fix: address security and documentation issues

jdalton · jdalton · commit 0955c7fc3342 · 2026-02-11T23:14:57.000-05:00
- Fix complex TOCTOU race in dlx/binary.ts by re-checking binary existence after metadata read
- Fix incorrect package name in provenance workflow (@socketregistry/lib → @socketsecurity/lib)
- Remove outdated src/index.ts reference from CLAUDE.md (file was removed in previous release)
- Update lint.mjs example to use src/logger.ts instead of non-existent src/index.ts
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
@@ -24,6 +24,6 @@ jobs:
     uses: SocketDev/socket-registry/.github/workflows/provenance.yml@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
     with:
       debug: ${{ inputs.debug }}
-      package-name: '@socketregistry/lib'
+      package-name: '@socketsecurity/lib'
       setup-script: 'pnpm run build'
       use-trusted-publishing: true
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -357,10 +357,9 @@ Use `pnpm run build:watch` or `pnpm run dev` for development with automatic rebu
 1. Create utility in appropriate `src/` subdirectory
 2. Use path aliases for internal imports
 3. Add type definitions
-4. Add to `src/index.ts` if public API
-5. Update `package.json` exports if direct export needed
-6. Add tests in `test/` matching structure
-7. Update types and build
+4. Update `package.json` exports if direct export needed
+5. Add tests in `test/` matching structure
+6. Update types and build
 
 ### Common Patterns
 
diff --git a/scripts/lint.mjs b/scripts/lint.mjs
@@ -416,7 +416,7 @@ async function main() {
       logger.log('  pnpm lint --fix             # Fix issues in changed files')
       logger.log('  pnpm lint --all             # Lint all files')
       logger.log('  pnpm lint --staged --fix    # Fix issues in staged files')
-      logger.log('  pnpm lint src/index.ts      # Lint specific file(s)')
+      logger.log('  pnpm lint src/logger.ts     # Lint specific file(s)')
       process.exitCode = 0
       return
     }
diff --git a/src/dlx/binary.ts b/src/dlx/binary.ts
@@ -302,6 +302,11 @@ export async function dlxBinary(
         computedIntegrity = (metadata as Record<string, unknown>)[
           'integrity'
         ] as string
+        // Re-check binary exists after reading metadata (TOCTOU protection).
+        // Prevents race where binary is deleted between validity check and use.
+        if (!fs.existsSync(binaryPath)) {
+          downloaded = true
+        }
       } else {
         // If metadata is invalid, re-download.
         downloaded = true

Original file line number	Diff line number	Diff line change
`@@ -416,7 +416,7 @@ async function main() {`
`416`	`416`	`logger.log(' pnpm lint --fix # Fix issues in changed files')`
`417`	`417`	`logger.log(' pnpm lint --all # Lint all files')`
`418`	`418`	`logger.log(' pnpm lint --staged --fix # Fix issues in staged files')`
`419`		`- logger.log(' pnpm lint src/index.ts # Lint specific file(s)')`
	`419`	`+ logger.log(' pnpm lint src/logger.ts # Lint specific file(s)')`
`420`	`420`	`process.exitCode = 0`
`421`	`421`	`return`
`422`	`422`	`}`