refactor: migrate to @socketsecurity/lib/primordials (#623)

Swaps direct global usage for primordials across the SDK source.
Primordials capture references to JavaScript built-ins (Object.keys,
Array.prototype.map, JSON.parse, ...) at module load time, before
user code can tamper with prototypes or globals — a hardening tool
for code that processes adversarial input.

Bumps @socketsecurity/lib 5.24.0 → 5.25.1 to pick up the
@socketsecurity/lib/primordials surface (added in 5.25.0).

Sites converted (audit found none remaining):

  src/constants.ts
    new Set(...)   → new SetCtor(...)
    new Map<...>(...) → new MapCtor(...) with type annotation

  src/http-client.ts
    Date.now()     → DateNow()  (9 sites)
    new Set(...)   → new SetCtor(...)
    str.trim()     → StringPrototypeTrim(str)

  src/quota-utils.ts
    new Error(...) → new ErrorCtor(...)  (5 sites)

  src/socket-sdk-class.ts
    new Error(...)     → new ErrorCtor(...)  (12 sites)
    new TypeError(...) → new TypeErrorCtor(...)  (2 sites)
    Array.isArray(x)   → ArrayIsArray(x)
    str.trim()         → StringPrototypeTrim(str)  (4 sites)

  src/utils.ts
    s.toLowerCase()         → StringPrototypeToLowerCase(s)
    new Set(...)            → new SetCtor(...)
    str.trim()              → StringPrototypeTrim(str)  (multiple)
    str.endsWith(...)       → StringPrototypeEndsWith(str, ...)
    Promise.withResolvers   → PromiseWithResolvers (with cast for generics)
    new URLSearchParams(...) → new URLSearchParamsCtor(...)  (2 sites)

  src/utils/header-sanitization.ts
    Array.isArray(x) → ArrayIsArray(x)  (2 sites)
    key.toLowerCase() → StringPrototypeToLowerCase(key)

prim audit: surface complete (no gaps), 0 sites remain.
prim audit run: \`node /path/to/socket-lib/tools/prim/bin/prim.mts audit --target . --dir src\`

Verification:
  pnpm install           ✓
  pnpm run check --all   ✓ (lint + typecheck pass)
  pnpm test              ✓ 565/565 tests pass

Author: jdalton

package.json

@@ -71,7 +71,7 @@
     "@babel/traverse": "7.26.4",
     "@babel/types": "7.26.3",
     "@oxlint/migrate": "1.52.0",
-    "@socketsecurity/lib": "5.24.0",
+    "@socketsecurity/lib": "5.25.1",
     "@sveltejs/acorn-typescript": "1.0.8",
     "@types/babel__traverse": "7.28.0",
     "@types/node": "24.9.2",

pnpm-lock.yaml

@@ -3,6 +3,8 @@
  * Provides default values, HTTP agents, and public policy configurations for API interactions.
  */
 
+import { MapCtor, SetCtor } from '@socketsecurity/lib/primordials'
+
 import rootPkgJson from '../package.json' with { type: 'json' }
 import { createUserAgentFromPkgJson } from './user-agent'
 
@@ -60,10 +62,10 @@ export const SOCKET_FIREWALL_API_URL = 'https://firewall-api.socket.dev/purl'
 
 // https://github.com/sindresorhus/got/blob/v14.4.6/documentation/2-options.md#agent
 // Valid HTTP agent names for Got-style agent configuration compatibility.
-export const httpAgentNames = new Set(['http', 'https', 'http2'])
+export const httpAgentNames = new SetCtor(['http', 'https', 'http2'])
 
 // Public security policy.
-export const publicPolicy = new Map<ALERT_TYPE, ALERT_ACTION>([
+export const publicPolicy: Map<ALERT_TYPE, ALERT_ACTION> = new MapCtor([
   // error (1):
   ['malware', 'error'],
   // warn (7):

src/constants.ts

@@ -3,6 +3,11 @@ import { isError } from '@socketsecurity/lib/errors'
 import { httpRequest } from '@socketsecurity/lib/http-request'
 import { jsonParse } from '@socketsecurity/lib/json/parse'
 import { perfTimer } from '@socketsecurity/lib/performance'
+import {
+  DateNow,
+  SetCtor,
+  StringPrototypeTrim,
+} from '@socketsecurity/lib/primordials'
 
