Skip to content

build(deps-dev): bump @anthropic-ai/claude-code from 2.1.92 to 2.1.163#644

Closed
dependabot[bot] wants to merge 429 commits into
mainfrom
dependabot/npm_and_yarn/anthropic-ai/claude-code-2.1.163
Closed

build(deps-dev): bump @anthropic-ai/claude-code from 2.1.92 to 2.1.163#644
dependabot[bot] wants to merge 429 commits into
mainfrom
dependabot/npm_and_yarn/anthropic-ai/claude-code-2.1.163

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 20, 2026

Copy link
Copy Markdown
Contributor

Bumps @anthropic-ai/claude-code from 2.1.92 to 2.1.163.

Release notes

Sourced from @​anthropic-ai/claude-code's releases.

v2.1.163

What's changed

  • Added requiredMinimumVersion and requiredMaximumVersion managed settings — Claude Code refuses to start if its version is outside the allowed range and directs the user to an approved version
  • Added /plugin list command to list installed plugins, with --enabled/--disabled filters
  • Added a "c to copy" shortcut to /btw that copies the raw markdown answer to the clipboard, preserving formatting when pasted elsewhere
  • Hooks: Stop and SubagentStop hooks can now return hookSpecificOutput.additionalContext to give Claude feedback and keep the turn going without being labeled a hook error
  • Skills: added \$ escape syntax to include a literal $ before a digit in command bodies
  • stdio MCP servers now receive the same CLAUDE_CODE_SESSION_ID as hooks/Bash on --resume
  • Fixed claude -p hanging forever after its final result when a backgrounded command never exits — background shells are now stopped ~5s after the result once stdin closes
  • Fixed claude -p failing with "ANTHROPIC_API_KEY required" on Bedrock/Vertex/Foundry when CI=true and no Anthropic API key is set
  • Fixed bash commands failing under bazel and EDR-protected Go workflows: $TMPDIR was overridden to /tmp/claude-{uid} for all commands instead of only sandboxed ones (regression in 2.1.154)
  • Fixed Bash commands failing on Windows with "EEXIST: file already exists" on the session-env directory when it has the read-only attribute or is inside OneDrive
  • Fixed org-managed permission rules not applying for the entire session when the managed settings fetch completed during startup on a fresh config directory
  • Fixed background sessions in claude agents losing their running background tasks when reattached after a Claude Code update
  • Fixed terminal misalignment and a multi-second hang when exiting the agent view by pressing Esc
  • Fixed clicking Stop on a background-task chip in the desktop app not clearing the chip when the underlying process was already gone
  • Fixed keyboard input becoming permanently unresponsive after a paste operation whose end marker is dropped by the terminal
  • Fixed hook if: "Bash(...)" conditions firing on every Bash command containing $() or $VAR; the pattern now matches against commands inside subshells and backticks too
  • Fixed deny rules on home-directory paths (e.g. Read(~/Desktop/**)) not blocking Bash commands that reference the path via $HOME
  • Fixed a stray "(no content)" line left in the transcript after closing panel dialogs like /mcp and /plugins
  • Background agent sessions now update to a new Claude Code version in the background, so opening a session after an update no longer waits on a cold restart
  • Clearer descriptions for built-in commands and skills in the / menu
  • The subscription-switch suggestion now shows in the startup announcement slot instead of a toast
  • claude agents dispatching from the state-grouped view now starts the session in the directory the agent view was opened from

