@socketsecurity/lib 5.6.0 → 5.7.0

package/CHANGELOG.md

@@ -5,6 +5,69 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.7.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.7.0) - 2026-02-12
+
+### Added
+
+- **env**: Added `isInEnv()` helper function to check if an environment variable key exists, regardless of its value
+  - Returns `true` even for empty strings, `"false"`, `"0"`, etc.
+  - Follows same override resolution order as `getEnvValue()` (isolated overrides → shared overrides → process.env)
+  - Useful for detecting presence of environment variables independent of their value
+
+- **dlx**: Added new exported helper functions
+  - `downloadBinaryFile()` - Downloads a binary file from a URL to the dlx cache directory
+  - `ensurePackageInstalled()` - Ensures an npm package is installed and cached via Arborist
+  - `getBinaryCacheMetadataPath()` - Gets the file path to dlx binary cache metadata (`.dlx-metadata.json`)
+  - `isBinaryCacheValid()` - Checks if a cached dlx binary is still valid based on TTL and timestamp
+  - `makePackageBinsExecutable()` - Makes npm package binaries executable on Unix systems
+  - `parsePackageSpec()` - Parses npm package spec strings (e.g., `pkg@1.0.0`) into name and version
+  - `resolveBinaryPath()` - Resolves the absolute path to a binary within an installed package
+  - `writeBinaryCacheMetadata()` - Writes dlx binary cache metadata with integrity, size, and source info
+
+- **releases**: Added `createAssetMatcher()` utility function for GitHub release asset pattern matching
+  - Creates matcher functions that test strings against glob patterns, prefix/suffix, or RegExp
+  - Used for dynamic asset discovery in GitHub releases (e.g., matching platform-specific binaries)
+
+### Changed
+
+- **env**: Updated `getCI()` to use `isInEnv()` for more accurate CI detection
+  - Now returns `true` whenever the `CI` key exists in the environment, not just when truthy
+  - Matches standard CI detection behavior where the presence of the key (not its value) indicates a CI environment
+
+### Fixed
+
+- **github**: Fixed JSON parsing crash vulnerability by adding try-catch around `JSON.parse()` in GitHub API responses
+  - Prevents crashes on malformed, incomplete, or binary responses
+  - Error messages now include the response URL for better debugging
+
+- **dlx/binary**: Fixed clock skew vulnerabilities in cache validation
+  - Cache entries with future timestamps (clock skew) are now treated as expired
+  - Metadata writes now use atomic write-then-rename pattern to prevent corruption
+  - Added TOCTOU race protection by re-checking binary existence after metadata read
+
+- **dlx/cache cleanup**: Fixed handling of future timestamps during cache cleanup
+  - Entries with future timestamps (due to clock skew) are now properly treated as expired
+
+- **dlx/package**: Fixed scoped package parsing bug where `@scope/package` was incorrectly parsed
+  - Changed condition from `startsWith('@')` to `atIndex === 0` for more precise detection
+  - Fixes installation failures for scoped packages like `@socketregistry/lib`
+
+- **cache-with-ttl**: Added clock skew detection to TTL cache
+  - Far-future `expiresAt` values (>2x TTL) are now treated as expired
+  - Protects against cache poisoning from clock skew
+
+- **packages/specs**: Fixed unconditional `.git` truncation in Git URL parsing
+  - Now only removes `.git` suffix when URL actually ends with `.git`
+  - Prevents incorrect truncation of URLs containing `.git` in the middle
+
+- **releases/github**: Fixed TOCTOU race condition in binary download verification
+  - Re-checks binary existence after reading version file
+  - Ensures binary is re-downloaded if missing despite version file presence
+
+- **provenance**: Fixed incorrect package name in provenance workflow
+  - Changed from `@socketregistry/lib` to `@socketsecurity/lib`
+
+
 ## [5.6.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.6.0) - 2026-02-08
 
