fleet/oxlint-plugin/index.mts

@@ -49,7 +49,6 @@ import preferEllipsisChar from './rules/prefer-ellipsis-char.mts'
 import preferEnvAsBoolean from './rules/prefer-env-as-boolean.mts'
 import preferErrorMessage from './rules/prefer-error-message.mts'
 import preferExistsSync from './rules/prefer-exists-sync.mts'
-import preferFindUpPackageJson from './rules/prefer-find-up-package-json.mts'
 import preferFunctionDeclaration from './rules/prefer-function-declaration.mts'
 import preferMockImport from './rules/prefer-mock-import.mts'
 import preferNodeBuiltinImports from './rules/prefer-node-builtin-imports.mts'
@@ -124,7 +123,6 @@ const plugin = {
     'prefer-env-as-boolean': preferEnvAsBoolean,
     'prefer-error-message': preferErrorMessage,
     'prefer-exists-sync': preferExistsSync,
-    'prefer-find-up-package-json': preferFindUpPackageJson,
     'prefer-function-declaration': preferFunctionDeclaration,
     'prefer-mock-import': preferMockImport,
     'prefer-node-builtin-imports': preferNodeBuiltinImports,

.config/fleet/oxlint-plugin/rules/prefer-find-up-package-json.mts

@@ -5,17 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [6.0.7](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.7) - 2026-06-02
+## [6.0.7](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.7) - 2026-06-03
 
 ### Added
 
+- **`external-tools/python` — zero-host-dependency Python.** `resolvePython` (PATH → python-build-standalone download), `downloadPipPackage` (bundle-safe `pip install --target`), `resolvePipPackagePin` (hash-pinned closure), and the `dlxPipInstall` / `dlxPipPin` one-call wrappers. Removes the unused `external-tools/uv`.
+- **`constants/platform` — `getOs`, `getLibc`, `getTarget`.** OS, libc (`glibc`/`musl`/`undefined`), and the pnpm `pack-app` host token `<os>-<arch>[-<libc>]`.
 - **`http-request` decompresses `gzip` / `br` response bodies.** Buffered requests advertise `Accept-Encoding: gzip, br` and now decode the body by its `Content-Encoding` before resolving. 6.0.6 sent the header but never decompressed, so a compressed response reached callers as raw deflated bytes. Streamed requests (`stream: true`, e.g. `httpDownload`) skip the header so piped-to-disk payloads stay raw and checksum cleanly. Callers can override with `'identity'`.
 - **`crypto/hash` blob content-address helpers.** `blobHashOf(bytes)` returns Socket's content-addressed blob hash (`Q` + base64url(sha256)), and `verifyBlobHash(hash, bytes)` throws when bytes don't hash to the expected address. Both build on the fast one-shot `hash()`; the `S` file-stream discriminator verifies against the same digest body. Lets blob consumers (the SDK, MCP server) verify integrity against one canonical implementation instead of re-deriving the scheme.
 - **`integrity` — unified checksum/integrity surface.** `checksumToIntegrity(hex, algorithm?)` and `integrityToChecksum(sri)` convert between the two named hash flavors and are idempotent on the destination format (pass an SRI to `checksumToIntegrity`, get it back unchanged). `isIntegrity(s)` and `isChecksum(s)` are the predicates. `parseIntegrity(s)` returns `{ algorithm, body }` for the SRI structure. Replaces the `src/ssri/` directory (`hexToSsri`, `ssriToHex`, `isValidHex`, `isValidSsri`, `parseSsri`) — SSRI is just another name for Subresource Integrity, so the duplication confused readers. `isIntegrity` now accepts the full W3C SRI set (`sha256` / `sha384` / `sha512`) — the previous predicate hardcoded `sha512` only, which mismatched the contract `external-tools/manifest.ts` already promised and rejected the fleet's `sha256-<base64>` integrity strings.
 - **`process/spawn/kill-tree` — cross-platform process-tree termination.** `killProcessTree(target, { detached?, signal? })` walks and signals the whole descendant tree of a `pid` or `ChildProcess`: POSIX uses `process.kill(-pid, signal)` against the detached child's process group; Windows shells out to `taskkill /T /F /pid <pid>`. `isProcessAlive(pid)` probes liveness with `process.kill(pid, 0)`. Both helpers are best-effort and never throw — `ESRCH` (process gone) or `EPERM` (not ours) returns `false` so cleanup kills can't mask the caller's control flow.
 