v2.1.162

What's changed

  • claude agents --json now includes waitingFor showing what a waiting session is blocked on (e.g. permission prompt)
  • --tools: explicitly listing Grep/Glob now provides the dedicated search tools on native builds with embedded search (previously these names were silently ignored)
  • /effort now confirms when your chosen level will persist as the default for new sessions
  • Clicking a slash command in the autocomplete menu now fills it into your prompt instead of running it immediately; press Enter to run
  • Remote Control now shows as a persistent footer pill (with a link to the session) instead of a startup message
  • Renamed Windsurf to Devin Desktop in the /ide menu, /terminal-setup, and /scroll-speed, following the editor's rebrand
  • Fixed a silent startup hang when the config directory is read-only or unwritable — Claude Code now starts with in-memory config and surfaces startup errors instead of showing a blank screen
  • Fixed WebFetch permission rules not being applied to built-in preapproved domains; explicit WebFetch(domain:...) deny/ask/allow rules now take precedence over the preapproved-host auto-allow
  • Fixed Windows permission rules never matching when spelled with backslashes (~\, \\server\share) or case-variant paths, and Read deny rules not hiding files from Glob/Grep results
  • Fixed an interrupt (Esc) sent at the very start of a turn being silently dropped in stream-json/SDK sessions, leaving the turn running with no "Interrupted" feedback
  • Fixed API 400 no low surrogate in string errors for classifier side-queries and MCP server descriptions containing emoji near a truncation boundary
  • Fixed MCP per-server timeout config values below 1000 ms being floored to a 1-second watchdog that aborted every tool call; sub-1000 ms values are now ignored (falling back to MCP_TOOL_TIMEOUT or default), and claude mcp get annotates them accordingly
  • Fixed the LSP tool's workspaceSymbol operation returning no results; it now accepts a query parameter and passes it to the language server
  • Fixed claude agents cutting live status text (tool args, replies, prompts, exec output) at 60–120 columns on wide terminals; the status detail now uses the full terminal width
  • Fixed claude agents truncating long session names at 40 columns; the name column now grows with terminal width
  • Fixed claude agents attach occasionally bouncing straight back to the session list on the first try after a background-service restart
  • Fixed claude agents Ctrl+V image paste doing nothing in the dispatch input and the session reply box; pasting with no image now shows a hint
  • Fixed backgrounding a session with ← silently losing the conversation when the background service cannot start; the session stays in the list as a failed row you can wake with Enter
  • Fixed replies from the agents view that fail to send being lost; they are now queued for delivery on the next session start
  • Fixed cross-session messaging (SendMessage) silently breaking when CLAUDE_CODE_TMPDIR or $TMPDIR points at a deep directory
  • Fixed opening a running background session from claude agents stalling for 5 seconds before attaching

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

2.1.163

  • Added requiredMinimumVersion and requiredMaximumVersion managed settings — Claude Code refuses to start if its version is outside the allowed range and directs the user to an approved version
  • Added /plugin list command to list installed plugins, with --enabled/--disabled filters
  • Added a "c to copy" shortcut to /btw that copies the raw markdown answer to the clipboard, preserving formatting when pasted elsewhere
  • Hooks: Stop and SubagentStop hooks can now return hookSpecificOutput.additionalContext to give Claude feedback and keep the turn going without being labeled a hook error
  • Skills: added \$ escape syntax to include a literal $ before a digit in command bodies
  • stdio MCP servers now receive the same CLAUDE_CODE_SESSION_ID as hooks/Bash on --resume
  • Fixed claude -p hanging forever after its final result when a backgrounded command never exits — background shells are now stopped ~5s after the result once stdin closes
  • Fixed claude -p failing with "ANTHROPIC_API_KEY required" on Bedrock/Vertex/Foundry when CI=true and no Anthropic API key is set
  • Fixed bash commands failing under bazel and EDR-protected Go workflows: $TMPDIR was overridden to /tmp/claude-{uid} for all commands instead of only sandboxed ones (regression in 2.1.154)
  • Fixed Bash commands failing on Windows with "EEXIST: file already exists" on the session-env directory when it has the read-only attribute or is inside OneDrive
  • Fixed org-managed permission rules not applying for the entire session when the managed settings fetch completed during startup on a fresh config directory
  • Fixed background sessions in claude agents losing their running background tasks when reattached after a Claude Code update
  • Fixed terminal misalignment and a multi-second hang when exiting the agent view by pressing Esc
  • Fixed clicking Stop on a background-task chip in the desktop app not clearing the chip when the underlying process was already gone
  • Fixed keyboard input becoming permanently unresponsive after a paste operation whose end marker is dropped by the terminal
  • Fixed hook if: "Bash(...)" conditions firing on every Bash command containing $() or $VAR; the pattern now matches against commands inside subshells and backticks too
  • Fixed deny rules on home-directory paths (e.g. Read(~/Desktop/**)) not blocking Bash commands that reference the path via $HOME
  • Fixed a stray "(no content)" line left in the transcript after closing panel dialogs like /mcp and /plugins
  • Background agent sessions now update to a new Claude Code version in the background, so opening a session after an update no longer waits on a cold restart
  • Clearer descriptions for built-in commands and skills in the / menu
  • The subscription-switch suggestion now shows in the startup announcement slot instead of a toast
  • claude agents dispatching from the state-grouped view now starts the session in the directory the agent view was opened from

