chore: cascade bump — socket-registry refs + @socketsecurity/lib 5.21.0 + register .claude/hooks/*

.claude/hooks/check-new-deps/package.json

@@ -10,9 +10,9 @@
     "test": "node --test test/*.test.mts"
   },
   "dependencies": {
-    "@socketregistry/packageurl-js": "1.4.2",
-    "@socketsecurity/lib": "5.18.2",
-    "@socketsecurity/sdk": "4.0.1"
+    "@socketregistry/packageurl-js": "catalog:",
+    "@socketsecurity/lib": "catalog:",
+    "@socketsecurity/sdk": "catalog:"
   },
   "devDependencies": {
     "@types/node": "24.9.2"

.claude/hooks/setup-security-tools/package.json

@@ -4,6 +4,6 @@
   "type": "module",
   "main": "./index.mts",
   "dependencies": {
-    "@socketsecurity/lib": "5.18.2"
+    "@socketsecurity/lib": "catalog:"
   }
 }

.github/workflows/ci.yml

@@ -109,7 +109,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@a5923566cd8bcf70aefa1eefacf21f96e328be45 # main
         with:
           checkout: 'false'
 
@@ -168,7 +168,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@a5923566cd8bcf70aefa1eefacf21f96e328be45 # main
         with:
           checkout: 'false'
 
@@ -234,7 +234,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@a5923566cd8bcf70aefa1eefacf21f96e328be45 # main
         with:
           checkout: 'false'
           node-version: ${{ matrix.node-version }}
@@ -310,7 +310,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@a5923566cd8bcf70aefa1eefacf21f96e328be45 # main
         with:
           checkout: 'false'
           node-version: ${{ matrix.node-version }}

.github/workflows/provenance.yml

@@ -51,7 +51,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@a5923566cd8bcf70aefa1eefacf21f96e328be45 # main
         with:
           checkout: 'false'
 
@@ -91,7 +91,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@a5923566cd8bcf70aefa1eefacf21f96e328be45 # main
         with:
           checkout: 'false'
           registry-url: 'https://registry.npmjs.org'
@@ -141,7 +141,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@a5923566cd8bcf70aefa1eefacf21f96e328be45 # main
         with:
           checkout: 'false'
           registry-url: 'https://registry.npmjs.org'

.github/workflows/weekly-update.yml

@@ -29,7 +29,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@a5923566cd8bcf70aefa1eefacf21f96e328be45 # main
         with:
           checkout: 'false'
 
@@ -62,7 +62,7 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@a5923566cd8bcf70aefa1eefacf21f96e328be45 # main
         with:
           checkout: 'false'
 
@@ -79,7 +79,7 @@ jobs:
           git checkout -b "$BRANCH_NAME" HEAD~1
           echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@a5923566cd8bcf70aefa1eefacf21f96e328be45 # main
         with:
           gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
 
@@ -332,7 +332,7 @@ jobs:
             test.log
           retention-days: 7
 
-      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@a5923566cd8bcf70aefa1eefacf21f96e328be45 # main
         if: always()
 
   notify:

package.json

@@ -1,11 +1,11 @@
 {
   "name": "socket-cli-monorepo",
   "version": "0.0.0",
-  "packageManager": "pnpm@11.0.0-rc.0",
+  "packageManager": "pnpm@11.0.0-rc.2",
   "private": true,
   "engines": {
     "node": ">=25.9.0",
-    "pnpm": ">=11.0.0-rc.0"
+    "pnpm": ">=11.0.0-rc.2"
   },
   "scripts": {
     "// Build": "",

packages/cli/src/utils/coana/spawn.mts

@@ -12,6 +12,7 @@ import { spawnNode } from '../spawn/spawn-node.mjs'
 
 import type { IpcObject } from '../ipc.mts'
 import type { CResult } from '../../types.mjs'
+import type { StdioOptions } from 'node:child_process'
 import type { SpawnExtra, SpawnOptions } from '@socketsecurity/lib/spawn'
 
 export type CoanaSpawnOptions = SpawnOptions & {
@@ -70,7 +71,8 @@ export async function spawnCoana(
             ...mixinsEnv,
             ...spawnEnv,
           },
-          stdio: spawnExtra?.['stdio'] || 'inherit',
+          stdio:
+            (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
         },
       )
 

