chore: cascade bump — socket-registry refs + @socketsecurity/lib 5.19.1 + register .claude/hooks/* + lib-stub expansion

[John-David Dalton (jdalton)]

Summary

Multi-repo cascade sync:

1. socket-registry refs (SHA pin bump)

SocketDev/socket-registry/.github/...@<SHA> refs in .github/workflows/ → @3362af95fadd1e325cb48e9ad6daff21c112bd72.

This cascades the pnpm 11.0.0-rc.0 → 11.0.0-rc.2 bump from socket-registry. Folds #601 into this PR.

2. weekly-update delegation

.github/workflows/weekly-update.yml reduced to a thin 20-line delegator calling SocketDev/socket-registry/.github/workflows/weekly-update.yml@3362af95.

3. @socketsecurity/lib 5.19.1 bump

package.json dev dep @socketsecurity/lib bumped from 5.18.2 → 5.19.1. Hook manifest .claude/hooks/check-new-deps/package.json also bumped (subsequently synced to 5.20.1 on this branch).

lib 5.19.x brings:

• New dlx pin pipeline (dlx/integrity, dlx/arborist, dlx/lockfile) with generatePackagePin() + default 7-day minimum-release-age
• pacote shim exposes tarball/manifest/packument (fixes latent runtime crash in fetchPackageManifest/fetchPackagePackument)
• DlxBinaryOptions.hash? / DlxPackageOptions.hash? / DlxPackageOptions.lockfile? options
• ~1.1 MB smaller dist/external/ via stub coverage of sigstore/tuf/arborist internals + zod v4 locales + debug/browser
• 5.19.1 restores stdio/{prompts,progress,clear} + vendored @inquirer/* shims that 5.19.0 accidentally removed

Fixes pre-existing printFooter imports in scripts/build.mts + scripts/check.mts that pulled from lib/stdio/header (where printFooter never lived). 5.18.2's loose subpath exports hid the bug; 5.19.x surfaces it.

4. Register .claude/hooks/* as workspace packages

pnpm-workspace.yaml packages: glob now includes .claude/hooks/*. Taze (run via pnpm run update) now sees and bumps the hook manifests automatically, so they stay in lockstep with the root without manual sed.

5. Expand SDK's libStubPlugin pattern

createLibStubPlugin in .config/esbuild.config.mts now also stubs external/del.js + external/cacache.js. Both are eagerly loaded by @socketsecurity/lib/dist/fs.js (lazy getDel()) and @socketsecurity/lib/dist/cacache.js, but SDK never calls safeDelete/safeDeleteSync and cache-with-ttl degrades gracefully.

Cascade

• Direct push (main): socket-lib (5.19.1 release), socket-btm, sdxgen, socket-tui, socketui, socket-registry, socket-packageurl-js
• PR: socket-cli (#1237), socket-sdk-js (this PR)

Test plan

• CI green
• No stale registry refs: grep -rn "SocketDev/socket-registry" .github/ | grep "@" | grep -v 3362af95 returns nothing
• grep @socketsecurity/lib package.json .claude/hooks/check-new-deps/package.json shows 5.19.1+
• pnpm run update now traverses .claude/hooks/* package.jsons too
• pnpm 11.0.0-rc.2 is installed during setup (cascaded from chore(ci): bump socket-registry action refs to main (3362af95) #601)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​socketsecurity/​lib@​5.20.1

View full report