2.1.162

  • claude agents --json now includes waitingFor showing what a waiting session is blocked on (e.g. permission prompt)
  • --tools: explicitly listing Grep/Glob now provides the dedicated search tools on native builds with embedded search (previously these names were silently ignored)
  • /effort now confirms when your chosen level will persist as the default for new sessions
  • Clicking a slash command in the autocomplete menu now fills it into your prompt instead of running it immediately; press Enter to run
  • Remote Control now shows as a persistent footer pill (with a link to the session) instead of a startup message
  • Renamed Windsurf to Devin Desktop in the /ide menu, /terminal-setup, and /scroll-speed, following the editor's rebrand
  • Fixed a silent startup hang when the config directory is read-only or unwritable — Claude Code now starts with in-memory config and surfaces startup errors instead of showing a blank screen
  • Fixed WebFetch permission rules not being applied to built-in preapproved domains; explicit WebFetch(domain:...) deny/ask/allow rules now take precedence over the preapproved-host auto-allow
  • Fixed Windows permission rules never matching when spelled with backslashes (~\, \\server\share) or case-variant paths, and Read deny rules not hiding files from Glob/Grep results
  • Fixed an interrupt (Esc) sent at the very start of a turn being silently dropped in stream-json/SDK sessions, leaving the turn running with no "Interrupted" feedback
  • Fixed API 400 no low surrogate in string errors for classifier side-queries and MCP server descriptions containing emoji near a truncation boundary
  • Fixed MCP per-server timeout config values below 1000 ms being floored to a 1-second watchdog that aborted every tool call; sub-1000 ms values are now ignored (falling back to MCP_TOOL_TIMEOUT or default), and claude mcp get annotates them accordingly
  • Fixed the LSP tool's workspaceSymbol operation returning no results; it now accepts a query parameter and passes it to the language server
  • Fixed claude agents cutting live status text (tool args, replies, prompts, exec output) at 60–120 columns on wide terminals; the status detail now uses the full terminal width
  • Fixed claude agents truncating long session names at 40 columns; the name column now grows with terminal width
  • Fixed claude agents attach occasionally bouncing straight back to the session list on the first try after a background-service restart
  • Fixed claude agents Ctrl+V image paste doing nothing in the dispatch input and the session reply box; pasting with no image now shows a hint
  • Fixed backgrounding a session with ← silently losing the conversation when the background service cannot start; the session stays in the list as a failed row you can wake with Enter
  • Fixed replies from the agents view that fail to send being lost; they are now queued for delivery on the next session start
  • Fixed cross-session messaging (SendMessage) silently breaking when CLAUDE_CODE_TMPDIR or $TMPDIR points at a deep directory
  • Fixed opening a running background session from claude agents stalling for 5 seconds before attaching
  • Quieter startup: notices group by severity, and session info and announcements share a single line per launch
  • Startup warnings rewritten to be shorter and clearer, each with a concrete fix

... (truncated)

Commits
  • d1e1742 chore: Update CHANGELOG.md and feed.xml
  • b67fa4f chore: Update CHANGELOG.md and feed.xml
  • 625c04c chore: Update CHANGELOG.md and feed.xml
  • bdb04fc chore: Update CHANGELOG.md and feed.xml
  • 8bae02d chore: Update CHANGELOG.md and feed.xml
  • 295dee8 chore: Update CHANGELOG.md and feed.xml
  • 8d0fbf4 chore: Update CHANGELOG.md and feed.xml
  • 2d5c3c6 chore: Update CHANGELOG.md and feed.xml
  • 1696f22 chore: Update CHANGELOG.md and feed.xml
  • 3bb4455 chore: Update CHANGELOG.md and feed.xml
  • Additional commits viewable in compare view
Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

- packageManager: pnpm@11.0.8 → pnpm@11.1.2.
- 4 registry pins rewritten across 4 workflow files (target: b5b9f01d).
…rides

Cascade socket-wheelhouse@8d2bf2a's catalog rename.