 import {
   MAX_RESPONSE_SIZE,
@@ -44,7 +49,7 @@ export async function createDeleteRequest(
   urlPath: string,
   options?: RequestOptionsWithHooks | undefined,
 ): Promise<HttpResponse> {
-  const startTime = Date.now()
+  const startTime = DateNow()
   const url = `${baseUrl}${urlPath}`
   const method = 'DELETE'
   const { hooks, ...rawOpts } = {
@@ -74,7 +79,7 @@ export async function createDeleteRequest(
       hooks.onResponse({
         method,
         url,
-        duration: Date.now() - startTime,
+        duration: DateNow() - startTime,
         status: response.status,
         statusText: response.statusText,
         headers: sanitizeHeaders(response.headers),
@@ -87,7 +92,7 @@ export async function createDeleteRequest(
       hooks.onResponse({
         method,
         url,
-        duration: Date.now() - startTime,
+        duration: DateNow() - startTime,
         error: e as Error,
       })
     }
@@ -101,7 +106,7 @@ export async function createGetRequest(
   urlPath: string,
   options?: RequestOptionsWithHooks | undefined,
 ): Promise<HttpResponse> {
-  const startTime = Date.now()
+  const startTime = DateNow()
   const url = `${baseUrl}${urlPath}`
   const method = 'GET'
   const stopTimer = perfTimer('http:get', { urlPath })
@@ -133,7 +138,7 @@ export async function createGetRequest(
       hooks.onResponse({
         method,
         url,
-        duration: Date.now() - startTime,
+        duration: DateNow() - startTime,
         status: response.status,
         statusText: response.statusText,
         headers: sanitizeHeaders(response.headers),
@@ -148,7 +153,7 @@ export async function createGetRequest(
       hooks.onResponse({
         method,
         url,
-        duration: Date.now() - startTime,
+        duration: DateNow() - startTime,
         error: e as Error,
       })
     }
@@ -164,7 +169,7 @@ export async function createRequestWithJson(
   json: unknown,
   options?: RequestOptionsWithHooks | undefined,
 ): Promise<HttpResponse> {
-  const startTime = Date.now()
+  const startTime = DateNow()
   const url = `${baseUrl}${urlPath}`
   const stopTimer = perfTimer(`http:${method.toLowerCase()}`, {
     urlPath,
@@ -203,7 +208,7 @@ export async function createRequestWithJson(
       hooks.onResponse({
         method,
         url,
-        duration: Date.now() - startTime,
+        duration: DateNow() - startTime,
         status: response.status,
         statusText: response.statusText,
         headers: sanitizeHeaders(response.headers),
@@ -218,7 +223,7 @@ export async function createRequestWithJson(
       hooks.onResponse({
         method,
         url,
-        duration: Date.now() - startTime,
+        duration: DateNow() - startTime,
         error: e as Error,
       })
     }
@@ -335,9 +340,10 @@ export function reshapeArtifactForPublicPolicy<
   policy?: Map<string, string> | undefined,
 ): T {
   if (!isAuthenticated) {
-    const allowedActions = actions?.trim()
-      ? new Set(actions.split(','))
-      : undefined
+    const allowedActions =
+      actions !== undefined && StringPrototypeTrim(actions)
+        ? new SetCtor(actions.split(','))
+        : undefined
     const resolvedPolicy = policy ?? defaultPublicPolicy
 
     const reshapeArtifact = (artifact: SocketArtifactWithExtras) => ({

src/http-client.ts

@@ -3,6 +3,7 @@ import { existsSync, readFileSync } from 'node:fs'
 import { join } from 'node:path'
 
 import { memoize, once } from '@socketsecurity/lib/memoization'
+import { ErrorCtor } from '@socketsecurity/lib/primordials'
 
 import type { SocketSdkOperations } from './types'
 
@@ -36,14 +37,14 @@ const loadRequirements = once((): Requirements => {
     // Check if the requirements file exists before attempting to read.
     /* c8 ignore next 3 - Error path tested in isolation but memoization prevents coverage in main test run */
     if (!existsSync(requirementsPath)) {
-      throw new Error(`Requirements file not found at: ${requirementsPath}`)
+      throw new ErrorCtor(`Requirements file not found at: ${requirementsPath}`)
     }
 
     const data = readFileSync(requirementsPath, 'utf8')
     return JSON.parse(data) as Requirements
   } catch (e) {
     /* c8 ignore next 2 - Error wrapping tested in isolation but memoization prevents coverage in main test run */
-    throw new Error('Failed to load SDK method requirements', { cause: e })
+    throw new ErrorCtor('Failed to load SDK method requirements', { cause: e })
   }
 })
 
