@socketsecurity/lib 5.11.0 → 5.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/CHANGELOG.md +9 -0
  2. package/dist/dlx/binary.d.ts +13 -1
  3. package/dist/dlx/binary.js +12 -4
  4. package/package.json +3 -3
package/CHANGELOG.md CHANGED
@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [5.11.1](https://github.com/SocketDev/socket-lib/releases/tag/v5.11.1) - 2026-03-24
9
+
10
+ ### Added
11
+
12
+ - **dlx/binary**: Added `sha256` option to `dlxBinary()`, `downloadBinary()`, and `downloadBinaryFile()`
13
+ - Enables SHA-256 checksum verification for binary downloads via httpDownload
14
+ - Verification happens during download (fails early if checksum mismatches)
15
+ - Complements existing `integrity` option (SRI sha512 format, verified post-download)
16
+
8
17
  ## [5.11.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.11.0) - 2026-03-23
9
18
 
10
19
  ### Added
package/dist/dlx/binary.d.ts CHANGED
@@ -13,6 +13,12 @@ export interface DlxBinaryOptions {
13
13
  * Expected SRI integrity hash (sha512-<base64>) for verification.
14
14
  */
15
15
  integrity?: string | undefined;
16
+ /**
17
+ * Expected SHA-256 hex checksum for verification.
18
+ * Passed to httpDownload for inline verification during download.
19
+ * This is more secure than post-download verification as it fails early.
20
+ */
21
+ sha256?: string | undefined;
16
22
  /**
17
23
  * Cache TTL in milliseconds (default: 7 days).
18
24
  */
@@ -127,8 +133,14 @@ export declare function downloadBinary(options: Omit<DlxBinaryOptions, 'spawnOpt
127
133
  * Download a file from a URL with integrity checking and concurrent download protection.
128
134
  * Uses processLock to prevent multiple processes from downloading the same binary simultaneously.
129
135
  * Internal helper function for downloading binary files.
136
+ *
137
+ * Supports two integrity verification methods:
138
+ * - sha256: Hex SHA-256 checksum (verified inline during download via httpDownload)
139
+ * - integrity: SRI format sha512-<base64> (verified post-download)
140
+ *
141
+ * The sha256 option is preferred as it fails early during download if the checksum doesn't match.
130
142
  */
131
- export declare function downloadBinaryFile(url: string, destPath: string, integrity?: string | undefined): Promise<string>;
143
+ export declare function downloadBinaryFile(url: string, destPath: string, integrity?: string | undefined, sha256?: string | undefined): Promise<string>;
132
144
  /**
133
145
  * Execute a cached binary without re-downloading.
134
146
  * Similar to executePackage from dlx-package.
package/dist/dlx/binary.js CHANGED
@@ -111,6 +111,7 @@ async function dlxBinary(args, options, spawnExtra) {
111
111
  force: userForce = false,
112
112
  integrity,
113
113
  name,
114
+ sha256,
114
115
  spawnOptions,
115
116
  url,
116
117
  yes
@@ -168,7 +169,12 @@ Ensure the filesystem is writable or set SOCKET_DLX_DIR to a writable location.`
168
169
  { cause: e }
169
170
  );
170
171
  }
171
- computedIntegrity = await downloadBinaryFile(url, binaryPath, integrity);
172
+ computedIntegrity = await downloadBinaryFile(
173
+ url,
174
+ binaryPath,
175
+ integrity,
176
+ sha256
177
+ );
172
178
  const stats = await fs.promises.stat(binaryPath);
173
179
  await writeBinaryCacheMetadata(
174
180
  cacheEntryDir,
@@ -200,6 +206,7 @@ async function downloadBinary(options) {
200
206
  force = false,
201
207
  integrity,
202
208
  name,
209
+ sha256,
203
210
  url
204
211
  } = { __proto__: null, ...options };
205
212
  const fs = /* @__PURE__ */ getFs();
@@ -240,7 +247,8 @@ Ensure the filesystem is writable or set SOCKET_DLX_DIR to a writable location.`
240
247
  const computedIntegrity = await downloadBinaryFile(
241
248
  url,
242
249
  binaryPath,
243
- integrity
250
+ integrity,
251
+ sha256
244
252
  );
245
253
  const stats = await fs.promises.stat(binaryPath);
246
254
  await writeBinaryCacheMetadata(
@@ -257,7 +265,7 @@ Ensure the filesystem is writable or set SOCKET_DLX_DIR to a writable location.`
257
265
  downloaded
258
266
  };
259
267
  }
260
- async function downloadBinaryFile(url, destPath, integrity) {
268
+ async function downloadBinaryFile(url, destPath, integrity, sha256) {
261
269
  const crypto = /* @__PURE__ */ getCrypto();
262
270
  const fs = /* @__PURE__ */ getFs();
263
271
  const path = /* @__PURE__ */ getPath();
@@ -275,7 +283,7 @@ async function downloadBinaryFile(url, destPath, integrity) {
275
283
  }
276
284
  }
277
285
  try {
278
- await (0, import_http_request.httpDownload)(url, destPath);
286
+ await (0, import_http_request.httpDownload)(url, destPath, sha256 ? { sha256 } : void 0);
279
287
  } catch (e) {
280
288
  throw new Error(
281
289
  `Failed to download binary from ${url}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@socketsecurity/lib",
3
- "version": "5.11.0",
4
- "packageManager": "pnpm@10.32.1",
3
+ "version": "5.11.1",
4
+ "packageManager": "pnpm@10.33.0",
5
5
  "license": "MIT",
6
6
  "description": "Core utilities and infrastructure for Socket.dev security tools",
7
7
  "keywords": [
@@ -734,7 +734,7 @@
734
734
  "@socketregistry/is-unicode-supported": "1.0.5",
735
735
  "@socketregistry/packageurl-js": "1.3.5",
736
736
  "@socketregistry/yocto-spinner": "1.0.25",
737
- "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.9.0",
737
+ "@socketsecurity/lib-stable": "npm:@socketsecurity/lib@5.11.0",
738
738
  "@types/node": "24.9.2",
739
739
  "@typescript/native-preview": "7.0.0-dev.20250920.1",
740
740
  "@vitest/coverage-v8": "4.0.3",