update, text, response

node_modules/resolve/.eslintrc

@@ -13,8 +13,8 @@
         "func-name-matching": 0,
         "func-style": 0,
         "global-require": 1,
-        "id-length": [2, { "min": 1, "max": 30 }],
-        "max-lines": [2, 350],
+        "id-length": [2, { "min": 1, "max": 40 }],
+        "max-lines": [2, 360],
         "max-lines-per-function": 0,
         "max-nested-callbacks": 0,
         "max-params": 0,

node_modules/resolve/.github/INCIDENT_RESPONSE_PROCESS.md

@@ -0,0 +1,119 @@
+# Incident Response Process for **resolve**
+
+## Reporting a Vulnerability
+
+We take the security of **resolve** very seriously. If you believe you’ve found a security vulnerability, please inform us responsibly through coordinated disclosure.
+
+### How to Report
+
+> **Do not** report security vulnerabilities through public GitHub issues, discussions, or social media.
+
+Instead, please use one of these secure channels:
+
+1. **GitHub Security Advisories**
+   Use the **Report a vulnerability** button in the Security tab of the [browserify/resolve repository](https://github.com/browserify/resolve).
+
+2. **Email**
+   Follow the posted [Security Policy](https://github.com/browserify/resolve/security/policy).
+
+### What to Include
+
+**Required Information:**
+- Brief description of the vulnerability type
+- Affected version(s) and components
+- Steps to reproduce the issue
+- Impact assessment (what an attacker could achieve)
+- Confirm the issue is not present in test files (in other words, only via the official entry points in `exports`)
+
+**Helpful Additional Details:**
+- Full paths of affected source files
+- Specific commit or branch where the issue exists
+- Required configuration to reproduce
+- Proof-of-concept code (if available)
+- Suggested mitigation or fix
+
+## Our Response Process
+
+**Timeline Commitments:**
+- **Initial acknowledgment**: Within 24 hours
+- **Detailed response**: Within 3 business days
+- **Status updates**: Every 7 days until resolved
+- **Resolution target**: 90 days for most issues
+
+**What We’ll Do:**
+1. Acknowledge your report and assign a tracking ID
+2. Assess the vulnerability and determine severity
+3. Develop and test a fix
+4. Coordinate disclosure timeline with you
+5. Release a security update and publish an advisory and CVE
+6. Credit you in our security advisory (if desired)
+
+## Disclosure Policy
+
+- **Coordinated disclosure**: We’ll work with you on timing
+- **Typical timeline**: 90 days from report to public disclosure
+- **Early disclosure**: If actively exploited
+- **Delayed disclosure**: For complex issues
+
+## Scope
+
+**In Scope:**
+- **resolve** package (all supported versions)
+- Official examples and documentation
+- Core resolution APIs
+- Dependencies with direct security implications
+
+**Out of Scope:**
+- Third-party wrappers or extensions
+- Bundler-specific integrations
+- Social engineering or physical attacks
+- Theoretical vulnerabilities without practical exploitation
+- Issues in non-production files
+
+## Security Measures
+
+**Our Commitments:**
+- Regular vulnerability scanning via `npm audit`
+- Automated security checks in CI/CD (GitHub Actions)
+- Secure coding practices and mandatory code review
+- Prompt patch releases for critical issues
+
+**User Responsibilities:**
+- Keep **resolve** updated
+- Monitor dependency vulnerabilities
+- Follow secure configuration guidelines for module resolution
+
+## Legal Safe Harbor
+
+**We will NOT:**
+- Initiate legal action
+- Contact law enforcement
+- Suspend or terminate your access
+
+**You must:**
+- Only test against your own installations
+- Not access, modify, or delete user data
+- Not degrade service availability
+- Not publicly disclose before coordinated disclosure
+- Act in good faith
+
+## Recognition
+
+- **Advisory Credits**: Credit in GitHub Security Advisories (unless anonymous)
+
+## Security Updates
+
+**Stay Informed:**
+- Subscribe to npm updates for **resolve**
+- Enable GitHub Security Advisory notifications
+
+**Update Process:**
+- Patch releases (e.g., 1.22.10 → 1.22.11)
+- Out-of-band releases for critical issues
+- Advisories via GitHub Security Advisories
+
+## Contact Information
+
+- **Security reports**: Security tab of [browserify/resolve](https://github.com/browserify/resolve/security)
+- **General inquiries**: GitHub Discussions or Issues
+