+### Changed
+
+- **dlx + pin API renamed (breaking).** `downloadPackage` → `downloadNpmPackage`, `generatePackagePin` → `resolveNpmPackagePin`, the `package` option → `spec`. `downloadNpmPackage` gains an optional `hash` for tarball integrity.
+- **`packages/operations` split by concern (breaking).** The grab-bag `@socketsecurity/lib/packages/operations` export is gone; its members move to focused subpaths: `readPackageJson`/`readPackageJsonSync` → `packages/read`, the fetcher + GitHub tarball resolver → `packages/fetch`, `extractPackage`/`packPackage` → `packages/tarball`, the dependency-metadata override lookup → `packages/metadata-extensions`, and the name/spec helpers → `packages/specs`. `findUpPackageJson` now lives at `packages/find` (the `packages/find-up` subpath is removed). The `fs/find-up` subpath is renamed `fs/find`, and `fs/path-cache` is renamed `fs/allowed-dirs-cache` (it caches the safe-delete allowed-directories set, not arbitrary paths).
+
 ### Fixed
 
+- **Python downloads now work on Windows and Alpine.** python-build-standalone resolution previously returned no asset on `win32` and musl hosts; both now resolve.
 - **`debug` — namespace `SOCKET_DEBUG` values enable debug output.** `envAsBoolean(getSocketDebug())` returned false for `SOCKET_DEBUG=*` or `SOCKET_DEBUG=socket:foo` — those aren't boolean literals, so debug output was silently suppressed for the common namespace-selection shape. The new `isSocketDebugEnabled()` helper treats any non-empty value other than `0`/`false`/`no` (case-insensitive) as enabled.
 - **`external-tools/skillspector` pipx detection on Windows.** The PATH-tier resolver normalizes the resolved binary path with `normalizePath` and matches a forward-slash-only `pipx/venvs/` pattern, instead of `path.normalize` plus a dual-separator regex. On Windows the old form left backslashes in the path and missed pipx-installed binaries, tagging them `source: 'path'` rather than `source: 'pipx'`.
 