- pnpm-workspace.yaml: -stable catalog keys dropped; canonical names
  with bare-version pins added; overrides block redirects the four
  Socket-published canonical names to `catalog:`. The override
  defeats accidental local-checkout resolution from sibling repos.
- All package.json catalog: refs migrated from -stable to canonical
- All TS/JS imports migrated from -stable to canonical
- Hook packages, scripts, mock-client/, lib/env.ts shim, .claude/
  skills doc + .claude/hooks/* updated in lockstep

`pnpm install` passes; the rename is a string-level migration with
no semantic change to dependency resolution (same npm-pinned
versions, just consumed under their canonical names).
- scripts/paths.mts: cascaded from socket-wheelhouse
- scripts/utils/interactive-runner.mts: suppress no-process-cwd
  inline on the caller-overridable cwd default
- scripts/bump.mts:
  - step: rewritten as two-call form (empty log + msg) instead of
    `\n${msg}` literal
  - move existing no-status-emoji suppression to the correct line
    (was on logger.error(''), should be on logger.success(...✓...))
- scripts/publish.mts: same step-helper rewrite as bump.mts
- scripts/clean.mts: suppress prefer-node-modules-dot-cache inline
  on the **/.cache deletion-target glob
- .config/esbuild/shorten-paths.mts: suppress no-logger-newline-
  literal on the multi-line path-conflict diagnostic

`pnpm run check --all` passes 0 errors.
…e fix

Cascade from socket-wheelhouse@c97a365. Three changes land together:

  1. overeager-staging-guard, private-name-guard, public-surface-
     reminder: hook directories materialized (.claude/hooks/<name>/
     index.mts + package.json + tsconfig.json + test/*.test.mts;
     two also include their README). Previously declared in
     .claude/settings.json but the directories weren't on disk —
     every PreToolUse(Bash) invocation logged a cjs/loader:1505
     module-not-found error.

  2. setup-security-tools/lib/api-token.mts: module-scope cache
     memoizes the first lookup, eliminating repeated macOS Keychain
     ACL prompts within a single hook chain. First successful keychain
     read also propagates to process.env.SOCKET_API_TOKEN so spawned
     children inherit the value.

  3. setup-security-tools/lib/token-storage.mts: reads only the
     canonical SOCKET_API_TOKEN slot now; the legacy SOCKET_API_KEY
     mirror is write-only (preserves the on-disk compat entry but
     stops doubling the keychain prompt count).

Plus whatever other content drift the cascade detected (oxlint plugin
rules, setup-security-tools content, etc.) — see the diff.
…CKET_API_KEY

Cascade from socket-wheelhouse@e4f3ec8.

`findApiToken()` now populates BOTH `SOCKET_API_TOKEN` and
`SOCKET_API_KEY` in `process.env` after the first successful
resolution. Previously only the canonical name was propagated, so
spawned children that resolve the legacy name fell through to their
own keychain read — every fall-through on macOS being a fresh
Keychain ACL check (potential password prompt).

Mirrors the WRITE_SLOTS shape in token-storage.mts (writes paint
both, reads only the canonical). The env mirror is the in-process
equivalent of the disk-side mirror.

Idempotent: an already-set env value is left alone, so a user
explicitly setting `SOCKET_API_KEY=<different-value>` (e.g. to test
a legacy consumer with a different token) isn't clobbered by a
keychain read of `SOCKET_API_TOKEN`.
Cascade from socket-wheelhouse@daada11. Two managed blocks land
together:

  - `.gitignore`: fleet-canonical block adopted. Project-specific
    ignores stay outside the BEGIN/END markers; the cascaded
    surgical `.claude/` excludes + universal noise patterns live
    inside. Future updates flow through
    `scripts/sync-scaffolding/checks/gitignore-fleet-block.mts`.