@@ -89,7 +90,7 @@ export const getMethodRequirements = memoize(
     const requirement = reqs.api[methodName as string]
 
     if (!requirement) {
-      throw new Error(`Unknown SDK method: "${String(methodName)}"`)
+      throw new ErrorCtor(`Unknown SDK method: "${String(methodName)}"`)
     }
 
     return {
@@ -149,7 +150,7 @@ export const getQuotaCost = memoize(
     const requirement = reqs.api[methodName as string]
 
     if (!requirement) {
-      throw new Error(`Unknown SDK method: "${String(methodName)}"`)
+      throw new ErrorCtor(`Unknown SDK method: "${String(methodName)}"`)
     }
 
     return requirement.quota
@@ -198,7 +199,7 @@ export const getRequiredPermissions = memoize(
     const requirement = reqs.api[methodName as string]
 
     if (!requirement) {
-      throw new Error(`Unknown SDK method: "${String(methodName)}"`)
+      throw new ErrorCtor(`Unknown SDK method: "${String(methodName)}"`)
     }
 
     return [...requirement.permissions]

src/quota-utils.ts

@@ -13,6 +13,12 @@ import { debugLog, isDebugNs } from '@socketsecurity/lib/debug'
 import { validateFiles } from '@socketsecurity/lib/fs'
 import { jsonParse } from '@socketsecurity/lib/json/parse'
 import { getOwn, isObjectObject } from '@socketsecurity/lib/objects'
+import {
+  ArrayIsArray,
+  ErrorCtor,
+  StringPrototypeTrim,
+  TypeErrorCtor,
+} from '@socketsecurity/lib/primordials'
 import { pRetry } from '@socketsecurity/lib/promises'
 import { setMaxEventTargetListeners } from '@socketsecurity/lib/suppress-warnings'
 import { urlSearchParamAsBoolean } from '@socketsecurity/lib/url'
@@ -144,14 +150,14 @@ export class SocketSdk {
     // Input validation for API token.
     const MAX_API_TOKEN_LENGTH = 1024
     if (typeof apiToken !== 'string') {
-      throw new TypeError('"apiToken" is required and must be a string')
+      throw new TypeErrorCtor('"apiToken" is required and must be a string')
     }
-    const trimmedToken = apiToken.trim()
+    const trimmedToken = StringPrototypeTrim(apiToken)
     if (!trimmedToken) {
-      throw new Error('"apiToken" cannot be empty or whitespace-only')
+      throw new ErrorCtor('"apiToken" cannot be empty or whitespace-only')
     }
     if (trimmedToken.length > MAX_API_TOKEN_LENGTH) {
-      throw new Error(
+      throw new ErrorCtor(
         `"apiToken" exceeds maximum length of ${MAX_API_TOKEN_LENGTH} characters`,
       )
     }
@@ -177,7 +183,7 @@ export class SocketSdk {
         timeout < MIN_HTTP_TIMEOUT ||
         timeout > MAX_HTTP_TIMEOUT
       ) {
-        throw new TypeError(
+        throw new TypeErrorCtor(
           `"timeout" must be a number between ${MIN_HTTP_TIMEOUT} and ${MAX_HTTP_TIMEOUT} milliseconds`,
         )
       }
@@ -252,7 +258,7 @@ export class SocketSdk {
     // Validate response before processing.
     /* c8 ignore next 3 - c8 ignored: because #executeWithRetry always returns a value or throws; res is never undefined in practice */
     if (!res) {
-      throw new Error('Failed to get response from batch PURL request')
+      throw new ErrorCtor('Failed to get response from batch PURL request')
     }
     // Parse the newline delimited JSON response.
     const isPublicToken = this.#apiToken === SOCKET_PUBLIC_API_TOKEN
@@ -330,15 +336,15 @@ export class SocketSdk {
 
       const preview = responseText.slice(0, 100) || ''
       return {
-        cause: `Please report this. JSON.parse threw an error over the following response: \`${preview.trim()}${responseText.length > 100 ? '…' : ''}\``,
+        cause: `Please report this. JSON.parse threw an error over the following response: \`${StringPrototypeTrim(preview)}${responseText.length > 100 ? '…' : ''}\``,
         data: undefined,
         error: 'Server returned invalid JSON',
         status: 0,
         success: false,
       }
     }
 
