Add dependency malware checker hook for Claude Code#1184
Merged
John-David Dalton (jdalton) merged 7 commits intomainfrom Apr 11, 2026
Merged
Add dependency malware checker hook for Claude Code#1184John-David Dalton (jdalton) merged 7 commits intomainfrom
John-David Dalton (jdalton) merged 7 commits intomainfrom
Conversation
Intercepts Edit/Write on dependency files across 17+ ecosystems (npm, PyPI, Cargo, Go, Maven, etc.) and checks new deps against Socket.dev's malware API before they're added. Uses SDK v4 checkMalware() with batch chunking, namespace-aware matching, and in-memory caching.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
John-David Dalton (jdalton)
force-pushed
the
feat/check-new-deps-hook
branch
3 times, most recently
from
f1e6e29 to
14f1337
Compare
John-David Dalton (jdalton)
force-pushed
the
feat/check-new-deps-hook
branch
from
14f1337 to
7436829
Compare
Bill Li (billxinli)
approved these changes
Apr 10, 2026
Pipfile.lock is JSON (with "default" and "develop" sections keyed by package name), not requirements.txt format. The regex-based extractPypi silently matched zero dependencies. Add a dedicated extractPipfileLock that parses the JSON structure correctly.
Contributor
Author
|
Cursor (@cursor) review |
Empty string is a valid value for new_string (Edit that deletes content) and old_string. Using || instead of ?? caused falsy empty strings to fall through to the wrong field.
Contributor
Author
|
Cursor (@cursor) review |
- Swift package URLs commonly end with .git (e.g. vapor.git); strip the suffix so the PURL lookup finds the correct package - Remove 'brew' extractor key that matched any path ending in 'brew'; only 'Brewfile' is the correct Homebrew manifest filename
Contributor
Author
|
Cursor (@cursor) review |
1 similar comment
Contributor
Author
|
Cursor (@cursor) review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 096ce9f. Configure here.
Contributor
Author
|
Cursor (@cursor) review |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issues.
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 096ce9f. Configure here.
- Cargo.toml: Only extract deps from [dependencies] sections, not metadata like name, version, edition - npm: Exclude known package.json metadata field names that match the dep pattern but aren't dependencies
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this adds
A Claude Code pre-tool hook that automatically checks new dependencies for malware before they're added to the project. Runs on every Edit/Write to dependency manifest files.
How it works
checkMalware()Files
.claude/hooks/check-new-deps/— the hook + tests (82 pass) + README.claude/settings.json— registers the hook on PreToolUse Edit|Write.gitignore— tracks.claude/hooks/and.claude/settings.jsonDepends on
PR #1183 (SDK v4 bump) for
checkMalware()APINote
Medium Risk
Introduces a new Claude Code
PreToolUsehook that can blockEdit/Writeoperations based on live Socket.dev API responses, which may impact developer workflows and depends on network availability/token configuration.Overview
Adds a new Claude Code pre-tool hook (
.claude/hooks/check-new-deps) that detects newly introduced dependencies in common manifest/lock files (and GitHub Actions workflows), converts them to PURLs, and checks them via Socket.dev (sdk.checkMalware).The hook is diff-aware (only scans deps added vs
old_string), caches API results in-process, warns on low scores, and blocks the tool call (exit code2) when malware or critical alerts are detected;.claude/settings.jsonregisters it forEdit|Write, and.gitignoreis updated to track the hook + settings. Includes a comprehensive Node test suite for extractors, diffing, caching, and end-to-end blocking behavior.Reviewed by Cursor Bugbot for commit 096ce9f. Configure here.