.config/fleet/oxlint-plugin/test/prefer-find-up-package-json.test.mts

@@ -1385,26 +1385,26 @@
       "types": "./dist/fs/access.d.ts",
       "default": "./dist/fs/access.js"
     },
+    "./fs/allowed-dirs-cache": {
+      "source": "./src/fs/allowed-dirs-cache.ts",
+      "types": "./dist/fs/allowed-dirs-cache.d.ts",
+      "default": "./dist/fs/allowed-dirs-cache.js"
+    },
     "./fs/encoding": {
       "source": "./src/fs/encoding.ts",
       "types": "./dist/fs/encoding.d.ts",
       "default": "./dist/fs/encoding.js"
     },
-    "./fs/find-up": {
-      "source": "./src/fs/find-up.ts",
-      "types": "./dist/fs/find-up.d.ts",
-      "default": "./dist/fs/find-up.js"
+    "./fs/find": {
+      "source": "./src/fs/find.ts",
+      "types": "./dist/fs/find.d.ts",
+      "default": "./dist/fs/find.js"
     },
     "./fs/inspect": {
       "source": "./src/fs/inspect.ts",
       "types": "./dist/fs/inspect.d.ts",
       "default": "./dist/fs/inspect.js"
     },
-    "./fs/path-cache": {
-      "source": "./src/fs/path-cache.ts",
-      "types": "./dist/fs/path-cache.d.ts",
-      "default": "./dist/fs/path-cache.js"
-    },
     "./fs/read-dir": {
       "source": "./src/fs/read-dir.ts",
       "types": "./dist/fs/read-dir.d.ts",
@@ -2016,6 +2016,16 @@
       "types": "./dist/packages/exports.d.ts",
       "default": "./dist/packages/exports.js"
     },
+    "./packages/fetch": {
+      "source": "./src/packages/fetch.ts",
+      "types": "./dist/packages/fetch.d.ts",
+      "default": "./dist/packages/fetch.js"
+    },
+    "./packages/find": {
+      "source": "./src/packages/find.ts",
+      "types": "./dist/packages/find.d.ts",
+      "default": "./dist/packages/find.js"
+    },
     "./packages/isolation": {
       "source": "./src/packages/isolation.ts",
       "types": "./dist/packages/isolation.d.ts",
@@ -2031,26 +2041,36 @@
       "types": "./dist/packages/manifest.d.ts",
       "default": "./dist/packages/manifest.js"
     },
+    "./packages/metadata-extensions": {
+      "source": "./src/packages/metadata-extensions.ts",
+      "types": "./dist/packages/metadata-extensions.d.ts",
+      "default": "./dist/packages/metadata-extensions.js"
+    },
     "./packages/normalize": {
       "source": "./src/packages/normalize.ts",
       "types": "./dist/packages/normalize.d.ts",
       "default": "./dist/packages/normalize.js"
     },
-    "./packages/operations": {
-      "source": "./src/packages/operations.ts",
-      "types": "./dist/packages/operations.d.ts",
-      "default": "./dist/packages/operations.js"
-    },
     "./packages/provenance": {
       "source": "./src/packages/provenance.ts",
       "types": "./dist/packages/provenance.d.ts",
       "default": "./dist/packages/provenance.js"
     },
+    "./packages/read": {
+      "source": "./src/packages/read.ts",
+      "types": "./dist/packages/read.d.ts",
+      "default": "./dist/packages/read.js"
+    },
     "./packages/specs": {
       "source": "./src/packages/specs.ts",
       "types": "./dist/packages/specs.d.ts",
       "default": "./dist/packages/specs.js"
     },
+    "./packages/tarball": {
+      "source": "./src/packages/tarball.ts",
+      "types": "./dist/packages/tarball.d.ts",
+      "default": "./dist/packages/tarball.js"
+    },
     "./packages/types": {
       "source": "./src/packages/types.ts",
       "types": "./dist/packages/types.d.ts",

.config/fleet/oxlintrc.json

@@ -13,6 +13,9 @@ import fastGlob from 'fast-glob'
 
 import { getDefaultLogger } from '@socketsecurity/lib-stable/logger/default'
 import { toSortedObject } from '@socketsecurity/lib-stable/objects/sort'
+// Scripts run against the RELEASED `-stable` surface (never src/). readPackageJson
+// lives at `packages/operations` in the released version; the WIP src/ rename to
+// `packages/read` only applies after 6.0.7 ships, at which point this bumps too.
 import { readPackageJson } from '@socketsecurity/lib-stable/packages/operations'
 
 const logger = getDefaultLogger()

CHANGELOG.md

@@ -13,7 +13,7 @@
  */
 
 import { isInSocketDlx } from './paths'
-import { findUpSync } from '../fs/find-up'
+import { findUpSync } from '../fs/find'
 import { getSocketDlxDir } from '../paths/socket'
 
 import { DateNow } from '../primordials/date'

package.json

@@ -25,7 +25,7 @@ import {
   getNodeNoWarningsFlags,
   supportsNodeRun,
 } from '../../constants/node'
-import { findUpSync } from '../../fs/find-up'
+import { findUpSync } from '../../fs/find'
 import { getOwn } from '../../objects/inspect'
 import { ArrayIsArray } from '../../primordials/array'
 import { ErrorCtor } from '../../primordials/error'