  - `.gitattributes`: fleet-canonical block re-synced from the
    wheelhouse manifest (sorting / listing drift from previous
    cascades).
…w-uses-comment-guard, README

Cascade from socket-wheelhouse@3c55c23 (which includes 92cd3e3 +
82ac1b7 + this session's structural improvements).

## What this brings

### New shared modules in .claude/hooks/_shared/

  - `payload.mts` — canonical `ToolCallPayload` + `ToolInput` types,
    plus `readCommand` / `readFilePath` / `readWriteContent`
    narrowing helpers. Replaces 7 hand-rolled `tool_input` type
    variants previously duplicated across hooks. New hook authors
    import these instead of re-declaring.

  - `hook-env.mts` — `isHookDisabled(slug)` and `hookLog(slug, ...)`.
    Standardizes the `SOCKET_<UPPER_SLUG>_DISABLED` env-var
    convention (which only 15 of 47 hooks supported by hand) plus
    the `[<slug>] <line>` stderr prefix shape.

  - `README.md` — refreshed with the full module catalog (8 modules,
    not just the 1 the previous README listed) plus a "When to reach
    for what" quick-reference for new hook authors.

### workflow-uses-comment-guard registered

The hook directory existed in `template/.claude/hooks/workflow-uses-
comment-guard/` but was orphaned — not in any manifest list, not
wired into settings.json. Cascade now installs the hook directory
+ registers it as a PreToolUse(Edit|Write) hook. Companion to the
existing `workflow-uses-comment` check (write-time prevention here;
audit-time repair there).

### Other content drift carried forward

Auto-cascaded content drift from the wheelhouse's `92cd3e3` commit
(-stable catalog alias restoration) and the test-fixture updates
landed in `82ac1b7`. See the file diffs.
Cascade socket-wheelhouse@92cd3e3's fix into socket-sdk-js.

pnpm overrides can't redirect a package's own name from inside the
same package — Node ESM resolves it as a self-reference. The 4
Socket-published packages each need a SECOND name
(`<canonical>-stable`) aliased via `npm:` to the published version
so build/script/hook/config code resolves to the published catalog
version regardless of where the importing file lives.

Updates infra files to import via `-stable` names. Adds the 4
`-stable` aliases to pnpm-workspace.yaml catalog and root
package.json devDependencies.

Verified: pnpm install + pnpm build pass.
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
4 file(s) touched:
  - .claude/hooks/_shared/stop-reminder.mts
  - .claude/hooks/excuse-detector/index.mts
  - .claude/hooks/excuse-detector/test/index.test.mts
  - scripts/validate-bundle-deps.mts
…script

The audit script passes encoding: 'utf8' to spawnSync, but
@socketsecurity/lib-stable's SpawnSyncOptions omits 'encoding'
(its default 'stdioString: true' is the lib-stable equivalent). The
cascade to -stable imports exposed this type incompatibility.

This script doesn't need the lib's spinner/error wrappers — it's a
plain audit that captures CLI stdout. Switching to node:child_process
keeps the native semantics (encoding option, .status field, sync
return shape) the rest of the script already assumes.

Also drops two never-used identifiers (writeFileSync, isLinux helper)
flagged by TS6133.

Canonical fix lands in socket-wheelhouse/template/scripts/check-prompt-less-setup.mts;
cascade to socket-lib / socket-registry / socket-cli / socket-packageurl-js
follows.
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
2 file(s) touched:
  - scripts/test/install-git-hooks.test.mts
  - scripts/validate-bundle-deps.mts
…bundle-deps

noUncheckedIndexedAccess flags arr[i] inside for-loops bounded by length
even though the bound guarantees i < length. Add ! assertions to match
the fleet-wide cached-loop idiom already used elsewhere in the file.
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
3 file(s) touched:
  - .claude/hooks/excuse-detector/test/index.test.mts
  - scripts/test/install-git-hooks.test.mts
  - scripts/validate-bundle-deps.mts
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
4 file(s) touched:
  - .claude/hooks/_shared/stop-reminder.mts
  - .claude/hooks/_shared/transcript.mts
  - .claude/hooks/excuse-detector/index.mts
  - .claude/hooks/excuse-detector/test/index.test.mts
…undle-deps TS18048

Two coupled changes that the pre-commit type-check requires together:

1. .config/oxfmtrc.json + .config/oxlintrc.json + .gitattributes — cascade
   from socket-wheelhouse 7c042ab; marks scripts/ helpers as fleet-canonical
   generated artifacts (skipped by oxfmt/oxlint, shown as generated in
   GitHub blame).

