chore: cascade bump — socket-registry refs + @socketsecurity/lib 5.19.1 + register .claude/hooks/* + lib-stub expansion

.claude/hooks/check-new-deps/package.json

@@ -11,7 +11,7 @@
   },
   "dependencies": {
     "@socketregistry/packageurl-js": "1.4.2",
-    "@socketsecurity/lib": "5.18.2",
+    "@socketsecurity/lib": "5.20.1",
     "@socketsecurity/sdk": "4.0.1"
   },
   "devDependencies": {

.config/esbuild.config.mts

@@ -241,8 +241,21 @@ function createNodeProtocolPlugin() {
  *     minimal lookup covering just those types.
  */
 function createLibStubPlugin() {
+  // Heavy lib modules that are eagerly required but never exercised
+  // by the SDK's actual code paths.
+  //
+  // Never-reached by SDK gateway modules:
+  //   - globs.js / sorts.js → only used by fs helpers the SDK skips
+  //   - external/npm-pack.js / pico-pack.js → Arborist/pacote/fast-glob,
+  //     SDK only needs validateFiles() from fs
+  //
+  // Never-reached transitive external shims:
+  //   - external/cacache.js → destructures from npm-pack (already stubbed),
+  //     SDK's cache-with-ttl path degrades gracefully
+  //   - external/del.js → pulled in by fs's lazy getDel() for safeDelete,
+  //     SDK never calls safeDelete/safeDeleteSync
   const libStubPattern =
-    /@socketsecurity\/lib\/dist\/(globs|sorts|external\/(npm-pack|pico-pack))\.js$/
+    /@socketsecurity\/lib\/dist\/(globs|sorts|external\/(npm-pack|pico-pack|cacache|del))\.js$/
 
   const mimeDbPattern = /mime-db\/db\.json$/
 

.github/workflows/ci.yml

@@ -21,6 +21,6 @@ concurrency:
 jobs:
   ci:
     name: Run CI Pipeline
-    uses: SocketDev/socket-registry/.github/workflows/ci.yml@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+    uses: SocketDev/socket-registry/.github/workflows/ci.yml@3362af95fadd1e325cb48e9ad6daff21c112bd72 # main
     with:
       test-script: 'pnpm run test --all --skip-build'

.github/workflows/generate.yml

@@ -46,14 +46,14 @@ jobs:
           echo "Sleeping for $delay seconds..."
           sleep $delay
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@3362af95fadd1e325cb48e9ad6daff21c112bd72 # main
 
       - name: Configure push credentials
         env:
           GH_TOKEN: ${{ github.token }}
         run: git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@3362af95fadd1e325cb48e9ad6daff21c112bd72 # main
         with:
           gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
 
@@ -145,5 +145,5 @@ jobs:
           > \`\`\`
           EOF
 
-      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@3362af95fadd1e325cb48e9ad6daff21c112bd72 # main
         if: always()

.github/workflows/provenance.yml

@@ -30,7 +30,7 @@ jobs:
     permissions:
       contents: write # To create GitHub releases
       id-token: write # For npm trusted publishing via OIDC
-    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@3362af95fadd1e325cb48e9ad6daff21c112bd72 # main
     with:
       debug: ${{ inputs.debug }}
       dist-tag: ${{ inputs.dist-tag }}