chore(deps): bump @socketsecurity/lib to 5.18.2, @socketregistry/packageurl-js to 1.4.2, @socketsecurity/sdk to 4.0.1 by jdalton · Pull Request #1200 · SocketDev/socket-cli

John-David Dalton (jdalton) · 2026-04-14T16:06:49Z

Bump dependencies across workspace and hooks:

@socketsecurity/lib 5.15.0 → 5.18.2
@socketregistry/packageurl-js 1.4.1 → 1.4.2
@socketsecurity/sdk 4.0.0 → 4.0.1

Updated in pnpm-workspace.yaml catalog, hook package.json files, and lockfiles.

socket-security · 2026-04-14T16:07:36Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/@socketsecurity/lib@5.15.0 ⏵ 5.18.2
	npm/@socketregistry/packageurl-js@1.4.1 ⏵ 1.4.2
	npm/@socketsecurity/sdk@4.0.0 ⏵ 4.0.1

View full report

cursor

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

✅ Fixed: Version bump breaks Claude hook dependency symlink
- Updated .claude/hooks/check-new-deps/package.json and package-lock.json to reference @socketsecurity/lib 5.16.0, matching the workspace catalog version and fixing the broken symlink path.

Or push these changes by commenting:

@cursor push 240f485e36

Preview (240f485e36)

diff --git a/.claude/hooks/check-new-deps/package-lock.json b/.claude/hooks/check-new-deps/package-lock.json
--- a/.claude/hooks/check-new-deps/package-lock.json
+++ b/.claude/hooks/check-new-deps/package-lock.json
@@ -7,7 +7,7 @@
       "name": "@socketsecurity/hook-check-new-deps",
       "dependencies": {
         "@socketregistry/packageurl-js": "1.4.1",
-        "@socketsecurity/lib": "5.15.0",
+        "@socketsecurity/lib": "5.16.0",
         "@socketsecurity/sdk": "4.0.0"
       },
       "devDependencies": {
@@ -56,8 +56,8 @@
         "pnpm": ">=10.25.0"
       }
     },
-    "../../../node_modules/.pnpm/@socketsecurity+lib@5.15.0_typescript@5.9.3/node_modules/@socketsecurity/lib": {
-      "version": "5.15.0",
+    "../../../node_modules/.pnpm/@socketsecurity+lib@5.16.0_typescript@5.9.3/node_modules/@socketsecurity/lib": {
+      "version": "5.16.0",
       "license": "MIT",
       "devDependencies": {
         "@anthropic-ai/claude-code": "2.1.92",
@@ -149,7 +149,7 @@
       "version": "4.0.0",
       "license": "MIT",
       "dependencies": {
-        "@socketsecurity/lib": "5.15.0",
+        "@socketsecurity/lib": "5.16.0",
         "form-data": "4.0.5"
       },
       "devDependencies": {
@@ -200,7 +200,7 @@
       "link": true
     },
     "node_modules/@socketsecurity/lib": {
-      "resolved": "../../../node_modules/.pnpm/@socketsecurity+lib@5.15.0_typescript@5.9.3/node_modules/@socketsecurity/lib",
+      "resolved": "../../../node_modules/.pnpm/@socketsecurity+lib@5.16.0_typescript@5.9.3/node_modules/@socketsecurity/lib",
       "link": true
     },
     "node_modules/@socketsecurity/sdk": {

diff --git a/.claude/hooks/check-new-deps/package.json b/.claude/hooks/check-new-deps/package.json
--- a/.claude/hooks/check-new-deps/package.json
+++ b/.claude/hooks/check-new-deps/package.json
@@ -11,7 +11,7 @@
   },
   "dependencies": {
     "@socketregistry/packageurl-js": "1.4.1",
-    "@socketsecurity/lib": "5.15.0",
+    "@socketsecurity/lib": "5.16.0",
     "@socketsecurity/sdk": "4.0.0"
   },
   "devDependencies": {

_{You can send follow-ups to the cloud agent here.}

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 7e6d0e1. Configure here.}

socket-security-staging · 2026-04-14T22:52:54Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Obfuscated code: npm `@socketsecurity/lib` is 98.0% likely obfuscated Confidence: 0.98 Location: Package overview From: .claude/hooks/setup-security-tools/package-lock.json → `npm/@socketsecurity/lib@5.18.2` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/@socketsecurity/lib@5.18.2`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

socket-security-staging · 2026-04-14T23:28:53Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/@socketsecurity/lib@5.15.0 ⏵ 5.18.2
	npm/@socketregistry/packageurl-js@1.4.1 ⏵ 1.4.2
	npm/@socketsecurity/sdk@4.0.0 ⏵ 4.0.1