node_modules/resolve/.github/THREAT_MODEL.md

@@ -0,0 +1,74 @@
+## Threat Model for resolve (module path resolution library)
+
+### 1. Library Overview
+
+- **Library Name:** resolve
+- **Brief Description:** Implements Node.js `require.resolve()` algorithm for synchronous and asynchronous file path resolution. Used to locate modules and files in Node.js projects.
+- **Key Public APIs/Functions:** `resolve.sync()` / `resolve/sync`, `resolve()` / `resolve/async`
+
+### 2. Define Scope
+
+This threat model focuses on the core path resolution algorithm, including filesystem interaction, option handling, and cache management.
+
+### 3. Conceptual System Diagram
+
+```
+Caller Application → resolve(id, options) → Resolution Algorithm → File System
+                           │
+                           └→ Options Handling
+                           └→ Cache System
+```
+
+**Trust Boundaries:**
+- **Input module IDs:** May come from untrusted sources (user input, configuration)
+- **Filesystem access:** The library interacts with the filesystem to resolve paths
+- **Options:** Provided by the caller
+- **Cache:** Used to improve performance, but could be a vector for tampering or information disclosure if not handled securely
+
+### 4. Identify Assets
+
+- **Integrity of resolution output:** Ensure correct and safe file path matching.
+- **Confidentiality of configuration:** Prevent sensitive path information from being leaked.
+- **Availability/performance for host application:** Prevent crashes or resource exhaustion.
+- **Security of host application:** Prevent path traversal or unintended filesystem access.
+- **Reputation of library:** Maintain trust by avoiding supply chain attacks and vulnerabilities[1][3][4].
+
+### 5. Identify Threats
+
+| Component / API / Interaction                       | S  | T  | R  | I  | D  | E  |
+|-----------------------------------------------------|----|----|----|----|----|----|
+| Public API Call (`resolve/async`, `resolve/sync`)   | ✓  | ✓  | –  | ✓  | –  | –  |
+| Filesystem Access                                   | –  | ✓  | –  | ✓  | ✓  | –  |
+| Options Handling                                    | ✓  | ✓  | –  | ✓  | –  | –  |
+| Cache System                                        | –  | ✓  | –  | ✓  | –  | –  |
+
+**Key Threats:**
+- **Spoofing:** Malicious module IDs mimicking legitimate packages, or spoofing configuration options[1].
+- **Tampering:** Caller-provided paths altering resolution order, or cache tampering leading to incorrect results[1][4].
+- **Information Disclosure:** Error messages revealing filesystem structure or sensitive paths[1].
+- **Denial of Service:** Recursive or excessive resolution exhausting filesystem handles or causing application crashes[1].
+- **Path Traversal:** Malicious input allowing access to files outside the intended directory[4].
+
+### 6. Mitigation/Countermeasures
+
+| Threat Identified                          | Proposed Mitigation |
+|--------------------------------------------|---------------------|
+| Spoofing (malicious module IDs/config)     | Sanitize input IDs; validate against known patterns; restrict `basedir` to app-controlled paths[1][4]. |
+| Tampering (path traversal, cache)          | Validate input IDs for directory escapes; secure cache reads/writes; restrict cache to trusted sources[1][4]. |
+| Information Disclosure (error messages)    | Generic "not found" errors without internal paths; avoid exposing sensitive configuration in errors[1]. |
+| Denial of Service (resource exhaustion)    | Limit recursive resolution depth; implement timeout; monitor for excessive filesystem operations[1]. |
+
+### 7. Risk Ranking
+
+- **High:** Path traversal via malicious IDs (if not properly mitigated)
+- **Medium:** Cache tampering or spoofing (if cache is not secured)
+- **Low:** Information disclosure in errors (if error handling is generic)
+
+### 8. Next Steps & Review
+
+1. **Implement input sanitization for module IDs and configuration.**
+2. **Add resolution depth limiting and timeout.**
+3. **Audit cache handling for race conditions and tampering.**
+4. **Regularly review dependencies for vulnerabilities.**
+5. **Keep documentation and threat model up to date.**
+6. **Monitor for new threats as the ecosystem and library evolve[1][3].**

node_modules/resolve/SECURITY.md

@@ -1,3 +1,11 @@
 # Security
 
-Please email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.
+Please file a private vulnerability via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report.
+
+## Incident Response
+
+See our [Incident Response Process](.github/INCIDENT_RESPONSE_PROCESS.md).
+
+## Threat Model
+
+See [THREAT_MODEL.md](./THREAT_MODEL.md).

