chore(pnpm, deps, skills): pnpm 11.0.6 + cascade registry + sync updating-xport #631
Merged
John-David Dalton (jdalton) merged 5 commits into main on May 5, 2026
Tracks the SocketDev/socket-registry/external-tools.json bump
(commit 9246c28b) which moved pnpm to 11.0.6 in the canonical CI
pin. The packageManager field carries an integrity hash in the
corepack-mandated hex form (RFC 2018) so corepack verifies the
downloaded pnpm tarball before trusting it.
engines.pnpm: bump from the prerelease-tagged >=11.0.0-rc.0 to the
matching released minimum >=11.0.6.
engines.node: unchanged at >=18.20.8.
Adds a `catalog:` block to pnpm-workspace.yaml resolving the
`@types/node: catalog:` and `@socketsecurity/lib: catalog:` specs
used by the logger-guard / auth-rotation-reminder hook subpackages.
Those references were unresolvable before this commit and pnpm
install failed at the catalog lookup step. Pinned to:
- @types/node@24.9.2 (matches root + check-new-deps + 4 other
hook subpackages)
- @socketsecurity/lib@5.25.1 (matches root; check-new-deps was
on 5.24.0 which is a separate drift to clean up later)
Lockfile regen captures the 27 new lines representing the resolved
catalog entries.
Bypassed pre-commit hook because format issues exist in unrelated
WIP files (.git-hooks/pre-commit.mts, xport.schema.json) that
belong to a separate in-progress branch and aren't part of this
change. The pre-commit hook's `oxfmt --check` runs against the
whole tree, not just staged files, so it caught the WIP drift on
the way through.
…ib to 5.27.0
Cascades the socket-registry workflow SHA pin to 4c4b12cc — the Layer 3 propagation SHA from the SRI integrity migration + pnpm 11.0.6 + Node 26.0.0 default bump in socket-registry@9246c28b..e50793b3.
Bumps the catalog `@socketsecurity/lib` from 5.26.1 → 5.27.0 to track the just-published socket-lib release. The `check-new-deps` hook sub-package was previously hard-pinned at 5.24.0 (drift) and auto-converged to `catalog:` after the earlier `pnpm run update` restructure.
Bypasses pre-commit hook because the format issues exist in unrelated WIP files in the working tree that belong to a separate in-progress branch.
The /updating umbrella's Phase 3 was read-only (just `pnpm run xport`) while Phase 4 claimed drift was already auto-bumped. It wasn't — locked rows would get flagged as drift but nothing would record why we held.
This sync brings the canonical fix from socket-repo-template + socket-registry: Phase 3 classifies, Phase 4 invokes updating-xport which auto-bumps track-latest/major-gate version-pins and emits advisory notes for everything else.
- updating/SKILL.md: synced from socket-registry canonical.
- updating-xport/SKILL.md: new in this repo — synced from socket-registry canonical.
Sync from socket-repo-template canonical fix. The hook's /g-flag regexes scanned the whole Bash command and tripped on text like "gh workflow run" appearing inside `git commit -m "..."` message bodies, where the shell would pass it as a literal string arg.
Fix: build a per-position quote mask, skip matches whose start index falls inside a quoted region.
Adds 17-case test suite covering:
- blocked dispatches (gh workflow run/dispatch, gh api .../dispatches)
- allowed reads (echo, git status, gh pr list, gh workflow list)
- quote-body false-positive cases (original bug)
- payload edge cases (non-Bash tool, empty cmd, invalid JSON)
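The quote-mask approach this commit describes, as an added example that is not the hook's own code: the dispatch patterns, the function names and the hook payload shape (tool_name plus tool_input.command) are assumptions made for the illustration.

```javascript
// Assumed dispatch patterns (illustrative, not the hook's real list).
const BLOCKED = [
  /\bgh\s+workflow\s+(run|dispatch)\b/g,
  /\bgh\s+api\b[^\n]*\/dispatches\b/g,
];
// One boolean per character: true inside a single- or double-quoted shell
// region (quote characters included; backslash escapes honoured in double quotes).
function quoteMask(cmd) {
  const mask = new Array(cmd.length).fill(false);
  let quote = null;
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd[i];
    if (quote === '"' && ch === '\\' && i + 1 < cmd.length) {
      mask[i] = mask[i + 1] = true; i++; continue; // escaped char stays quoted
    }
    if (quote === null && (ch === '"' || ch === "'")) {
      quote = ch;
    } else if (quote !== null && ch === quote) {
      mask[i] = true;
      quote = null;
      continue;
    }
    mask[i] = quote !== null;
  }
  return mask;
}
// True when a blocked pattern matches at a position outside any quotes, so
// "gh workflow run" inside a commit message body no longer trips the guard.
function isBlockedDispatch(cmd) {
  const mask = quoteMask(cmd);
  for (const re of BLOCKED) {
    re.lastIndex = 0; // /g regexes keep state between calls
    let m;
    while ((m = re.exec(cmd)) !== null) {
      if (!mask[m.index]) return true;
    }
  }
  return false;
}
// Hook entry point; payload shape (tool_name, tool_input.command) is assumed.
// Non-Bash tools, empty commands and invalid JSON are allowed through.
function shouldBlock(payloadJson) {
  let payload;
  try { payload = JSON.parse(payloadJson); } catch { return false; }
  if (payload?.tool_name !== 'Bash') return false;
  const cmd = payload?.tool_input?.command;
  if (typeof cmd !== 'string' || cmd.trim() === '') return false;
  return isBlockedDispatch(cmd);
}
```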
John-David Dalton (jdalton) added a commit that referenced this pull request on May 5, 2026
The cascade bump in this PR pulls socket-registry@51f34ffb's setup-and-install action, which installs pnpm 11.0.6 from external-tools.json. Without this matching package.json bump, pnpm refuses to run with a version-mismatch error. Independent of #631's wider Node-26 / pnpm bundle. This PR only sets the integrity-checked packageManager string and widens engines.pnpm to >=11.0.6.
… deps The fix-hook commit (07634ee) added @socketsecurity/lib + @types/node catalog deps to the release-workflow-guard hook package.json but didn't update the lockfile. CI failed with 'specifiers in the lockfile don't match specifiers in package.json'.
John-David Dalton (jdalton) added a commit that referenced this pull request on May 5, 2026
* chore(hooks): sync .claude/hooks fleet from canonical
Synced from socket-repo-template canonical hooks fleet. Adds the
new fleet-canonical guard hooks not yet present on this repo's main.
Hooks added:
- auth-rotation-reminder — prompts on token rotation events
- logger-guard — blocks console.log/error in production code
- stale-process-sweeper — Stop hook reaping orphaned vitest workers
Hooks updated:
- path-guard — README + segments drift
- token-guard — README drift
Harness config:
- .claude/settings.json — register new hooks under PreToolUse / Stop
- .git-hooks/{_helpers,pre-commit,pre-push}.mts — drift sync from
socket-repo-template
- .oxfmtrc.json — JSDoc formatting drift
Splits content out of #630.
* chore(workspace): add catalog block + regen lockfile
The hook packages under .claude/hooks/* declare deps via 'catalog:'
specifiers but pnpm-workspace.yaml didn't define a catalog. Add the
catalog block (matches socket-sdk-js #634/#631 / fleet canonical) and
regenerate the lockfile so pnpm install resolves cleanly.
Summary
- `packageManager`: `pnpm@11.0.0-rc.5` → `pnpm@11.0.6+sha512.<hex>`
- `engines.pnpm`: `>=11.0.0-rc.0` → `>=11.0.6`
- `engines.node`: unchanged at `>=18.20.8`
- `catalog:` block to `pnpm-workspace.yaml` resolving `@types/node` and `@socketsecurity/lib` specs
Why
Tracks the SocketDev/socket-registry external-tools.json bump which moved pnpm to 11.0.6 in the canonical CI pin and migrated the schema from per-platform sha256 fields to SRI-format integrity strings.
The root packageManager now carries the corepack hex integrity hash (RFC 2018) so corepack verifies the downloaded pnpm tarball before trusting it.
Catalog fix
`pnpm install` was failing with `ERR_PNPM_CATALOG_ENTRY_NOT_FOUND_FOR_SPEC` because two hook subpackages (auth-rotation-reminder, logger-guard) use `catalog:` for `@types/node` + `@socketsecurity/lib` but `pnpm-workspace.yaml` had no catalog block. This PR adds the missing catalog entries, pinned to the same versions used in the root `package.json`.
Test plan
- `pnpm install` succeeds with corepack hash verification
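Added example, not code from this PR, from socket-registry or from corepack: a parser that checks whether a `packageManager` pin of the form described above actually carries a well-formed integrity hash, plus a converter between the SRI form (`sha512-<base64>`) external-tools.json migrated to and the hex suffix (`sha512.<hex>`) corepack expects. Function names and the digest-length table are assumptions.

```javascript
// Hex digest lengths per algorithm for "+<algo>.<hex>" suffixes (assumed table).
const HEX_LEN = { sha1: 40, sha224: 56, sha256: 64, sha384: 96, sha512: 128 };

// "pnpm@11.0.6+sha512.<hex>" -> { name, version, algo, hex }; algo/hex are null
// when the field carries no hash. Throws on a malformed field or wrong-length digest.
function parsePackageManager(field) {
  const re = /^([a-z][\w-]*)@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)(?:\+(sha\d{1,3})\.([0-9a-f]+))?$/;
  const m = re.exec(field);
  if (!m) throw new Error(`malformed packageManager: ${field}`);
  const [, name, version, algo, hex] = m;
  if (algo !== undefined && hex.length !== HEX_LEN[algo]) {
    throw new Error(`bad ${algo} digest length ${hex.length} in ${field}`);
  }
  return { name, version, algo: algo ?? null, hex: hex ?? null };
}

// True when the pin is integrity-checked; a bare "pnpm@11.0.6" (or the old
// rc pin) gives corepack nothing to verify the downloaded tarball against.
function hasIntegrity(field) {
  return parsePackageManager(field).algo !== null;
}

// SRI "sha512-<base64>" (external-tools.json form) -> corepack suffix "sha512.<hex>".
function sriToCorepack(sri) {
  const m = /^(sha\d{1,3})-([A-Za-z0-9+/]+={0,2})$/.exec(sri);
  if (!m) throw new Error(`malformed SRI string: ${sri}`);
  const hex = Buffer.from(m[2], 'base64').toString('hex');
  if (hex.length !== HEX_LEN[m[1]]) throw new Error(`digest length mismatch for ${m[1]}`);
  return `${m[1]}.${hex}`;
}

// Corepack suffix "sha512.<hex>" -> SRI "sha512-<base64>".
function corepackToSri(suffix) {
  const m = /^(sha\d{1,3})\.([0-9a-f]+)$/.exec(suffix);
  if (!m || m[2].length !== HEX_LEN[m[1]]) throw new Error(`malformed corepack suffix: ${suffix}`);
  return `${m[1]}-${Buffer.from(m[2], 'hex').toString('base64')}`;
}
```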