chore: release v5.11.0

jdalton · jdalton · commit bdc007836530 · 2026-03-23T23:27:08.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.11.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.11.0) - 2026-03-23
+
+### Added
+
+- **http-request**: Checksum verification for secure downloads
+  - `parseChecksums(text)`: Parse checksums file text into filename→hash map
+    - Supports GNU style (`hash  filename`), BSD style (`SHA256 (file) = hash`), and single-space format
+    - Handles Windows CRLF and Unix LF line endings
+    - Returns null-prototype object to prevent prototype pollution
+  - `fetchChecksums(url, options?)`: Fetch and parse checksums from URL
+    - Supports `headers` and `timeout` options
+  - `httpDownload` now accepts `sha256` option to verify downloaded files
+    - Verification happens before atomic rename (file not saved if hash mismatches)
+    - Accepts uppercase hashes (normalized to lowercase internally)
+
 ## [5.10.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.10.0) - 2026-03-14
 
 ### Changed
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.10.0",
+  "version": "5.11.0",
   "packageManager": "pnpm@10.32.1",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@socketsecurity/lib",`
`3`		`- "version": "5.10.0",`
	`3`	`+ "version": "5.11.0",`
`4`	`4`	`"packageManager": "pnpm@10.32.1",`
`5`	`5`	`"license": "MIT",`
`6`	`6`	`"description": "Core utilities and infrastructure for Socket.dev security tools",`