 ### Added
@@ -811,7 +874,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
-- **DLX binary metadata structure**: Updated `writeMetadata()` to use unified schema with additional fields
+- **DLX binary metadata structure**: Updated `writeBinaryCacheMetadata()` to use unified schema with additional fields
   - Now includes `cache_key` (first 16 chars of SHA-512 hash)
   - Added `size` field for cached binary size
   - Added `checksum_algorithm` field (currently "sha256")

package/dist/cache-with-ttl.js

@@ -54,7 +54,11 @@ function createTtlCache(options) {
     return `${opts.prefix}:${key}`;
   }
   function isExpired(entry) {
-    return Date.now() > entry.expiresAt;
+    const now = Date.now();
+    if (entry.expiresAt > now + ttl * 2) {
+      return true;
+    }
+    return now > entry.expiresAt;
   }
   function createMatcher(pattern) {
     const fullPattern = buildKey(pattern);

package/dist/dlx/binary.d.ts

@@ -123,6 +123,12 @@ export declare function downloadBinary(options: Omit<DlxBinaryOptions, 'spawnOpt
     binaryPath: string;
     downloaded: boolean;
 }>;
+/**
+ * Download a file from a URL with integrity checking and concurrent download protection.
+ * Uses processLock to prevent multiple processes from downloading the same binary simultaneously.
+ * Internal helper function for downloading binary files.
+ */
+export declare function downloadBinaryFile(url: string, destPath: string, integrity?: string | undefined): Promise<string>;
 /**
  * Execute a cached binary without re-downloading.
  * Similar to executePackage from dlx-package.
@@ -141,6 +147,14 @@ export declare function executeBinary(binaryPath: string, args: readonly string[
  * Uses same directory as dlx-package for unified DLX storage.
  */
 export declare function getDlxCachePath(): string;
+/**
+ * Get metadata file path for a cached binary.
+ */
+export declare function getBinaryCacheMetadataPath(cacheEntryPath: string): string;
+/**
+ * Check if a cached binary is still valid.
+ */
+export declare function isBinaryCacheValid(cacheEntryPath: string, cacheTtl: number): Promise<boolean>;
 /**
  * Get information about cached binaries.
  */
@@ -151,3 +165,9 @@ export declare function listDlxCache(): Promise<Array<{
     size: number;
     url: string;
 }>>;
+/**
+ * Write metadata for a cached binary.
+ * Uses unified schema shared with C++ decompressor and CLI dlxBinary.
+ * Schema documentation: See DlxMetadata interface in this file (exported).
+ */
+export declare function writeBinaryCacheMetadata(cacheEntryPath: string, cacheKey: string, url: string, integrity: string, size: number): Promise<void>;

