chore: cascade bump — socket-registry refs + @socketsecurity/lib 5.19.1 + register .claude/hooks/* + lib-stub expansion #596
Open
John-David Dalton (jdalton) wants to merge 6 commits into main from
…date Update all SocketDev/socket-registry action/workflow SHA pins in .github/workflows/ to d54c36d0bed05ffffbe8b14e7663927eaa19d5df (the current propagation SHA per socket-registry's _local-not-for-reuse-*.yml pins). Also: .github/workflows/weekly-update.yml is now a thin delegator to SocketDev/socket-registry/.github/workflows/weekly-update.yml — the shared Layer 3 reusable that invokes the /updating skill umbrella via Claude Code. Drops ~340 lines of inline update logic; same behavior.
…nals The current createLibStubPlugin already stubs socket-lib's globs.js, sorts.js, and the npm-pack / pico-pack external bundles since none of their code paths are exercised by the SDK's runtime. Extend the same pattern to two more transitive externals:
- @socketsecurity/lib/dist/external/del.js — pulled in by fs.js's lazy getDel() for safeDelete/safeDeleteSync. The SDK only uses validateFiles() from fs and never deletes.
- @socketsecurity/lib/dist/external/cacache.js — destructures from npm-pack (already stubbed), so the eager require would already yield undefined. Stubbing makes the intent explicit.
Result on dist/index.js: 712,442 → 711,934 bytes (−508 bytes). Modest gain since socket-lib's own stubs (v5.19.0+) cascade here automatically once the lib dep bumps. Full vitest suite runs with same pass/fail counts as main (739 passing; 1 pre-existing .claude/hooks failure unrelated to this change).
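The commit above extends a stub plugin so that two transitive externals are replaced by empty modules at bundle time. The following is an added example, not the SDK's own `.config/esbuild.config.mts`, of an esbuild plugin in that shape: an `onResolve` hook sends a fixed list of specifiers into a private namespace, and an `onLoad` hook serves each as an empty CommonJS module. Because a build-time test cannot assume esbuild is installed, a minimal fake `build` object stands in for esbuild's `PluginBuild` so the hooks can be driven directly; the stubbed list is just the two paths named in the commit.

```javascript
// Added example (not the SDK's esbuild config): an esbuild plugin that stubs a
// fixed set of module specifiers with `module.exports = {}`, plus a fake
// PluginBuild so the resolve/load hooks can be exercised without esbuild.
'use strict';

const STUB_NAMESPACE = 'lib-stub';

// The two externals the commit above adds; the real config's full list is not reproduced here.
const DEFAULT_STUBBED = [
  '@socketsecurity/lib/dist/external/del.js',
  '@socketsecurity/lib/dist/external/cacache.js',
];

const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

function createLibStubPlugin(stubbed = DEFAULT_STUBBED) {
  const stubSet = new Set(stubbed);
  // esbuild tests onResolve filters against the raw import specifier, so the
  // filter is an anchored alternation of exactly the specifiers to intercept.
  const filter = new RegExp(`^(?:${stubbed.map(escapeRe).join('|')})$`);
  return {
    name: 'lib-stub',
    setup(build) {
      build.onResolve({ filter }, args => {
        if (!stubSet.has(args.path)) return undefined; // fall through to normal resolution
        return { path: args.path, namespace: STUB_NAMESPACE, sideEffects: false };
      });
      build.onLoad({ filter: /.*/, namespace: STUB_NAMESPACE }, args => ({
        contents: `// stubbed by lib-stub: ${args.path}\nmodule.exports = {};\n`,
        loader: 'js',
      }));
    },
  };
}

// Minimal stand-in for esbuild's PluginBuild: records hooks and replays them
// the way esbuild would (first matching onResolve result wins, then onLoad by namespace).
function fakeBuild() {
  const resolvers = [];
  const loaders = [];
  return {
    onResolve(opts, cb) { resolvers.push({ opts, cb }); },
    onLoad(opts, cb) { loaders.push({ opts, cb }); },
    resolve(specifier) {
      for (const { opts, cb } of resolvers) {
        if (opts.filter.test(specifier)) {
          const r = cb({ path: specifier, kind: 'require-call' });
          if (r) return r;
        }
      }
      return null; // esbuild would continue with node-style resolution
    },
    load(resolved) {
      for (const { opts, cb } of loaders) {
        if (opts.namespace === resolved.namespace && opts.filter.test(resolved.path)) return cb(resolved);
      }
      return null;
    },
  };
}

// Resolves one specifier through the plugin; null means the plugin did not intercept it.
function runStubPlugin(specifier, stubbed = DEFAULT_STUBBED) {
  const build = fakeBuild();
  createLibStubPlugin(stubbed).setup(build);
  const resolved = build.resolve(specifier);
  if (!resolved) return null;
  const loaded = build.load(resolved);
  return { namespace: resolved.namespace, loader: loaded.loader, contents: loaded.contents };
}

// Evaluates stub contents as a CommonJS module to show exactly what a caller would see.
function evalStub(contents) {
  const module = { exports: {} };
  new Function('module', 'exports', contents)(module, module.exports);
  return module.exports;
}
```

The check worth keeping next to such a plugin is the one in the commit text: every stubbed path must be one the runtime never reaches. A stubbed module yields `undefined` for every export, so a code path that does reach it fails at call time with a TypeError rather than at build time, which is why the full test suite run mentioned in the commit matters more here than the byte count.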
`npm publish --provenance` requires the GitHub Actions OIDC id-token endpoint — running the script locally (non-dry-run) fails with "Provenance generation in GitHub Actions requires 'id-token: write' permission". Guarded the flag behind `process.env.GITHUB_ACTIONS === 'true'` so local emergency publishes still work. CI runs unchanged. Same fix landed in stuie + socket-registry + socket-packageurl-js in parallel commits.
Summary

Multi-repo cascade sync:

1. socket-registry refs (SHA pin bump)
   `SocketDev/socket-registry/.github/...@<SHA>` refs in `.github/workflows/` → `@d54c36d0bed05ffffbe8b14e7663927eaa19d5df`.

2. weekly-update delegation
   `.github/workflows/weekly-update.yml` reduced to a thin 20-line delegator calling `SocketDev/socket-registry/.github/workflows/weekly-update.yml@d54c36d0`.

3. @socketsecurity/lib 5.19.1 bump
   `package.json` dev dep `@socketsecurity/lib` bumped from `5.18.2` → `5.19.1`. Hook manifest `.claude/hooks/check-new-deps/package.json` also bumped.
   lib 5.19.x brings:
   - … `dlx/integrity`, `dlx/arborist`, `dlx/lockfile`) with `generatePackagePin()` + default 7-day minimum-release-age
   - `pacote` shim exposes `tarball`/`manifest`/`packument` (fixes latent runtime crash in `fetchPackageManifest`/`fetchPackagePackument`)
   - `DlxBinaryOptions.hash?` / `DlxPackageOptions.hash?` / `DlxPackageOptions.lockfile?` options
   - … `dist/external/` via stub coverage of sigstore/tuf/arborist internals + zod v4 locales + debug/browser
   - … `stdio/{prompts,progress,clear}` + vendored `@inquirer/*` shims that 5.19.0 accidentally removed
   Fixes pre-existing `printFooter` imports in `scripts/build.mts` + `scripts/check.mts` that pulled from `lib/stdio/header` (where `printFooter` never lived). 5.18.2's loose subpath exports hid the bug; 5.19.x surfaces it.

4. Register `.claude/hooks/*` as workspace packages
   `pnpm-workspace.yaml` `packages:` glob now includes `.claude/hooks/*`. Taze (run via `pnpm run update`) now sees and bumps the hook manifests automatically, so they stay in lockstep with the root without manual sed.

5. Expand SDK's libStubPlugin pattern
   `createLibStubPlugin` in `.config/esbuild.config.mts` now also stubs `external/del.js` + `external/cacache.js`. Both are eagerly loaded by `@socketsecurity/lib/dist/fs.js` (lazy `getDel()`) and `@socketsecurity/lib/dist/cacache.js`, but SDK never calls `safeDelete`/`safeDeleteSync` and `cache-with-ttl` degrades gracefully.

Cascade

Test plan
- `grep -rn "SocketDev/socket-registry" .github/ | grep "@" | grep -v d54c36d0` returns nothing
- `grep @socketsecurity/lib package.json .claude/hooks/check-new-deps/package.json` shows 5.19.1
- `pnpm run update` now traverses `.claude/hooks/*` package.jsons too