packages/cli/src/utils/dlx/spawn.mts

@@ -69,6 +69,7 @@ import { getDefaultApiToken, getDefaultProxyUrl } from '../socket/sdk.mjs'
 import type { IpcObject } from '../ipc.mts'
 import type { CResult } from '../../types.mjs'
 import type { ExternalTool } from './vfs-extract.mjs'
+import type { StdioOptions } from 'node:child_process'
 import type {
   SpawnExtra,
   SpawnOptions,
@@ -390,7 +391,7 @@ export async function spawnCoanaDlx(
       const spawnPromise = spawn(spawnCommand, spawnArgs, {
         ...dlxOptions,
         env: finalEnv,
-        stdio: spawnExtra?.['stdio'] || 'inherit',
+        stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
       })
 
       const output = await spawnPromise
@@ -469,7 +470,7 @@ export async function spawnCdxgenDlx(
         ...process.env,
         ...spawnEnv,
       },
-      stdio: spawnExtra?.['stdio'] || 'inherit',
+      stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
     })
 
     return {
@@ -519,7 +520,7 @@ export async function spawnSfwDlx(
         ...process.env,
         ...spawnEnv,
       },
-      stdio: spawnExtra?.['stdio'] || 'inherit',
+      stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
     })
 
     return {
@@ -572,7 +573,7 @@ export async function spawnSocketPatchDlx(
         ...process.env,
         ...spawnEnv,
       },
-      stdio: spawnExtra?.['stdio'] || 'inherit',
+      stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
     })
 
     return {
@@ -590,7 +591,7 @@ export async function spawnSocketPatchDlx(
         ...process.env,
         ...spawnEnv,
       },
-      stdio: spawnExtra?.['stdio'] || 'inherit',
+      stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
     })
 
     return {
@@ -672,7 +673,7 @@ async function spawnToolVfs(
       ...process.env,
       ...spawnEnv,
     },
-    stdio: spawnExtra?.['stdio'] || 'inherit',
+    stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
   })
 
   return {
@@ -1657,7 +1658,7 @@ async function spawnTrivyDlx(
       ...process.env,
       ...spawnEnv,
     },
-    stdio: spawnExtra?.['stdio'] || 'inherit',
+    stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
   })
 
   return {
@@ -1719,7 +1720,7 @@ async function spawnTrufflehogDlx(
       ...process.env,
       ...spawnEnv,
     },
-    stdio: spawnExtra?.['stdio'] || 'inherit',
+    stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
   })
 
   return {
@@ -1781,7 +1782,7 @@ async function spawnOpengrepDlx(
       ...process.env,
       ...spawnEnv,
     },
-    stdio: spawnExtra?.['stdio'] || 'inherit',
+    stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
   })
 
   return {

packages/cli/src/utils/spawn/spawn-node.mts

@@ -33,6 +33,22 @@ import type {
   SpawnExtra,
 } from '@socketsecurity/lib/spawn'
 
+/**
+ * Narrows a spawned process to the shape required by
+ * `sendBootstrapHandshake` (i.e. `.send` is a callable, not undefined).
+ * The typeof-on-a-property guard can't flow to the parent object, so
+ * we need an explicit assertion function.
+ */
+function assertHasSend<T extends { send?: unknown }>(
+  proc: T,
+): asserts proc is T & { send: (message: unknown) => void } {
+  if (typeof proc.send !== 'function') {
+    throw new TypeError(
+      'spawn-node: expected IPC channel on child process (send is undefined)',
+    )
+  }
+}
+
 /**
  * Ensures stdio configuration includes IPC channel for process communication.
  * Converts various stdio formats to include 'ipc' as the fourth element.
@@ -117,6 +133,10 @@ export function spawnNode(
     extra,
   )
 
+  // `ensureIpcInStdio` above guarantees an IPC channel in stdio, so
+  // `.send` should always be a function here. Narrow explicitly via an
+  // assertion function so the call site doesn't need a structural cast.
+  assertHasSend(spawnResult.process)
   sendBootstrapHandshake(
     spawnResult.process,
     // Always send IPC handshake with bootstrap indicators + custom data.

packages/cli/src/utils/validation/ipc.mts

@@ -7,7 +7,23 @@
 
 import { randomBytes } from 'node:crypto'
 
-import type { IpcHandshake, IpcMessage, IpcStub } from '@socketsecurity/lib/ipc'
+import type { IpcStub } from '@socketsecurity/lib/ipc'
+
+export interface IpcMessage<T = unknown> {
+  data: T
+  id: string
+  timestamp: number
+  type: string
+}
+
+export interface IpcHandshake extends IpcMessage<{
+  apiToken?: string | undefined
+  appName: string
+  pid: number
+  version: string
+}> {
+  type: 'handshake'
+}
 
 /**
  * Check if a value is a valid IPC message.