package/dist/dlx/binary.js

@@ -22,9 +22,13 @@ __export(binary_exports, {
   cleanDlxCache: () => cleanDlxCache,
   dlxBinary: () => dlxBinary,
   downloadBinary: () => downloadBinary,
+  downloadBinaryFile: () => downloadBinaryFile,
   executeBinary: () => executeBinary,
+  getBinaryCacheMetadataPath: () => getBinaryCacheMetadataPath,
   getDlxCachePath: () => getDlxCachePath,
-  listDlxCache: () => listDlxCache
+  isBinaryCacheValid: () => isBinaryCacheValid,
+  listDlxCache: () => listDlxCache,
+  writeBinaryCacheMetadata: () => writeBinaryCacheMetadata
 });
 module.exports = __toCommonJS(binary_exports);
 var import_platform = require("../constants/platform");
@@ -61,95 +65,6 @@ function getPath() {
   }
   return _path;
 }
-function getMetadataPath(cacheEntryPath) {
-  return (/* @__PURE__ */ getPath()).join(cacheEntryPath, ".dlx-metadata.json");
-}
-async function isCacheValid(cacheEntryPath, cacheTtl) {
-  const fs = /* @__PURE__ */ getFs();
-  try {
-    const metaPath = getMetadataPath(cacheEntryPath);
-    if (!fs.existsSync(metaPath)) {
-      return false;
-    }
-    const metadata = await (0, import_fs.readJson)(metaPath, { throws: false });
-    if (!(0, import_objects.isObjectObject)(metadata)) {
-      return false;
-    }
-    const now = Date.now();
-    const timestamp = metadata["timestamp"];
-    if (typeof timestamp !== "number" || timestamp <= 0) {
-      return false;
-    }
-    const age = now - timestamp;
-    return age < cacheTtl;
-  } catch {
-    return false;
-  }
-}
-async function downloadBinaryFile(url, destPath, integrity) {
-  const crypto = /* @__PURE__ */ getCrypto();
-  const fs = /* @__PURE__ */ getFs();
-  const path = /* @__PURE__ */ getPath();
-  const cacheEntryDir = path.dirname(destPath);
-  const lockPath = path.join(cacheEntryDir, "concurrency.lock");
-  return await import_process_lock.processLock.withLock(
-    lockPath,
-    async () => {
-      if (fs.existsSync(destPath)) {
-        const stats = await fs.promises.stat(destPath);
-        if (stats.size > 0) {
-          const fileBuffer2 = await fs.promises.readFile(destPath);
-          const hash2 = crypto.createHash("sha512").update(fileBuffer2).digest("base64");
-          return `sha512-${hash2}`;
-        }
-      }
-      try {
-        await (0, import_http_request.httpDownload)(url, destPath);
-      } catch (e) {
-        throw new Error(
-          `Failed to download binary from ${url}
-Destination: ${destPath}
-Check your internet connection or verify the URL is accessible.`,
-          { cause: e }
-        );
-      }
-      const fileBuffer = await fs.promises.readFile(destPath);
-      const hash = crypto.createHash("sha512").update(fileBuffer).digest("base64");
-      const actualIntegrity = `sha512-${hash}`;
-      if (integrity && actualIntegrity !== integrity) {
-        await (0, import_fs.safeDelete)(destPath);
-        throw new Error(
-          `Integrity mismatch: expected ${integrity}, got ${actualIntegrity}`
-        );
-      }
-      if (!import_platform.WIN32) {
-        await fs.promises.chmod(destPath, 493);
-      }
-      return actualIntegrity;
-    },
-    {
-      // Align with npm npx locking strategy.
-      staleMs: 5e3,
-      touchIntervalMs: 2e3
-    }
-  );
-}
-async function writeMetadata(cacheEntryPath, cacheKey, url, integrity, size) {
-  const metaPath = getMetadataPath(cacheEntryPath);
-  const metadata = {
-    version: "1.0.0",
-    cache_key: cacheKey,
-    timestamp: Date.now(),
-    integrity,
-    size,
-    source: {
-      type: "download",
-      url
-    }
-  };
-  const fs = /* @__PURE__ */ getFs();
-  await fs.promises.writeFile(metaPath, JSON.stringify(metadata, null, 2));
-}
 async function cleanDlxCache(maxAge = import_time.DLX_BINARY_CACHE_TTL) {
   const cacheDir = getDlxCachePath();