2. scripts/validate-bundle-deps.mts — non-null-assert bounded-loop indexed
   reads. noUncheckedIndexedAccess flags arr[i] inside for-loops bounded by
   length even though the bound guarantees i < length. The eslint-disable
   no-shadow comment at the top of the file is intentional (cached-length
   idiom) and is preserved.
…eelhouse

oxlint-plugin/{lib,rules,test} — oxfmt reformat pass (line-wrap to 80).
socket-wheelhouse-schema.json — drop the 'schemaVersion' required-field
constraint to allow lighter per-repo configs.
Restore multi-line JSON 'required' arrays to match the canonical
template at socket-wheelhouse/template/.config/socket-wheelhouse-schema.json.
Downstream oxfmt collapsed them to single-line; wheelhouse is source of
truth per the drift-watch rule.
… match template

Pairs with socket-wheelhouse 8f1cd39 — the template was reformatted with
oxfmt, which collapsed short arrays to single-line. Bring downstream in
line so the next sync pass is a no-op.
Cascade from socket-wheelhouse 9cfd3d1. Adds the schema to oxfmt's
ignorePatterns so it stops fighting the canonical form in cascade
loops. Also alphanumerically sorts the top-level 'required' array
([layout, native, repoName, schemaVersion]) per fleet convention.
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
17 file(s) touched:
  - .config/oxlint-plugin/index.mts
  - .config/oxlint-plugin/lib/rule-tester.mts
  - .config/oxlint-plugin/rules/no-logger-newline-literal.mts
  - .config/oxlint-plugin/rules/no-process-cwd-in-scripts-hooks.mts
  - .config/oxlint-plugin/rules/prefer-node-modules-dot-cache.mts
  - .config/oxlint-plugin/test/export-top-level-functions.test.mts
  - .config/oxlint-plugin/test/inclusive-language.test.mts
  - .config/oxlint-plugin/test/no-logger-newline-literal.test.mts
  - .config/oxlint-plugin/test/no-placeholders.test.mts
  - .config/oxlint-plugin/test/no-promise-race.test.mts
  - .config/oxlint-plugin/test/personal-path-placeholders.test.mts
  - .config/oxlint-plugin/test/prefer-async-spawn.test.mts
  - .config/oxlint-plugin/test/prefer-node-builtin-imports.test.mts
  - .config/oxlint-plugin/test/prefer-safe-delete.test.mts
  - .config/oxlint-plugin/test/prefer-static-type-import.test.mts
  - .config/oxlint-plugin/test/sort-source-methods.test.mts
  - scripts/validate-bundle-deps.mts
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
2 file(s) touched:
  - .claude/hooks/excuse-detector/index.mts
  - .claude/hooks/excuse-detector/test/index.test.mts
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
2 file(s) touched:
  - .config/oxlint-plugin/rules/no-cached-for-on-iterable.mts
  - .config/oxlint-plugin/test/no-cached-for-on-iterable.test.mts
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
4 file(s) touched:
  - .config/oxlint-plugin/lib/iterable-kind.mts
  - .config/oxlint-plugin/rules/no-cached-for-on-iterable.mts
  - .config/oxlint-plugin/rules/prefer-cached-for-loop.mts
  - scripts/validate-bundle-deps.mts
Auto-applied by socket-wheelhouse sync-scaffolding.
- New hook: .claude/hooks/dont-blame-user-reminder.
- New doc: docs/claude.md/fleet/pull-request-target.md.
- CLAUDE.md fleet block: condensed Public-surface hygiene, added the
  dont-blame-user rule under 'Fix it, don't defer'.
- oxlint-plugin: new no-cached-for-on-iterable rule + tests, plus a
  refreshed excuse-detector + check-paths/allowlist + prefer-static-
  type-import.
- scripts/check-paths/allowlist.mts: '!' on bounded indexed access.
- scripts/validate-bundle-deps.mts (where present): same '!' pattern.
…aders

socket/prefer-static-type-import findings:
  - test/unit/socket-sdk-coverage-gaps.test.mts: 2× HttpResponse
  - scripts/test.mts: 1× ChildProcess

Static import-type headers read better, deduplicate the module
path across multiple inline uses, and are deterministically
sortable by socket/sort-named-imports.

