chore: cascade — socket-registry refs + @socketsecurity/lib 5.20.1 + workspace hooks + lib-stub expansion

Squash of the full cascade sync branch:

1. socket-registry action refs bumped to @3362af95fadd1e325cb48e9ad6daff21c112bd72.
   Cascades the pnpm 11.0.0-rc.0 → 11.0.0-rc.2 bump from socket-registry.

2. .github/workflows/weekly-update.yml reduced to a thin 20-line delegator
   calling SocketDev/socket-registry/.github/workflows/weekly-update.yml.

3. @socketsecurity/lib bumped 5.18.2 → 5.20.1 (via 5.19.0, 5.19.1).
   Hook manifest .claude/hooks/check-new-deps/package.json kept in lockstep.
   Brings the new dlx pin pipeline, pacote shim fix, DlxBinaryOptions.hash,
   and stdio/prompts restoration.

4. pnpm-workspace.yaml packages glob now includes .claude/hooks/* so taze
   bumps hook manifests automatically.

5. createLibStubPlugin in .config/esbuild.config.mts also stubs external/del.js
   + external/cacache.js (eagerly loaded by lib/fs + lib/cacache but unused
   by the SDK).

6. fix(publish): gate --provenance on GITHUB_ACTIONS so local publish runs
   don't break.

7. Fixes pre-existing printFooter imports in scripts/build.mts +
   scripts/check.mts that pulled from lib/stdio/header where printFooter
   never lived. 5.18.2's loose subpath exports hid the bug; 5.19.x surfaces it.

Folds PR #601 (socket-registry 3362af95 bump) into this cascade.

Author: jdalton

.claude/hooks/check-new-deps/package.json

@@ -11,7 +11,7 @@
   },
   "dependencies": {
     "@socketregistry/packageurl-js": "1.4.2",
-    "@socketsecurity/lib": "5.18.2",
+    "@socketsecurity/lib": "5.20.1",
     "@socketsecurity/sdk": "4.0.1"
   },
   "devDependencies": {

.config/esbuild.config.mts

@@ -241,8 +241,21 @@ function createNodeProtocolPlugin() {
  *     minimal lookup covering just those types.
  */
 function createLibStubPlugin() {
+  // Heavy lib modules that are eagerly required but never exercised
+  // by the SDK's actual code paths.
+  //
+  // Never-reached by SDK gateway modules:
+  //   - globs.js / sorts.js → only used by fs helpers the SDK skips
+  //   - external/npm-pack.js / pico-pack.js → Arborist/pacote/fast-glob,
+  //     SDK only needs validateFiles() from fs
+  //
+  // Never-reached transitive external shims:
+  //   - external/cacache.js → destructures from npm-pack (already stubbed),
+  //     SDK's cache-with-ttl path degrades gracefully
+  //   - external/del.js → pulled in by fs's lazy getDel() for safeDelete,
+  //     SDK never calls safeDelete/safeDeleteSync
   const libStubPattern =
-    /@socketsecurity\/lib\/dist\/(globs|sorts|external\/(npm-pack|pico-pack))\.js$/
+    /@socketsecurity\/lib\/dist\/(globs|sorts|external\/(npm-pack|pico-pack|cacache|del))\.js$/
 
   const mimeDbPattern = /mime-db\/db\.json$/
 

.github/workflows/ci.yml

@@ -21,6 +21,6 @@ concurrency:
 jobs:
   ci:
     name: Run CI Pipeline
-    uses: SocketDev/socket-registry/.github/workflows/ci.yml@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+    uses: SocketDev/socket-registry/.github/workflows/ci.yml@3362af95fadd1e325cb48e9ad6daff21c112bd72 # main
     with:
       test-script: 'pnpm run test --all --skip-build'

.github/workflows/generate.yml

@@ -46,14 +46,14 @@ jobs:
           echo "Sleeping for $delay seconds..."
           sleep $delay
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@3362af95fadd1e325cb48e9ad6daff21c112bd72 # main
 
       - name: Configure push credentials
         env:
           GH_TOKEN: ${{ github.token }}
         run: git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@3362af95fadd1e325cb48e9ad6daff21c112bd72 # main
         with:
           gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
 
@@ -145,5 +145,5 @@ jobs:
           > \`\`\`
           EOF
 
-      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@3362af95fadd1e325cb48e9ad6daff21c112bd72 # main
         if: always()

.github/workflows/provenance.yml

@@ -30,7 +30,7 @@ jobs:
     permissions:
       contents: write # To create GitHub releases
       id-token: write # For npm trusted publishing via OIDC
-    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@bbe46386c0a2bc6baefd02916234956a38e622d5 # main
+    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@3362af95fadd1e325cb48e9ad6daff21c112bd72 # main
     with:
       debug: ${{ inputs.debug }}
       dist-tag: ${{ inputs.dist-tag }}