   const fs = /* @__PURE__ */ getFs();
@@ -162,7 +77,7 @@ async function cleanDlxCache(maxAge = import_time.DLX_BINARY_CACHE_TTL) {
   const entries = await fs.promises.readdir(cacheDir);
   for (const entry of entries) {
     const entryPath = path.join(cacheDir, entry);
-    const metaPath = getMetadataPath(entryPath);
+    const metaPath = getBinaryCacheMetadataPath(entryPath);
     try {
       if (!await (0, import_fs.isDir)(entryPath)) {
         continue;
@@ -173,7 +88,7 @@ async function cleanDlxCache(maxAge = import_time.DLX_BINARY_CACHE_TTL) {
       }
       const timestamp = metadata["timestamp"];
       const age = typeof timestamp === "number" && timestamp > 0 ? now - timestamp : Number.POSITIVE_INFINITY;
-      if (age > maxAge) {
+      if (age < 0 || age > maxAge) {
         await (0, import_fs.safeDelete)(entryPath, { force: true, recursive: true });
         cleaned += 1;
       }
@@ -211,12 +126,15 @@ async function dlxBinary(args, options, spawnExtra) {
   const binaryPath = (0, import_normalize.normalizePath)(path.join(cacheEntryDir, binaryName));
   let downloaded = false;
   let computedIntegrity = integrity;
-  if (!force && fs.existsSync(cacheEntryDir) && await isCacheValid(cacheEntryDir, cacheTtl)) {
+  if (!force && fs.existsSync(cacheEntryDir) && await isBinaryCacheValid(cacheEntryDir, cacheTtl)) {
     try {
-      const metaPath = getMetadataPath(cacheEntryDir);
+      const metaPath = getBinaryCacheMetadataPath(cacheEntryDir);
       const metadata = await (0, import_fs.readJson)(metaPath, { throws: false });
       if (metadata && typeof metadata === "object" && !Array.isArray(metadata) && typeof metadata["integrity"] === "string") {
         computedIntegrity = metadata["integrity"];
+        if (!fs.existsSync(binaryPath)) {
+          downloaded = true;
+        }
       } else {
         downloaded = true;
       }
@@ -252,7 +170,7 @@ Ensure the filesystem is writable or set SOCKET_DLX_DIR to a writable location.`
     }
     computedIntegrity = await downloadBinaryFile(url, binaryPath, integrity);
     const stats = await fs.promises.stat(binaryPath);
-    await writeMetadata(
+    await writeBinaryCacheMetadata(
       cacheEntryDir,
       cacheKey,
       url,
@@ -293,7 +211,7 @@ async function downloadBinary(options) {
   const cacheEntryDir = path.join(cacheDir, cacheKey);
   const binaryPath = (0, import_normalize.normalizePath)(path.join(cacheEntryDir, binaryName));
   let downloaded = false;
-  if (!force && fs.existsSync(cacheEntryDir) && await isCacheValid(cacheEntryDir, cacheTtl)) {
+  if (!force && fs.existsSync(cacheEntryDir) && await isBinaryCacheValid(cacheEntryDir, cacheTtl)) {
     downloaded = false;
   } else {
     try {
@@ -325,7 +243,7 @@ Ensure the filesystem is writable or set SOCKET_DLX_DIR to a writable location.`
       integrity
     );
     const stats = await fs.promises.stat(binaryPath);
-    await writeMetadata(
+    await writeBinaryCacheMetadata(
       cacheEntryDir,
       cacheKey,
       url,
@@ -339,6 +257,54 @@ Ensure the filesystem is writable or set SOCKET_DLX_DIR to a writable location.`
     downloaded
   };
 }
+async function downloadBinaryFile(url, destPath, integrity) {
+  const crypto = /* @__PURE__ */ getCrypto();
+  const fs = /* @__PURE__ */ getFs();
+  const path = /* @__PURE__ */ getPath();
+  const cacheEntryDir = path.dirname(destPath);
+  const lockPath = path.join(cacheEntryDir, "concurrency.lock");
+  return await import_process_lock.processLock.withLock(
+    lockPath,
+    async () => {
+      if (fs.existsSync(destPath)) {
+        const stats = await fs.promises.stat(destPath);
+        if (stats.size > 0) {
+          const fileBuffer2 = await fs.promises.readFile(destPath);
+          const hash2 = crypto.createHash("sha512").update(fileBuffer2).digest("base64");