Pre-commit lint/test skipped via DISABLE_PRECOMMIT_* (SOCKET_API_KEY
401 issue, user-authorized via 'Allow lint bypass').
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
4 file(s) touched:
  - .config/oxlint-plugin/lib/iterable-kind.mts
  - .config/oxlint-plugin/rules/no-cached-for-on-iterable.mts
  - .config/oxlint-plugin/rules/prefer-cached-for-loop.mts
  - .config/oxlint-plugin/test/no-cached-for-on-iterable.test.mts
The pnpm 11.1.2 cascade landed in external-tools.json (CI downloads
11.1.2) but the root packageManager field was still pinned at 11.0.8.
pnpm refuses to run with:

  [ERROR] This project is configured to use 11.0.8 of pnpm. Your
  current pnpm is v11.1.2

Bring packageManager in line with the installed binary.
Auto-applied by socket-wheelhouse sync-scaffolding.
- 11 hook test files: drop stale '// @ts-expect-error - node:test types'
  directives (TS2578 Unused).
- excuse-detector test: bracket-access payload['stop_hook_active'].
- overeager-staging-guard: drop unused payload param from getRepoDir().
- no-logger-newline-literal: drop unused 'newFirst' local.
John-David Dalton (jdalton) and others added 20 commits June 9, 2026 11:57
Bump the SocketDev/socket-registry reusable ci.yml pin to 4069dfc8, the
restored reusable workflow whose setup-and-install caches the pnpm
store. CI install is now warm on every job + matrix cell.
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
568 file(s) touched:
  - .claude/hooks/fleet/_shared/acorn/acorn-bindgen.cjs
  - .claude/hooks/fleet/_shared/acorn/acorn.wasm
  - .claude/hooks/fleet/_shared/cdn-allowlist.mts
  - .claude/hooks/fleet/_shared/commit-command.mts
  - .claude/hooks/fleet/_shared/dated-citation.mts
  - .claude/hooks/fleet/_shared/foreign-paths.mts
  - .claude/hooks/fleet/_shared/git-identity.mts
  - .claude/hooks/fleet/_shared/package-manager-auto-update.mts
  - .claude/hooks/fleet/_shared/test/git-identity.test.mts
  - .claude/hooks/fleet/_shared/token-patterns.mts
  - .claude/hooks/fleet/_shared/transcript.mts
  - .claude/hooks/fleet/alpha-sort-reminder/README.md
  - .claude/hooks/fleet/alpha-sort-reminder/index.mts
  - .claude/hooks/fleet/broken-hook-detector/README.md
  - .claude/hooks/fleet/broken-hook-detector/index.mts
  - .claude/hooks/fleet/broken-hook-detector/test/index.test.mts
  - .claude/hooks/fleet/c8-ignore-reason-guard/README.md
  - .claude/hooks/fleet/c8-ignore-reason-guard/index.mts
  - .claude/hooks/fleet/cascade-first-triage-reminder/README.md
  - .claude/hooks/fleet/cascade-first-triage-reminder/index.mts
  ... and 548 more
The docs/claude.md→docs/agents.md cascade moved the canonical tiers; the
repo-owned repo/ tier survives the narrowed tombstone and is migrated
here with git mv.
Repoint the Project-Specific architecture link to docs/agents.md/repo;
trim the redundant inline coverage thresholds (they live in the cover
config) to bring CLAUDE.md back under the 40KB cap.
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
192 file(s) touched:
  - .claude/hooks/fleet/_shared/payload.mts
  - .claude/hooks/fleet/memory-discovery-reminder/README.md
  - .claude/hooks/fleet/memory-discovery-reminder/index.mts
  - .claude/hooks/fleet/memory-discovery-reminder/test/index.test.mts
  - .claude/hooks/fleet/no-premature-commit-kill-guard/README.md
