chore: cascade — socket-registry refs + @socketsecurity/lib 5.21.0 + workspace hooks + lib-stub expansion

[John-David Dalton (jdalton)]

Squash of the full cascade sync branch.

What's in this cascade

1. socket-registry action refs bumped to @3362af95fadd1e325cb48e9ad6daff21c112bd72. Cascades the pnpm 11.0.0-rc.0 → 11.0.0-rc.2 bump from socket-registry.

2. .github/workflows/weekly-update.yml reduced to a thin 20-line delegator calling SocketDev/socket-registry/.github/workflows/weekly-update.yml.

3. @socketsecurity/lib bumped 5.18.2 → 5.21.0 (via 5.19.0, 5.19.1, 5.20.0, 5.20.1). Hook manifest .claude/hooks/check-new-deps/package.json kept in lockstep.

   Brings everything between 5.18.2 and 5.21.0:

   • New @socketsecurity/lib/schema/* module (validateSchema, parseSchema, Schema<T>, Infer<S>, ValidateResult<T>) — replaces the retired @socketsecurity/lib/validation/validate-schema subpath.
   • @socketsecurity/lib/json/parse now hosts safeJsonParse (prototype-pollution reviver + size limits) — replaces @socketsecurity/lib/validation/json-parser.
   • New @socketsecurity/lib/promises withResolvers() — spec-compliant TC39 `Promise.withResolvers` helper, bound to native when available.
   • `@socketsecurity/lib/regexps` `escapeRegExp()` now spec-compliant with TC39 `RegExp.escape`, bound to native on Node 24+. Caller-visible shape change: escaped output uses `\xHH` for many characters that previously passed through literally (functional equivalence preserved).
   • Perf: O(1) LRU bookkeeping in `memoization.memoize()` / `memoizeAsync()`; wildcard `cacache.clear()` compiles the match regex once per call.
   • ENOENT error surface normalized across `archives.extractZip()` / `extractTar()` / `extractTarGz()`.
   • Bounded `PromiseQueue` now rejects the newest submission when full (preserving committed-to in-flight work). Caller-visible: the `test/unit/promise-queue.test.mts` scenario was updated to match — see diff.
   • dlx pin pipeline (`DlxBinaryOptions.hash`, lockfile materialization).
   • `memoizeDebounced` removed (was misnamed, no consumers).

4. Workspace globs: `pnpm-workspace.yaml` `packages` glob now includes `.claude/hooks/*` so taze bumps hook manifests automatically.

5. Bundle shrink: `createLibStubPlugin` in `.config/esbuild.config.mts` also stubs `external/del.js` + `external/cacache.js` (eagerly loaded by `lib/fs` + `lib/cacache` but unused by the SDK).

6. `fix(publish)`: gate `--provenance` on `GITHUB_ACTIONS` so local publish runs don't break.

7. Fixes pre-existing `printFooter` imports in `scripts/build.mts` + `scripts/check.mts` that pulled from `lib/stdio/header` where `printFooter` never lived. 5.18.2's loose subpath exports hid the bug; 5.19.x surfaces it.

Folds PR #601 (socket-registry 3362af95 bump) into this cascade.

Caller-visible API changes in 5.21.0 that consumers should check

• Any import from `@socketsecurity/lib/validation/` → migrate to `@socketsecurity/lib/schema/` or `@socketsecurity/lib/json/parse`. This SDK has no such imports.
• `MemoizeOptions<Args, Result>` → `MemoizeOptions` (second type parameter dropped).
• `escapeRegExp` output byte-shape changed; only callers that string-match the output (rather than compile it into a `RegExp`) need updates. No such callers here.
• `getRepoUrlDetails` now rejects scp-style `git@github.com:…` URLs (returns empty result). No such callers here.

Test plan

• `pnpm install`
• `pnpm run check` (lint + typecheck)
• `pnpm exec vitest run` — 739/739 runtime tests pass. 1 pre-existing `check-new-deps` hook failure unrelated to this bump.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​socketsecurity/​lib@​5.21.0

View full report