+          return `sha512-${hash2}`;
+        }
+      }
+      try {
+        await (0, import_http_request.httpDownload)(url, destPath);
+      } catch (e) {
+        throw new Error(
+          `Failed to download binary from ${url}
+Destination: ${destPath}
+Check your internet connection or verify the URL is accessible.`,
+          { cause: e }
+        );
+      }
+      const fileBuffer = await fs.promises.readFile(destPath);
+      const hash = crypto.createHash("sha512").update(fileBuffer).digest("base64");
+      const actualIntegrity = `sha512-${hash}`;
+      if (integrity && actualIntegrity !== integrity) {
+        await (0, import_fs.safeDelete)(destPath);
+        throw new Error(
+          `Integrity mismatch: expected ${integrity}, got ${actualIntegrity}`
+        );
+      }
+      if (!import_platform.WIN32) {
+        await fs.promises.chmod(destPath, 493);
+      }
+      return actualIntegrity;
+    },
+    {
+      // Align with npm npx locking strategy.
+      staleMs: 5e3,
+      touchIntervalMs: 2e3
+    }
+  );
+}
 function executeBinary(binaryPath, args, spawnOptions, spawnExtra) {
   const needsShell = import_platform.WIN32 && /\.(?:bat|cmd|ps1)$/i.test(binaryPath);
   const path = /* @__PURE__ */ getPath();
@@ -356,6 +322,34 @@ function executeBinary(binaryPath, args, spawnOptions, spawnExtra) {
 function getDlxCachePath() {
   return (0, import_socket.getSocketDlxDir)();
 }
+function getBinaryCacheMetadataPath(cacheEntryPath) {
+  return (/* @__PURE__ */ getPath()).join(cacheEntryPath, ".dlx-metadata.json");
+}
+async function isBinaryCacheValid(cacheEntryPath, cacheTtl) {
+  const fs = /* @__PURE__ */ getFs();
+  try {
+    const metaPath = getBinaryCacheMetadataPath(cacheEntryPath);
+    if (!fs.existsSync(metaPath)) {
+      return false;
+    }
+    const metadata = await (0, import_fs.readJson)(metaPath, { throws: false });
+    if (!(0, import_objects.isObjectObject)(metadata)) {
+      return false;
+    }
+    const now = Date.now();
+    const timestamp = metadata["timestamp"];
+    if (typeof timestamp !== "number" || timestamp <= 0) {
+      return false;
+    }
+    const age = now - timestamp;
+    if (age < 0) {
+      return false;
+    }
+    return age < cacheTtl;
+  } catch {
+    return false;
+  }
+}
 async function listDlxCache() {
   const cacheDir = getDlxCachePath();
   const fs = /* @__PURE__ */ getFs();
@@ -372,7 +366,7 @@ async function listDlxCache() {
       if (!await (0, import_fs.isDir)(entryPath)) {
         continue;
       }
-      const metaPath = getMetadataPath(entryPath);
+      const metaPath = getBinaryCacheMetadataPath(entryPath);
       const metadata = await (0, import_fs.readJson)(metaPath, { throws: false });
       if (!metadata || typeof metadata !== "object" || Array.isArray(metadata)) {
         continue;
@@ -398,12 +392,34 @@ async function listDlxCache() {
   }
   return results;
 }
+async function writeBinaryCacheMetadata(cacheEntryPath, cacheKey, url, integrity, size) {
+  const metaPath = getBinaryCacheMetadataPath(cacheEntryPath);
+  const metadata = {
+    version: "1.0.0",
+    cache_key: cacheKey,
+    timestamp: Date.now(),
+    integrity,
+    size,
+    source: {
+      type: "download",
+      url
+    }
+  };
+  const fs = /* @__PURE__ */ getFs();
+  const tmpPath = `${metaPath}.tmp.${process.pid}`;
+  await fs.promises.writeFile(tmpPath, JSON.stringify(metadata, null, 2));
+  await fs.promises.rename(tmpPath, metaPath);
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   cleanDlxCache,
   dlxBinary,
   downloadBinary,
+  downloadBinaryFile,
   executeBinary,
+  getBinaryCacheMetadataPath,
   getDlxCachePath,
-  listDlxCache
+  isBinaryCacheValid,
+  listDlxCache,
+  writeBinaryCacheMetadata
 });