node_modules/resolve/bin/resolve

@@ -11,7 +11,7 @@ if (
         !process.argv
         || process.argv.length < 2
         || (process.argv[1] !== __filename && fs.statSync(process.argv[1]).ino !== fs.statSync(__filename).ino)
-        || (process.env._ && path.resolve(process.env._) !== __filename)
+        || (process.env.npm_lifecycle_event !== 'npx' && process.env._ && fs.realpathSync(path.resolve(process.env._)) !== __filename)
     )
 ) {
     console.error('Error: `resolve` must be run directly as an executable');

node_modules/resolve/lib/async.js

@@ -8,6 +8,10 @@ var isCore = require('is-core-module');
 
 var realpathFS = process.platform !== 'win32' && fs.realpath && typeof fs.realpath.native === 'function' ? fs.realpath.native : fs.realpath;
 
+var relativePathRegex = /^(?:\.\.?(?:\/|$)|\/|([A-Za-z]:)?[/\\])/;
+var windowsDriveRegex = /^\w:[/\\]*$/;
+var nodeModulesRegex = /[/\\]node_modules[/\\]*$/;
+
 var homedir = getHomedir();
 var defaultPaths = function () {
     return [
@@ -124,10 +128,10 @@ module.exports = function resolve(x, options, callback) {
 
     var res;
     function init(basedir) {
-        if ((/^(?:\.\.?(?:\/|$)|\/|([A-Za-z]:)?[/\\])/).test(x)) {
+        if (relativePathRegex.test(x)) {
             res = path.resolve(basedir, x);
             if (x === '.' || x === '..' || x.slice(-1) === '/') res += '/';
-            if ((/\/$/).test(x) && res === basedir) {
+            if (x.slice(-1) === '/' && res === basedir) {
                 loadAsDirectory(res, opts.package, onfile);
             } else loadAsFile(res, opts.package, onfile);
         } else if (includeCoreModules && isCore(x)) {
@@ -215,10 +219,10 @@ module.exports = function resolve(x, options, callback) {
 
     function loadpkg(dir, cb) {
         if (dir === '' || dir === '/') return cb(null);
-        if (process.platform === 'win32' && (/^\w:[/\\]*$/).test(dir)) {
+        if (process.platform === 'win32' && windowsDriveRegex.test(dir)) {
             return cb(null);
         }
-        if ((/[/\\]node_modules[/\\]*$/).test(dir)) return cb(null);
+        if (nodeModulesRegex.test(dir)) return cb(null);
 
         maybeRealpath(realpath, dir, opts, function (unwrapErr, pkgdir) {
             if (unwrapErr) return loadpkg(path.dirname(dir), cb);

node_modules/resolve/lib/core.json

@@ -89,7 +89,9 @@
 	"node:readline/promises": ">= 17",
 	"repl": true,
 	"node:repl": [">= 14.18 && < 15", ">= 16"],
+	"node:sea": [">= 20.12 && < 21", ">= 21.7"],
 	"smalloc": ">= 0.11.5 && < 3",
+	"node:sqlite": [">= 22.13 && < 23", ">= 23.4"],
 	"_stream_duplex": ">= 0.9.4",
 	"node:_stream_duplex": [">= 14.18 && < 15", ">= 16"],
 	"_stream_transform": ">= 0.9.4",
@@ -116,6 +118,8 @@
 	"node:sys": [">= 14.18 && < 15", ">= 16"],
 	"test/reporters": ">= 19.9 && < 20.2",
 	"node:test/reporters": [">= 18.17 && < 19", ">= 19.9", ">= 20"],
+	"test/mock_loader": ">= 22.3 && < 22.7",
+	"node:test/mock_loader": ">= 22.3 && < 22.7",
 	"node:test": [">= 16.17 && < 17", ">= 18"],
 	"timers": true,
 	"node:timers": [">= 14.18 && < 15", ">= 16"],

node_modules/resolve/lib/node-modules-paths.js

@@ -1,11 +1,14 @@
 var path = require('path');
 var parse = path.parse || require('path-parse'); // eslint-disable-line global-require
 
