refactor: migrate to @socketsecurity/lib/primordials #623
Merged
John-David Dalton (jdalton) merged 1 commit into main on Apr 27, 2026
Conversation
Swaps direct global usage for primordials across the SDK source.
Primordials capture references to JavaScript built-ins (Object.keys,
Array.prototype.map, JSON.parse, ...) at module load time, before
user code can tamper with prototypes or globals — a hardening tool
for code that processes adversarial input.
Bumps @socketsecurity/lib 5.24.0 → 5.25.1 to pick up the
@socketsecurity/lib/primordials surface (added in 5.25.0).
Sites converted (audit found none remaining):
src/constants.ts
new Set(...) → new SetCtor(...)
new Map<...>(...) → new MapCtor(...) with type annotation
src/http-client.ts
Date.now() → DateNow() (9 sites)
new Set(...) → new SetCtor(...)
str.trim() → StringPrototypeTrim(str)
src/quota-utils.ts
new Error(...) → new ErrorCtor(...) (5 sites)
src/socket-sdk-class.ts
new Error(...) → new ErrorCtor(...) (12 sites)
new TypeError(...) → new TypeErrorCtor(...) (2 sites)
Array.isArray(x) → ArrayIsArray(x)
str.trim() → StringPrototypeTrim(str) (4 sites)
src/utils.ts
s.toLowerCase() → StringPrototypeToLowerCase(s)
new Set(...) → new SetCtor(...)
str.trim() → StringPrototypeTrim(str) (multiple)
str.endsWith(...) → StringPrototypeEndsWith(str, ...)
Promise.withResolvers → PromiseWithResolvers (with cast for generics)
new URLSearchParams(...) → new URLSearchParamsCtor(...) (2 sites)
src/utils/header-sanitization.ts
Array.isArray(x) → ArrayIsArray(x) (2 sites)
key.toLowerCase() → StringPrototypeToLowerCase(key)
prim audit: surface complete (no gaps), 0 sites remain.
prim audit run: `node /path/to/socket-lib/tools/prim/bin/prim.mts audit --target . --dir src`
Verification:
pnpm install ✓
pnpm run check --all ✓ (lint + typecheck pass)
pnpm test ✓ 565/565 tests pass
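To show what the migration buys, here is an added TypeScript illustration of the primordials pattern. It is example code written for this page, not the @socketsecurity/lib/primordials implementation and not the SDK's own source. The helper uncurryThis, the functions normalizeHeaderDirect, normalizeHeaderPrimordial, isListDirect, isListPrimordial and demoTampering, and the simulated tampering are all invented for the example; the captured names (StringPrototypeTrim, ArrayIsArray, ...) only mirror the naming convention the PR describes.

```typescript
// Added illustration of the primordials pattern (example code, not the
// @socketsecurity/lib/primordials implementation). The idea: copy references
// to built-ins into module-level constants at load time, and call built-ins
// only through those constants, so later tampering with globals or prototypes
// has no effect on this module.

// Captured at module load, before any untrusted code has had a chance to run.
const ReflectApply = Reflect.apply;
const ArrayIsArray = Array.isArray;

// Turn a prototype method into a plain function that takes the receiver
// first, so StringPrototypeTrim(s) never performs a property lookup on s.
function uncurryThis<T, A extends unknown[], R>(
  fn: (this: T, ...args: A) => R,
): (thisArg: T, ...args: A) => R {
  return (thisArg: T, ...args: A): R => ReflectApply(fn, thisArg, args);
}

const StringPrototypeTrim = uncurryThis(String.prototype.trim);
const StringPrototypeToLowerCase = uncurryThis(String.prototype.toLowerCase);

// Two versions of the same header-name normalisation: one resolves methods on
// the global prototype at call time, the other uses the captured references.
function normalizeHeaderDirect(name: string): string {
  return name.trim().toLowerCase();
}

function normalizeHeaderPrimordial(name: string): string {
  return StringPrototypeToLowerCase(StringPrototypeTrim(name));
}

function isListDirect(v: unknown): boolean {
  return Array.isArray(v);
}

function isListPrimordial(v: unknown): boolean {
  return ArrayIsArray(v);
}

// Simulate hostile code that loads later (e.g. a compromised dependency) and
// tampers with a prototype method and a global, then compare both versions.
// The tampering is constructed for this example and is undone afterwards.
function demoTampering(): {
  direct: { header: string; isList: boolean };
  primordial: { header: string; isList: boolean };
} {
  const originalTrim = String.prototype.trim;
  const originalIsArray = Array.isArray;
  try {
    // Hostile override: trim() now appends a second, injected header name.
    String.prototype.trim = (function (this: string): string {
      return ReflectApply(originalTrim, this, []) + "\r\nX-Injected: 1";
    }) as typeof String.prototype.trim;
    // Hostile override: every value is reported as not being an array.
    Array.isArray = ((_v: unknown): _v is unknown[] => false) as typeof Array.isArray;

    const input = "  Authorization  "; // constructed sample input
    return {
      direct: { header: normalizeHeaderDirect(input), isList: isListDirect([1]) },
      primordial: {
        header: normalizeHeaderPrimordial(input),
        isList: isListPrimordial([1]),
      },
    };
  } finally {
    String.prototype.trim = originalTrim;
    Array.isArray = originalIsArray;
  }
}
```

After the tampering, the direct version returns the poisoned "authorization\r\nx-injected: 1" and reports that an array is not a list, while the primordial version still returns "authorization" and true. Two caveats a practitioner should keep in mind: the captured references only help against tampering that happens after this module loads, so the primordials module must be imported before any untrusted code runs; and capturing a constructor (new SetCtor(...)) protects only the construction, since later calls such as set.has(...) on the instance are still prototype lookups unless the methods are captured and uncurried too.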
John-David Dalton (jdalton), author: bugbot run
Bill Li (billxinli) approved these changes, Apr 27, 2026
Audit
Used prim audit (the socket-lib/tools/prim tool): `node /path/to/socket-lib/tools/prim/bin/prim.mts audit --target . --dir src`
Initial audit: 20 sites across 7 files, 11 distinct primordials, surface complete (no gaps: every primordial sdk-js needs is already in @socketsecurity/lib/primordials). After conversion: 0 sites remain.
Note: prim audit reports unique-per-block sites. Manually swept all instances of each pattern within touched files for full coverage.
Test plan
Ctor suffix correctly when type-annotated; MapCtor cast inline where generic type args are needed)