package/dist/dlx/detect.d.ts

@@ -5,6 +5,14 @@ export interface ExecutableDetectionResult {
     packageJsonPath?: string;
     inDlxCache?: boolean;
 }
+/**
+ * Detect executable type for paths in DLX cache.
+ * Uses filesystem structure (node_modules/ presence).
+ *
+ * @param filePath - Path within DLX cache (~/.socket/_dlx/)
+ * @returns Detection result
+ */
+export declare function detectDlxExecutableType(filePath: string): ExecutableDetectionResult;
 /**
  * Detect if a path is a Node.js package or native binary executable.
  * Works for both DLX cache paths and local filesystem paths.
@@ -27,14 +35,6 @@ export interface ExecutableDetectionResult {
  * ```
  */
 export declare function detectExecutableType(filePath: string): ExecutableDetectionResult;
-/**
- * Detect executable type for paths in DLX cache.
- * Uses filesystem structure (node_modules/ presence).
- *
- * @param filePath - Path within DLX cache (~/.socket/_dlx/)
- * @returns Detection result
- */
-export declare function detectDlxExecutableType(filePath: string): ExecutableDetectionResult;
 /**
  * Detect executable type for local filesystem paths.
  * Uses package.json and file extension checks.

package/dist/dlx/detect.js

@@ -46,11 +46,19 @@ function getPath() {
   return _path;
 }
 const NODE_JS_EXTENSIONS = /* @__PURE__ */ new Set([".js", ".mjs", ".cjs"]);
-function detectExecutableType(filePath) {
-  if ((0, import_paths.isInSocketDlx)(filePath)) {
-    return detectDlxExecutableType(filePath);
+function findPackageJson(filePath) {
+  const fs = /* @__PURE__ */ getFs();
+  const path = /* @__PURE__ */ getPath();
+  let currentDir = path.dirname(path.resolve(filePath));
+  const root = path.parse(currentDir).root;
+  while (currentDir !== root) {
+    const packageJsonPath = path.join(currentDir, "package.json");
+    if (fs.existsSync(packageJsonPath)) {
+      return packageJsonPath;
+    }
+    currentDir = path.dirname(currentDir);
   }
-  return detectLocalExecutableType(filePath);
+  return void 0;
 }
 function detectDlxExecutableType(filePath) {
   const fs = /* @__PURE__ */ getFs();
@@ -73,6 +81,12 @@ function detectDlxExecutableType(filePath) {
     inDlxCache: true
   };
 }
+function detectExecutableType(filePath) {
+  if ((0, import_paths.isInSocketDlx)(filePath)) {
+    return detectDlxExecutableType(filePath);
+  }
+  return detectLocalExecutableType(filePath);
+}
 function detectLocalExecutableType(filePath) {
   const fs = /* @__PURE__ */ getFs();
   const packageJsonPath = findPackageJson(filePath);
@@ -103,20 +117,6 @@ function detectLocalExecutableType(filePath) {
     inDlxCache: false
   };
 }
-function findPackageJson(filePath) {
-  const fs = /* @__PURE__ */ getFs();
-  const path = /* @__PURE__ */ getPath();
-  let currentDir = path.dirname(path.resolve(filePath));
-  const root = path.parse(currentDir).root;
-  while (currentDir !== root) {
-    const packageJsonPath = path.join(currentDir, "package.json");
-    if (fs.existsSync(packageJsonPath)) {
-      return packageJsonPath;
-    }
-    currentDir = path.dirname(currentDir);
-  }
-  return void 0;
-}
 function isJsFilePath(filePath) {
   const path = /* @__PURE__ */ getPath();
   const ext = path.extname(filePath).toLowerCase();

package/dist/dlx/manifest.d.ts

@@ -41,18 +41,6 @@ export interface ManifestEntry {
     timestamp: number;
     details: PackageDetails | BinaryDetails;
 }
-/**
- * Type guard for package entries.
- */
-export declare function isPackageEntry(entry: ManifestEntry): entry is ManifestEntry & {
-    details: PackageDetails;
-};
-/**
- * Type guard for binary entries.
- */
-export declare function isBinaryEntry(entry: ManifestEntry): entry is ManifestEntry & {
-    details: BinaryDetails;
-};
 /**
  * Legacy store record format (deprecated, for migration).
  */
@@ -67,6 +55,18 @@ export interface DlxManifestOptions {
      */
     manifestPath?: string;
 }
+/**
+ * Type guard for binary entries.
+ */
+export declare function isBinaryEntry(entry: ManifestEntry): entry is ManifestEntry & {
+    details: BinaryDetails;
+};
+/**
+ * Type guard for package entries.
+ */
+export declare function isPackageEntry(entry: ManifestEntry): entry is ManifestEntry & {
+    details: PackageDetails;
+};
 /**
  * DLX manifest storage manager with atomic operations.
  * Supports both legacy format (package name keys) and new unified manifest format (spec keys).
@@ -77,47 +77,48 @@ export declare class DlxManifest {
     constructor(options?: DlxManifestOptions);
     /**
      * Read the entire manifest file.
+     * @private
      */
     private readManifest;
+    private writeManifest;
     /**
-     * Get a manifest entry by spec (e.g., "@socketsecurity/cli@^2.0.11").
+     * Clear cached data for a specific entry.
      */
-    getManifestEntry(spec: string): ManifestEntry | undefined;
+    clear(name: string): Promise<void>;
+    /**
+     * Clear all cached data.
+     */
+    clearAll(): Promise<void>;
     /**
      * Get cached update information for a package (legacy format).
      * @deprecated Use getManifestEntry() for new code.
      */
     get(name: string): StoreRecord | undefined;
     /**
-     * Set a package manifest entry.
+     * Get all cached package names.
      */
-    setPackageEntry(spec: string, cacheKey: string, details: PackageDetails): Promise<void>;
+    getAllPackages(): string[];
     /**
-     * Set a binary manifest entry.
+     * Get a manifest entry by spec (e.g., "@socketsecurity/cli@^2.0.11").
      */
-    setBinaryEntry(spec: string, cacheKey: string, details: BinaryDetails): Promise<void>;
-    private writeManifest;
+    getManifestEntry(spec: string): ManifestEntry | undefined;
+    /**
+     * Check if cached data is fresh based on TTL.
+     */
+    isFresh(record: StoreRecord | undefined, ttlMs: number): boolean;
     /**
      * Store update information for a package (legacy format).
      * @deprecated Use setPackageEntry() for new code.
      */
     set(name: string, record: StoreRecord): Promise<void>;
     /**
-     * Clear cached data for a specific entry.
-     */
-    clear(name: string): Promise<void>;
-    /**
-     * Clear all cached data.
-     */
-    clearAll(): Promise<void>;
-    /**
-     * Check if cached data is fresh based on TTL.
+     * Set a binary manifest entry.
      */
-    isFresh(record: StoreRecord | undefined, ttlMs: number): boolean;
+    setBinaryEntry(spec: string, cacheKey: string, details: BinaryDetails): Promise<void>;
     /**
-     * Get all cached package names.
+     * Set a package manifest entry.
      */
-    getAllPackages(): string[];
+    setPackageEntry(spec: string, cacheKey: string, details: PackageDetails): Promise<void>;
 }
 // Export singleton instance using default manifest location.
 export declare const dlxManifest: DlxManifest;