-    const errStr = e ? String(e).trim() : ''
+    const errStr = e ? StringPrototypeTrim(String(e)) : ''
     return {
       cause: errStr || UNKNOWN_ERROR,
       data: undefined,
@@ -386,7 +392,7 @@ export class SocketSdk {
     })
     /* c8 ignore next 3 - c8 ignored: because pRetry always returns a value or throws; undefined is only possible if the abort signal fires between attempts, which requires precise timing */
     if (result === undefined) {
-      throw new Error('Request aborted')
+      throw new ErrorCtor('Request aborted')
     }
     return result
   }
@@ -480,14 +486,14 @@ export class SocketSdk {
       }
     }
     if (!(error instanceof ResponseError)) {
-      throw new Error('Unexpected Socket API error', {
+      throw new ErrorCtor('Unexpected Socket API error', {
         cause: error,
       })
     }
     const { status: statusCode } = error.response
     // Throw server errors (5xx) immediately - these are not recoverable client-side.
     if (statusCode && statusCode >= 500) {
-      throw new Error(`Socket API server error (${statusCode})`, {
+      throw new ErrorCtor(`Socket API server error (${statusCode})`, {
         cause: error,
       })
     }
@@ -523,7 +529,8 @@ export class SocketSdk {
     let errorMessage =
       error.message ??
       /* c8 ignore next - fallback for missing error message */ UNKNOWN_ERROR
-    const trimmedBody = body?.trim()
+    const trimmedBody =
+      body !== undefined ? StringPrototypeTrim(body) : undefined
     if (trimmedBody && !errorMessage.includes(trimmedBody)) {
       // Replace generic status message with actual error body if present,
       // otherwise append the body to the error message.
@@ -656,7 +663,7 @@ export class SocketSdk {
     }
 
     // Handle array of values (take first).
-    const value = Array.isArray(retryAfterValue)
+    const value = ArrayIsArray(retryAfterValue)
       ? retryAfterValue[0]
       : retryAfterValue
 
@@ -748,7 +755,7 @@ export class SocketSdk {
     // Validate response before processing.
     /* c8 ignore next 3 - c8 ignored: because #executeWithRetry always returns a value or throws; res is never undefined in practice */
     if (!res) {
-      throw new Error('Failed to get response from batch PURL request')
+      throw new ErrorCtor('Failed to get response from batch PURL request')
     }
     // Parse the newline delimited JSON response.
     const results: SocketArtifact[] = []
@@ -795,7 +802,7 @@ export class SocketSdk {
     // Validate response before processing.
     /* c8 ignore next 3 - c8 ignored: because #executeWithRetry always returns a value or throws; res is never undefined in practice */
     if (!res) {
-      throw new Error('Failed to get response from batch PURL request')
+      throw new ErrorCtor('Failed to get response from batch PURL request')
     }
     // Parse the newline delimited JSON response.
     const isPublicToken = this.#apiToken === SOCKET_PUBLIC_API_TOKEN
@@ -2066,7 +2073,7 @@ export class SocketSdk {
         '→ Verify: The blob hash is correct.',
         '→ Note: Blob URLs may expire after a certain time period.',
       ].join('\n')
-      throw new Error(message)
+      throw new ErrorCtor(message)
     }
     if (res.status !== 200) {
       const message = [
@@ -2078,7 +2085,7 @@ export class SocketSdk {
           ? '→ Try: Retry the download after a short delay.'
           : '→ Verify: The blob hash and URL are correct.',
       ].join('\n')
-      throw new Error(message)
+      throw new ErrorCtor(message)
     }
 
     return res.text()
@@ -4400,7 +4407,7 @@ export class SocketSdk {
       return data as PatchViewResponse
     } catch (e) {
       const result = await this.#handleApiError<never>(e)
-      throw new Error(result.error, { cause: result.cause })
+      throw new ErrorCtor(result.error, { cause: result.cause })
     }
   }
 }