feat: SDK v4 malware API + check-new-deps hook #1182
Closed
John-David Dalton (jdalton) wants to merge 24 commits into main from
SDK v4 exposes `checkMalware()` which handles firewall vs batch routing internally, simplifying consumers that need malware/security checks.
to use SDK v4's checkMalware() method instead of hand-rolled fetch calls. The SDK handles firewall vs batch routing internally, so we remove checkSingleDep(), checkBatchDeps(), FIREWALL_API_URL, and the BatchArtifact interface.
- Add .claude/hooks/* to pnpm workspace packages
- Replace hardcoded versions with catalog: references
- Add package name for workspace resolution

- Register check-new-deps hook in .claude/settings.json
- Allowlist settings.json in .gitignore
- Add comprehensive README with ecosystem table and flow diagram
- Reference the hook from the security-scan skill
Add update.mts script that checks for new zizmor and sfw releases, respecting the 7-day minimumReleaseAge cooldown for third-party tools while updating Socket-owned tools immediately.
- SFW shims: read SOCKET_API_KEY from env/.env.local at runtime instead of embedding plaintext secret in shim scripts
- check-new-deps: chunk API requests instead of silently dropping deps beyond MAX_BATCH_SIZE (1024)
- check-new-deps: include namespace in result matching key to avoid collisions (e.g. @types/node vs node)
- check-new-deps: tighten PyPI extractor to require version specifier context, preventing over-matching of ordinary Python keywords

- Shim .env parser: strip quotes, inline comments, whitespace, handle spaces around = sign
- Fix .env file ordering: .env.local before .env (matches shim runtime)
- Remove hardcoded "7 days" from update.mts; compute from COOLDOWN_MS

…dating skill
- Bump catalog and minimumReleaseAgeExclude to match installed version
- Add phase 3c to updating skill: sync Claude Code version from installed binary, bypasses cooldown since we're the ones running it

- Install-time .env parser: handle spaces around =, strip quotes, strip inline comments
- extractNpm: filter by version-specifier pattern to avoid false positives from scripts/config fields
- Windows: generate .cmd shims alongside bash shims, matching CI pattern (strip shim dir from PATH via batch string replacement)
Summary
Upgrades `@socketsecurity/sdk` from 3.4.1 to 4.0.0 and adds a Claude Code pre-tool hook that checks new dependencies against Socket.dev before they're added to the project.

What's new
SDK v4 upgrade
- `@socketsecurity/sdk` to 4.0.0 in workspace catalog
- `checkMalware()` which handles both single-dep firewall requests and batch PURL API automatically

check-new-deps hook (`.claude/hooks/check-new-deps/`)
A pre-tool hook that intercepts every Edit/Write to dependency manifest files across 17+ ecosystems (npm, PyPI, Cargo, Go, Maven, Gems, Composer, NuGet, Swift, Dart, Terraform, Homebrew, Conan, Nix, GitHub Actions, and more).
How it works:
- `sdk.checkMalware()` to check for malware and critical alerts

Uses SDK v4's `checkMalware()` instead of hand-rolled fetch calls — the SDK handles routing (≤5 deps → parallel firewall, >5 → batch API), retries, and policy normalization.

Integration
- `.claude/settings.json` (PreToolUse on Edit|Write)
- `catalog:` for all deps (DRY)
- `.gitignore` updated to track `.claude/hooks/` and `.claude/settings.json`

Documentation
- `.claude/hooks/check-new-deps/README.md`

Test plan
- `pnpm run build:cli` passes
- `node --test .claude/hooks/check-new-deps/test/*.test.mts` passes

Note
Medium Risk
Introduces a new pre-tool hook that can block Claude `Edit`/`Write` operations based on Socket.dev API results, which could affect developer workflows if parsing or API behavior is wrong. Also upgrades `@socketsecurity/sdk` to `4.0.0`, which may have compatibility impact wherever the SDK is consumed.

Overview
Adds a Claude Code `PreToolUse` hook (`.claude/hooks/check-new-deps/`) that detects dependency manifest edits across multiple ecosystems, diffs `old_string` vs `new_string` to find new dependencies, and queries Socket.dev via `sdk.checkMalware()` to block malware/critical alerts (exit `2`) and warn on low scores (exit `0`).

Wires the hook into `.claude/settings.json`, adds a dedicated workspace package with tests/docs/tsconfig, updates `.gitignore` to track the new `.claude` hook/settings files, and bumps `@socketsecurity/sdk` to `4.0.0` (with corresponding `pnpm-workspace.yaml`/`pnpm-lock.yaml` updates).

Reviewed by Cursor Bugbot for commit ca25e24.
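
The flow described above (diff `old_string` against `new_string`, key each dependency with its namespace, chunk at `MAX_BATCH_SIZE`, exit `2` to block and `0` to allow), as an added example that is not code from this pull request. The helper names, the `LOW_SCORE` threshold, the simplified npm pattern and the verdict shape are assumptions, and the verdicts are passed in as constructed data rather than fetched, since the signature of `sdk.checkMalware()` is not shown on the page.

```javascript
// Added illustration; helper names, LOW_SCORE and the result shape are assumptions.
const MAX_BATCH_SIZE = 1024; // batch limit named in the commit message
const LOW_SCORE = 0.5;       // hypothetical warning threshold
// Accept only "name": "<version specifier>" pairs, so script or config values
// such as "build": "tsc -p ." are not mistaken for dependencies.
const NPM_DEP = /"((?:@[\w.-]+\/)?[\w.-]+)"\s*:\s*"((?:[\^~<>=]*\d|\*|latest|workspace:|catalog:|npm:)[^"]*)"/g;

function extractNpm(text) {
  const deps = new Map();
  for (const [, full, version] of text.matchAll(NPM_DEP)) {
    const slash = full.indexOf('/');
    const namespace = slash === -1 ? '' : full.slice(0, slash);
    const name = full.slice(slash + 1);
    // The key carries the namespace, so @types/node and node stay distinct.
    deps.set(`npm:${namespace}:${name}`, { type: 'npm', namespace, name, version });
  }
  return deps;
}

// New = present after the edit and either absent before or at a different version.
function findNewDeps(oldString, newString) {
  const before = extractNpm(oldString);
  return [...extractNpm(newString)]
    .filter(([key, dep]) => before.get(key)?.version !== dep.version)
    .map(([key, dep]) => ({ key, ...dep }));
}

// Split into batches instead of truncating at the limit.
function chunk(items, size = MAX_BATCH_SIZE) {
  const out = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
  return out;
}

// results: verdicts in an assumed shape, matched back by the same namespaced key.
function decide(newDeps, results) {
  const byKey = new Map(results.map(r => [`${r.type}:${r.namespace ?? ''}:${r.name}`, r]));
  const blocked = [], warned = [];
  for (const dep of newDeps) {
    const r = byKey.get(dep.key);
    if (r && (r.malware || r.severity === 'critical')) blocked.push(dep.key);
    else if (r && r.score < LOW_SCORE) warned.push(dep.key);
  }
  return { exitCode: blocked.length ? 2 : 0, blocked, warned }; // 2 blocks, 0 allows
}

// Constructed sample edit (old_string / new_string of a package.json change).
const OLD = '"dependencies": { "lodash": "^4.17.21" }';
const NEW = '"scripts": { "build": "tsc -p ." }, "dependencies": { "lodash": "^4.17.21", "@types/node": "^20.11.0", "left-pad": "1.3.0" }';
```

With a constructed verdict for un-namespaced `node`, `decide()` leaves `@types/node` alone because the keys differ, which is the collision the namespace fix in the commit list addresses.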