chore(release): 5.27.1

Patch over 5.27.0 to ship the publishConfig pinning that landed on
main earlier today. No source-code changes; the publishConfig adds
attestation as a property of the package manifest instead of a
property of the workflow's --provenance CLI flag, so emergency
local publishes (or any future direct path) get provenance for
free.

Notes from the prim audit (`node tools/prim/bin/prim.mts audit
--target . --dir src --coverage`):
  - 12 source-level migration candidates surfaced (StringPrototype-
    TrimEnd, RegExpEscape, ObjectAssign, etc.). All are .ts source
    rewrites that prim mod refuses to auto-apply (.js only). Held
    for a separate review-and-migrate PR rather than rolled into
    this patch — none are correctness issues.

Author: jdalton

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.27.1](https://github.com/SocketDev/socket-lib/releases/tag/v5.27.1) - 2026-05-01
+
+### Changed
+
+- `package.json` — pin `publishConfig: {access: "public", provenance: true}` so attestation is a property of the package, not a property of the workflow's `--provenance` CLI flag. Survives any direct-publish path that bypasses `provenance.yml`. `access: "public"` also load-bears for first-publish of `@scoped` packages on a fresh npm registry session.
+
 ## [5.27.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.27.0) - 2026-05-01
 
 ### Added

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.27.0",
+  "version": "5.27.1",
   "packageManager": "pnpm@11.0.3",
   "license": "MIT",
   "publishConfig": {