+var driveLetterRegex = /^([A-Za-z]:)/;
+var uncPathRegex = /^\\\\/;
+
 var getNodeModulesDirs = function getNodeModulesDirs(absoluteStart, modules) {
     var prefix = '/';
-    if ((/^([A-Za-z]:)/).test(absoluteStart)) {
+    if (driveLetterRegex.test(absoluteStart)) {
         prefix = '';
-    } else if ((/^\\\\/).test(absoluteStart)) {
+    } else if (uncPathRegex.test(absoluteStart)) {
         prefix = '\\\\';
     }
 

node_modules/resolve/lib/sync.js

@@ -8,6 +8,10 @@ var normalizeOptions = require('./normalize-options');
 
 var realpathFS = process.platform !== 'win32' && fs.realpathSync && typeof fs.realpathSync.native === 'function' ? fs.realpathSync.native : fs.realpathSync;
 
+var relativePathRegex = /^(?:\.\.?(?:\/|$)|\/|([A-Za-z]:)?[/\\])/;
+var windowsDriveRegex = /^\w:[/\\]*$/;
+var nodeModulesRegex = /[/\\]node_modules[/\\]*$/;
+
 var homedir = getHomedir();
 var defaultPaths = function () {
     return [
@@ -96,7 +100,7 @@ module.exports = function resolveSync(x, options) {
     // ensure that `basedir` is an absolute path at this point, resolving against the process' current working directory
     var absoluteStart = maybeRealpathSync(realpathSync, path.resolve(basedir), opts);
 
-    if ((/^(?:\.\.?(?:\/|$)|\/|([A-Za-z]:)?[/\\])/).test(x)) {
+    if (relativePathRegex.test(x)) {
         var res = path.resolve(absoluteStart, x);
         if (x === '.' || x === '..' || x.slice(-1) === '/') res += '/';
         var m = loadAsFileSync(res) || loadAsDirectorySync(res);
@@ -137,10 +141,10 @@ module.exports = function resolveSync(x, options) {
 
     function loadpkg(dir) {
         if (dir === '' || dir === '/') return;
-        if (process.platform === 'win32' && (/^\w:[/\\]*$/).test(dir)) {
+        if (process.platform === 'win32' && windowsDriveRegex.test(dir)) {
             return;
         }
-        if ((/[/\\]node_modules[/\\]*$/).test(dir)) return;
+        if (nodeModulesRegex.test(dir)) return;
 
         var pkgfile = path.join(maybeRealpathSync(realpathSync, dir, opts), 'package.json');
 

node_modules/resolve/package.json

@@ -1,10 +1,10 @@
 {
 	"name": "resolve",
 	"description": "resolve like require.resolve() on behalf of files asynchronously and synchronously",
-	"version": "1.22.4",
+	"version": "1.22.11",
 	"repository": {
 		"type": "git",
-		"url": "git://github.com/browserify/resolve.git"
+		"url": "ssh://github.com/browserify/resolve.git"
 	},
 	"bin": {
 		"resolve": "./bin/resolve"
@@ -26,26 +26,25 @@
 		"tests-only": "tape test/*.js",
 		"pretest": "npm run lint",
 		"test": "npm run --silent tests-only",
-		"posttest": "npm run test:multirepo && aud --production",
+		"posttest": "npm run test:multirepo && npx npm@'>= 10.2' audit --production",
 		"test:multirepo": "cd ./test/resolver/multirepo && npm install && npm test"
 	},
 	"devDependencies": {
-		"@ljharb/eslint-config": "^21.1.0",
-		"array.prototype.map": "^1.0.5",
-		"aud": "^2.0.3",
+		"@ljharb/eslint-config": "^21.2.0",
+		"array.prototype.map": "^1.0.8",
 		"copy-dir": "^1.3.0",
 		"eclint": "^2.8.1",
 		"eslint": "=8.8.0",
 		"in-publish": "^2.0.1",
 		"mkdirp": "^0.5.5",
 		"mv": "^2.1.1",
-		"npmignore": "^0.3.0",
+		"npmignore": "^0.3.1",
 		"object-keys": "^1.1.1",
 		"rimraf": "^2.7.1",
 		"safe-publish-latest": "^2.0.0",
 		"semver": "^6.3.1",
 		"tap": "0.4.13",
-		"tape": "^5.6.6",
+		"tape": "^5.9.0",
 		"tmp": "^0.0.31"
 	},
 	"license": "MIT",
@@ -58,14 +57,19 @@
 		"url": "https://github.com/sponsors/ljharb"
 	},
 	"dependencies": {
-		"is-core-module": "^2.13.0",
+		"is-core-module": "^2.16.1",
 		"path-parse": "^1.0.7",
 		"supports-preserve-symlinks-flag": "^1.0.0"
 	},
 	"publishConfig": {
 		"ignore": [
 			".github/workflows",
-			"appveyor.yml"
+			"appveyor.yml",
+			"test/resolver/malformed_package_json",
+			"test/list-exports"
 		]
+	},
+	"engines": {
+		"node": ">= 0.4"
 	}
 }

node_modules/resolve/test/resolver.js

@@ -1,4 +1,5 @@
 var path = require('path');
+var fs = require('fs');
 var test = require('tape');
 var resolve = require('../');
 var async = require('../async');
@@ -539,14 +540,15 @@ test('absolute paths', function (t) {
     });
 });
 
