feat(dlx): align cache key generation with npm/npx pattern

- Changed from SHA-256 (64 chars) to SHA-512 truncated to 16 chars
- Optimized for Windows MAX_PATH compatibility (260 character limit)
- Accepts collision risk for shorter paths (~1 in 18 quintillion)
- Added support for PURL-style package specifications
- Documented Socket's shorthand format (without pkg: prefix)
- References npm/cli v11.6.2 implementation

Author: jdalton

CHANGELOG.md

@@ -5,6 +5,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.8.0](https://github.com/SocketDev/socket-lib/releases/tag/v2.8.0) - 2025-10-29
+
+### Changed
+
+- **Enhanced DLX cache key generation with npm/npx compatibility**: Updated cache key strategy to align with npm/npx ecosystem patterns
+  - Changed from SHA-256 (64 chars) to SHA-512 truncated to 16 chars (matching npm/npx)
+  - Optimized for Windows MAX_PATH compatibility (260 character limit)
+  - Accepts collision risk for shorter paths (~1 in 18 quintillion with 1000 entries)
+  - Added support for PURL-style package specifications (e.g., `npm:prettier@3.0.0`, `pypi:requests@2.31.0`)
+  - Documented Socket's shorthand format (without `pkg:` prefix) handled by `@socketregistry/packageurl-js`
+  - References npm/cli v11.6.2 implementation for consistency
+
 ## [2.7.0](https://github.com/SocketDev/socket-lib/releases/tag/v2.7.0) - 2025-10-28
 
 ### Added

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "2.7.0",
+  "version": "2.8.0",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
   "keywords": [

src/dlx-binary.ts

@@ -40,13 +40,31 @@ export interface DlxBinaryResult {
 }
 
 /**
- * Generate a cache directory name from URL and binary name.
- * Uses SHA256 hash to create content-addressed storage.
- * Includes binary name to prevent collisions when multiple binaries
- * are downloaded from the same URL with different names.
+ * Generate a cache directory name using npm/npx approach.
+ * Uses first 16 characters of SHA-512 hash (like npm/npx).
+ *
+ * Rationale for SHA-512 truncated (vs full SHA-256):
+ * - Matches npm/npx ecosystem behavior
+ * - Shorter paths for Windows MAX_PATH compatibility (260 chars)
+ * - 16 hex chars = 64 bits = acceptable collision risk for local cache
+ * - Collision probability ~1 in 18 quintillion with 1000 entries
+ *
+ * Input strategy (aligned with npx):
+ * - npx uses package spec strings (e.g., '@scope/pkg@1.0.0', 'prettier')
+ * - For package installs: Use PURL-style spec with version
+ *   Examples: 'npm:prettier@3.0.0', 'pypi:requests@2.31.0', 'gem:rails@7.0.0'
+ *   Note: Socket uses shorthand format without 'pkg:' prefix
+ *   (handled by @socketregistry/packageurl-js)
+ * - For binary downloads: Use URL + binary name for uniqueness
+ *
+ * Reference: npm/cli v11.6.2 libnpmexec/lib/index.js#L233-L244
+ * https://github.com/npm/cli/blob/v11.6.2/workspaces/libnpmexec/lib/index.js#L233-L244
+ * Implementation: packages.map().sort().join('\n') → SHA-512 → slice(0,16)
+ * npx hashes the package spec (name@version), not just name
  */
 function generateCacheKey(url: string, name: string): string {
-  return createHash('sha256').update(`${url}:${name}`).digest('hex')
+  const input = `${url}:${name}`
+  return createHash('sha512').update(input).digest('hex').substring(0, 16)
 }
 
 /**