Releases: SocketDev/socket-lib

v5.7.0

12 Feb 22:48

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

5.7.0 - 2026-02-12

Added

  • env: Added isInEnv() helper function that checks whether an environment variable key exists, regardless of its value

    • Returns true even for empty strings, "false", "0", etc.
    • Follows same override resolution order as getEnvValue() (isolated overrides → shared overrides → process.env)
    • Useful for detecting presence of environment variables independent of their value
  • dlx: Added new exported helper functions

    • downloadBinaryFile() - Downloads a binary file from a URL to the dlx cache directory
    • ensurePackageInstalled() - Ensures an npm package is installed and cached via Arborist
    • getBinaryCacheMetadataPath() - Gets the file path to dlx binary cache metadata (.dlx-metadata.json)
    • isBinaryCacheValid() - Checks if a cached dlx binary is still valid based on TTL and timestamp
    • makePackageBinsExecutable() - Makes npm package binaries executable on Unix systems
    • parsePackageSpec() - Parses npm package spec strings (e.g., pkg@1.0.0) into name and version
    • resolveBinaryPath() - Resolves the absolute path to a binary within an installed package
    • writeBinaryCacheMetadata() - Writes dlx binary cache metadata with integrity, size, and source info
  • releases: Added createAssetMatcher() utility function for GitHub release asset pattern matching

    • Creates matcher functions that test strings against glob patterns, prefix/suffix, or RegExp
    • Used for dynamic asset discovery in GitHub releases (e.g., matching platform-specific binaries)

Changed

  • env: Updated getCI() to use isInEnv() for more accurate CI detection
    • Now returns true whenever the CI key exists in the environment, not just when truthy
    • Matches standard CI detection behavior where the presence of the key (not its value) indicates a CI environment
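The presence-versus-value distinction behind isInEnv() and the new getCI(), as an added example that is not socket-lib's own code. It models the lookup order the notes describe (isolated overrides → shared overrides → process.env) with plain Maps; the EnvStore class, the truthiness rules of the contrasting value-based check, and the sample environments are assumptions.

```javascript
// Added example, not socket-lib's own code. Models the lookup order the notes
// describe (isolated overrides -> shared overrides -> process.env) with plain Maps;
// the EnvStore class and the old value-based rules are assumptions.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

class EnvStore {
  constructor(processEnv = process.env) {
    this.processEnv = processEnv;
    this.sharedOverrides = new Map();   // visible to every caller
    this.isolatedOverrides = new Map(); // highest priority, e.g. per-test overrides
  }

  getEnvValue(key) {
    if (this.isolatedOverrides.has(key)) return this.isolatedOverrides.get(key);
    if (this.sharedOverrides.has(key)) return this.sharedOverrides.get(key);
    return hasOwn(this.processEnv, key) ? this.processEnv[key] : undefined;
  }

  // Presence check: true as soon as the key exists at any layer, whatever its value.
  isInEnv(key) {
    return (
      this.isolatedOverrides.has(key) ||
      this.sharedOverrides.has(key) ||
      hasOwn(this.processEnv, key)
    );
  }
}

// Truthiness parsing of a value-based check, kept only for contrast (assumed rules).
function envAsBoolean(value) {
  if (value === undefined) return false;
  const v = String(value).trim().toLowerCase();
  return v !== '' && v !== '0' && v !== 'false';
}

// Value-based detection: CI=false or CI= (empty) is reported as "not CI".
function getCIByValue(env) {
  return envAsBoolean(env.getEnvValue('CI'));
}

// 5.7.0 behaviour: the presence of the CI key is what marks a CI environment.
function getCI(env) {
  return env.isInEnv('CI');
}
```

Detection logic that keys on presence is what CI providers expect: a runner that exports CI with an empty value is still a CI runner, and the override layers let tests pin the answer without touching process.env.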

Fixed

  • github: Fixed JSON parsing crash vulnerability by adding try-catch around JSON.parse() in GitHub API responses

    • Prevents crashes on malformed, incomplete, or binary responses
    • Error messages now include the response URL for better debugging
  • dlx/binary: Fixed clock skew vulnerabilities in cache validation

    • Cache entries with future timestamps (clock skew) are now treated as expired
    • Metadata writes now use atomic write-then-rename pattern to prevent corruption
    • Added TOCTOU race protection by re-checking binary existence after metadata read
  • dlx/cache cleanup: Fixed handling of future timestamps during cache cleanup

    • Entries with future timestamps (due to clock skew) are now properly treated as expired
  • dlx/package: Fixed scoped package parsing bug where @scope/package was incorrectly parsed

    • Changed condition from startsWith('@') to atIndex === 0 for more precise detection
    • Fixes installation failures for scoped packages like @socketregistry/lib
  • cache-with-ttl: Added clock skew detection to TTL cache

    • Far-future expiresAt values (>2x TTL) are now treated as expired
    • Protects against cache poisoning from clock skew
  • packages/specs: Fixed unconditional .git truncation in Git URL parsing

    • Now only removes .git suffix when URL actually ends with .git
    • Prevents incorrect truncation of URLs containing .git in the middle
  • releases/github: Fixed TOCTOU race condition in binary download verification

    • Re-checks binary existence after reading version file
    • Ensures binary is re-downloaded if missing despite version file presence
  • provenance: Fixed incorrect package name in provenance workflow

    • Changed from @socketregistry/lib to @socketsecurity/lib

5.6.0 - 2026-02-08

Added

  • http-request: Added automatic default headers for JSON and text requests
    • httpJson() now automatically sets Accept: application/json header
    • httpJson() automatically sets Content-Type: application/json when body is present
    • httpText() now automatically sets Accept: text/plain header
    • httpText() automatically sets Content-Type: text/plain when body is present
    • User-provided headers always override defaults
    • Simplifies API usage - no need to manually set common headers

Changed

  • http-request: Renamed HTTP helper functions to support all HTTP methods (BREAKING CHANGE)
    • httpGetJson() → httpJson() - Now supports GET, POST, PUT, DELETE, PATCH, etc.
    • httpGetText() → httpText() - Now supports all HTTP methods via method option
    • Functions now accept method parameter in options (defaults to 'GET')
    • More flexible API that matches modern fetch-style conventions
    • Migration: Replace httpGetJson() calls with httpJson() and httpGetText() with httpText()

Fixed

  • http-request: Fixed Content-Type header incorrectly sent with empty string body
    • Empty string body ("") no longer triggers Content-Type header
    • Changed condition from if (body !== undefined) to if (body) for semantic correctness
    • Empty string represents "no content" and should not declare a Content-Type
    • Affects httpJson() and httpText() functions
    • Fixes potential API compatibility issues with servers expecting no Content-Type for empty bodies
    • Added comprehensive test coverage for empty string edge case
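How the 5.6.0 default headers and the empty-body rule fit together, as an added example that is not socket-lib's own implementation. It derives the Accept and Content-Type defaults for JSON and text requests, applies the `if (body)` condition so that undefined, null and '' all mean "no content", and lets caller headers override the defaults. The prepareJsonRequest()/prepareTextRequest() names, the case-insensitive header override, and the sample URL are assumptions; no network call is made.

```javascript
// Added example, not socket-lib's own implementation: default request headers
// for JSON and text requests per the 5.6.0 notes. Names and the case-insensitive
// override handling are assumptions.

const MIME_TYPES = { json: 'application/json', text: 'text/plain' };

function buildRequestHeaders(kind, { body, headers = {} } = {}) {
  const mime = MIME_TYPES[kind];
  if (!mime) throw new TypeError(`unknown request kind: ${kind}`);
  const result = { Accept: mime };
  // `if (body)`: undefined, null and '' all mean "no content", so no Content-Type.
  if (body) result['Content-Type'] = mime;
  // User-provided headers always win; compare names case-insensitively so that a
  // caller's 'content-type' replaces the default instead of duplicating it.
  for (const [name, value] of Object.entries(headers)) {
    for (const existing of Object.keys(result)) {
      if (existing.toLowerCase() === name.toLowerCase()) delete result[existing];
    }
    result[name] = value;
  }
  return result;
}

// Assemble what a fetch-style call would send; nothing is transmitted here.
function prepareRequest(kind, url, options = {}) {
  const { method = 'GET', body, headers } = options;
  const serialized =
    kind === 'json' && body != null && typeof body !== 'string'
      ? JSON.stringify(body)
      : body;
  return {
    url,
    method: method.toUpperCase(),
    headers: buildRequestHeaders(kind, { body: serialized, headers }),
    body: serialized,
  };
}

function prepareJsonRequest(url, options) {
  return prepareRequest('json', url, options);
}

function prepareTextRequest(url, options) {
  return prepareRequest('text', url, options);
}
```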

5.5.3 - 2026-01-20

Fixed

  • deps: Added patch for execa@2.1.0 to fix signal-exit v4 compatibility. The package was using default import syntax with signal-exit v4, which now exports onExit as a named export.

5.5.2 - 2026-01-20

Changed

  • dlx/package: Use getSocketCacacheDir() instead of getPacoteCachePath() for Arborist cache configuration
    • Ensures consistent use of Socket's shared cacache directory (~/.socket/_cacache)
    • Removes dependency on pacote cache path extraction which could fail
    • Simplifies cache configuration by using reliable Socket path utility

5.5.1 - 2026-01-12

Fixed

  • Fixed dotenvx compatibility with pre-commit hooks
  • Fixed empty releases being returned when finding latest release

5.5.0 - 2026-01-12

Added

  • dlx/detect: Executable type detection utilities for DLX cache and local file paths
    • detectDlxExecutableType(): Detects Node.js packages vs native binaries in DLX cache by checking for node_modules/ directory
    • detectExecutableType(): Generic entry point that routes to appropriate detection strategy
    • detectLocalExecutableType(): Detects executables on local filesystem by checking package.json bin field or file extension
    • isJsFilePath(): Validates if a file path has .js, .mjs, or .cjs extension
    • isNativeBinary(): Simplified helper that returns true for native binary executables
    • isNodePackage(): Simplified helper that returns true for Node.js packages

Fixed

  • releases/github: Sort releases by published_at to reliably find latest release instead of relying on creation order

5.4.1 - 2026-01-10

Fixed

  • build: Removed debug module stub to bundle real debug package. The stub was missing enable() and disable() methods, causing errors when downstream projects re-bundled the lib.

5.4.0 - 2026-01-07

Added

  • releases/github: Extended release functions to accept glob patterns for asset discovery

    • getReleaseAssetUrl() now accepts glob patterns: 'yoga-sync-*.mjs', 'models-*.tar.gz'
    • downloadReleaseAsset() now accepts glob patterns for automatic asset discovery
    • getLatestRelease() now accepts asset patterns to find releases with matching assets
    • Supports wildcards, brace expansion, RegExp patterns, and prefix/suffix objects
    • Uses picomatch for robust glob pattern matching
  • releases/socket-btm: Extended downloadSocketBtmRelease() to accept glob patterns

    • asset parameter now accepts wildcards: 'yoga-sync-*.mjs', 'models-*.tar.gz'
    • Automatically discovers and downloads latest matching asset
    • Eliminates need for hardcoded asset names in build scripts

5.3.0 - 2026-01-07

Added

  • releases/socket-btm: Exported helper functions for external use

    • detectLibc(): Detect musl vs glibc on Linux systems
    • getBinaryAssetName(): Get GitHub asset name for platform/arch
    • getBinaryName(): Get binary filename with platform-appropriate extension
    • getPlatformArch(): Get platform-arch identifier for directory structure
  • releases/github: Exported getAuthHeaders() for GitHub API authentication

    • Returns headers with Accept, X-GitHub-Api-Version, and optional Authorization
    • Checks GH_TOKEN and GITHUB_TOKEN environment variables

5.2.1 - 2026-01-06

Fixed

  • releases: Fixed "Text file busy" errors when executing downloaded binaries
    • Changed downloadGitHubRelease() to use synchronous chmodSync() instead of async chmod()
    • Ensures file system operations complete before binary execution
    • Prevents race conditions in CI/CD environments where async operations may not fully flush to disk

5.2.0 - 2026-01-06

Added

  • releases: Added GitHub release download uti...