View full report

…ageurl-js to 1.4.2, @socketsecurity/sdk to 4.0.1

cursor bot reviewed Apr 14, 2026

View reviewed changes

Comment thread pnpm-workspace.yaml Outdated

John-David Dalton (jdalton) changed the title ~~chore(deps): bump @socketsecurity/lib to 5.16.0~~ chore(deps): bump @socketsecurity/lib to 5.17.0 Apr 14, 2026

John-David Dalton (jdalton) force-pushed the chore/bump-lib-5.16.0 branch from 7e6d0e1 to c6e348b Compare April 14, 2026 16:30

John-David Dalton (jdalton) changed the title ~~chore(deps): bump @socketsecurity/lib to 5.17.0~~ chore(deps): bump @socketsecurity/lib to 5.18.0 Apr 14, 2026

Bill Li (billxinli) approved these changes Apr 14, 2026

View reviewed changes

John-David Dalton (jdalton) force-pushed the chore/bump-lib-5.16.0 branch from a51f640 to 84d3d70 Compare April 14, 2026 22:51

John-David Dalton (jdalton) changed the title ~~chore(deps): bump @socketsecurity/lib to 5.18.0~~ chore(deps): bump @socketsecurity/lib to 5.18.1 Apr 14, 2026

John-David Dalton (jdalton) force-pushed the chore/bump-lib-5.16.0 branch from 84d3d70 to 1f27c64 Compare April 14, 2026 23:19

John-David Dalton (jdalton) changed the title ~~chore(deps): bump @socketsecurity/lib to 5.18.1~~ chore(deps): bump @socketsecurity/lib to 5.18.2 Apr 14, 2026

John-David Dalton (jdalton) force-pushed the chore/bump-lib-5.16.0 branch from 1f27c64 to fee47c2 Compare April 14, 2026 23:26

John-David Dalton (jdalton) changed the title ~~chore(deps): bump @socketsecurity/lib to 5.18.2~~ chore(deps): bump @socketsecurity/lib to 5.18.2 and @socketregistry/packageurl-js to 1.4.2 Apr 14, 2026

John-David Dalton (jdalton) force-pushed the chore/bump-lib-5.16.0 branch from fee47c2 to 3874802 Compare April 15, 2026 00:21

John-David Dalton (jdalton) changed the title ~~chore(deps): bump @socketsecurity/lib to 5.18.2 and @socketregistry/packageurl-js to 1.4.2~~ chore(deps): bump @socketsecurity/lib to 5.18.2, @socketregistry/packageurl-js to 1.4.2, @socketsecurity/sdk to 4.0.1 Apr 15, 2026

chore(deps): bump @socketsecurity/lib to 5.18.2, @socketregistry/pack…

cb56aea

…ageurl-js to 1.4.2, @socketsecurity/sdk to 4.0.1

John-David Dalton (jdalton) force-pushed the chore/bump-lib-5.16.0 branch from 3874802 to cb56aea Compare April 15, 2026 00:25

John-David Dalton (jdalton) merged commit 19a3a1f into main Apr 15, 2026
13 checks passed

John-David Dalton (jdalton) deleted the chore/bump-lib-5.16.0 branch April 15, 2026 02:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump @socketsecurity/lib to 5.18.2, @socketregistry/packageurl-js to 1.4.2, @socketsecurity/sdk to 4.0.1#1200

chore(deps): bump @socketsecurity/lib to 5.18.2, @socketregistry/packageurl-js to 1.4.2, @socketsecurity/sdk to 4.0.1#1200
John-David Dalton (jdalton) merged 1 commit intomainfrom
chore/bump-lib-5.16.0

John-David Dalton (jdalton) commented Apr 14, 2026 •

edited

Loading

Uh oh!

socket-security bot commented Apr 14, 2026 •

edited

Loading

Uh oh!

cursor bot left a comment •

edited

Loading

Uh oh!

Uh oh!

socket-security-staging bot commented Apr 14, 2026 •

edited

Loading

Uh oh!

socket-security-staging bot commented Apr 14, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

John-David Dalton (jdalton) commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cursor bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

socket-security-staging bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security-staging bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

John-David Dalton (jdalton) commented Apr 14, 2026 •

edited

Loading

socket-security bot commented Apr 14, 2026 •

edited

Loading

cursor bot left a comment •

edited

Loading

socket-security-staging bot commented Apr 14, 2026 •

edited

Loading

socket-security-staging bot commented Apr 14, 2026 •

edited

Loading