-test('malformed package.json', function (t) {
+var malformedDir = path.join(__dirname, 'resolver/malformed_package_json');
+test('malformed package.json', { skip: !fs.existsSync(malformedDir) }, function (t) {
     /* eslint operator-linebreak: ["error", "before"], function-paren-newline: "off" */
     t.plan(
         (3 * 3) // 3 sets of 3 assertions in the final callback
         + 2 // 1 readPackage call with malformed package.json
     );
 
-    var basedir = path.join(__dirname, 'resolver/malformed_package_json');
+    var basedir = malformedDir;
     var expected = path.join(basedir, 'index.js');
 
     resolve('./index.js', { basedir: basedir }, function (err, res, pkg) {

node_modules/resolve/test/resolver/malformed_package_json/package.json

@@ -1 +0,0 @@
-{

node_modules/resolve/test/resolver/multirepo/package.json

@@ -1,5 +1,5 @@
 {
-  "name": "monorepo-symlink-test",
+  "name": "ljharb-monorepo-symlink-test",
   "private": true,
   "version": "0.0.0",
   "description": "",

node_modules/resolve/test/resolver_sync.js

@@ -8,6 +8,9 @@ var sync = require('../sync');
 var requireResolveSupportsPaths = require.resolve.length > 1
     && !(/^v12\.[012]\./).test(process.version); // broken in v12.0-12.2, see https://github.com/nodejs/node/issues/27794
 
+var requireResolveDefaultPathsBroken = (/^v8\.9\.|^v9\.[01]\.0|^v9\.2\./).test(process.version);
+// broken in node v8.9.x, v9.0, v9.1, v9.2.x. see https://github.com/nodejs/node/pull/17113
+
 test('`./sync` entry point', function (t) {
     t.equal(resolve.sync, sync, '`./sync` entry point is the same as `.sync` on `main`');
     t.end();
@@ -75,7 +78,7 @@ test('bar', function (t) {
         path.join(dir, 'bar/node_modules/foo/index.js'),
         'foo in bar'
     );
-    if (requireResolveSupportsPaths) {
+    if (!requireResolveDefaultPathsBroken && requireResolveSupportsPaths) {
         t.equal(
             resolve.sync('foo', { basedir: basedir }),
             require.resolve('foo', { paths: [basedir] }),
@@ -125,7 +128,7 @@ test('biz', function (t) {
         resolve.sync('tiv', { basedir: tivDir }),
         path.join(dir, 'tiv/index.js')
     );
-    if (requireResolveSupportsPaths) {
+    if (!requireResolveDefaultPathsBroken && requireResolveSupportsPaths) {
         t.equal(
             resolve.sync('tiv', { basedir: tivDir }),
             require.resolve('tiv', { paths: [tivDir] }),
@@ -138,7 +141,7 @@ test('biz', function (t) {
         resolve.sync('grux', { basedir: gruxDir }),
         path.join(dir, 'grux/index.js')
     );
-    if (requireResolveSupportsPaths) {
+    if (!requireResolveDefaultPathsBroken && requireResolveSupportsPaths) {
         t.equal(
             resolve.sync('grux', { basedir: gruxDir }),
             require.resolve('grux', { paths: [gruxDir] }),
@@ -667,10 +670,11 @@ test('absolute paths', function (t) {
     t.end();
 });
 
-test('malformed package.json', function (t) {
+var malformedDir = path.join(__dirname, 'resolver/malformed_package_json');
+test('malformed package.json', { skip: !fs.existsSync(malformedDir) }, function (t) {
     t.plan(5 + (requireResolveSupportsPaths ? 1 : 0));
 
-    var basedir = path.join(__dirname, 'resolver/malformed_package_json');
+    var basedir = malformedDir;
     var expected = path.join(basedir, 'index.js');
 
     t.equal(