  - .claude/hooks/fleet/no-premature-commit-kill-guard/index.mts
  - .claude/hooks/fleet/no-premature-commit-kill-guard/package.json
  - .claude/hooks/fleet/no-premature-commit-kill-guard/test/index.test.mts
  - .claude/hooks/fleet/no-premature-commit-kill-guard/tsconfig.json
  - .claude/hooks/fleet/no-unisolated-git-fixture-guard/index.mts
  - .claude/hooks/fleet/no-unisolated-git-fixture-guard/test/index.test.mts
  - .claude/settings.json
  - .claude/skills/fleet/managing-worktrees/SKILL.md
  - .config/fleet/oxlint-plugin/_shared/inject-import.mts
  - .config/fleet/oxlint-plugin/index.mts
  - .config/fleet/oxlint-plugin/lib/comment-checks.mts
  - .config/fleet/oxlint-plugin/lib/comment-markers.mts
  - .config/fleet/oxlint-plugin/lib/comparators.mts
  - .config/fleet/oxlint-plugin/lib/detect-source-type.mts
  - .config/fleet/oxlint-plugin/lib/fleet-paths.mts
  ... and 172 more
Auto-applied by socket-wheelhouse sync-scaffolding into cascade-socket-sdk-js-36260.
149 file(s) touched:
  - .claude/commands/fleet/update-hooks-dry.md
  - .claude/hooks/fleet/_shared/public-surfaces.mts
  - .claude/hooks/fleet/_shared/unbacked-claims.mts
  - .claude/hooks/fleet/ai-config-drift-reminder/index.mts
  - .claude/hooks/fleet/alpha-sort-reminder/index.mts
  - .claude/hooks/fleet/changelog-no-empty-guard/index.mts
  - .claude/hooks/fleet/claude-md-rule-add-guard/README.md
  - .claude/hooks/fleet/claude-md-rule-add-guard/index.mts
  - .claude/hooks/fleet/claude-md-rule-add-guard/package.json
  - .claude/hooks/fleet/claude-md-rule-add-guard/test/index.test.mts
  - .claude/hooks/fleet/claude-md-rule-add-guard/tsconfig.json
  - .claude/hooks/fleet/copy-on-select-hint-reminder/test/index.test.mts
  - .claude/hooks/fleet/dated-citation-guard/README.md
  - .claude/hooks/fleet/dated-citation-guard/index.mts
  - .claude/hooks/fleet/dated-citation-guard/package.json
  - .claude/hooks/fleet/dated-citation-guard/test/index.test.mts
  - .claude/hooks/fleet/dated-citation-guard/tsconfig.json
  - .claude/hooks/fleet/dated-citation-reminder/README.md
  - .claude/hooks/fleet/dirty-lockfile-reminder/index.mts
  - .claude/hooks/fleet/dirty-worktree-stop-guard/index.mts
  ... and 129 more
getFullScan and getDiffScanById now request cached=true and poll until the
result is ready, so callers receive the finished scan instead of an
intermediate processing response. Both gain an options object; pass
{ cached: false } to recompute on demand. Adds a pollIntervalMs client option
and a shared pollCachedScan helper.
Export ChunkedManifest, ApiRequirement, and Requirements interfaces.
Replace toSorted (unsafe on the Node 18.20.8 engine floor) with in-place
sort on already-copied arrays. Add explanatory comments to two complex
regexes. Rename the bump.mts size-marker category off the banned
"legitimate" filler word.
The soft-band file-size exemption marker no longer suppresses the cap,
so split each file over 500 lines along cohesive seams: test suites by
describe group into sibling files, and the two codegen scripts into
helper modules. Regenerate docs/api.md for the new getFullScan and
getDiffScanById options parameters.
The strict types had drifted from types/api.d.ts. Regenerate to resync
the repository integration_meta shape. The OpenAPI source emits nested
optional properties without an explicit undefined, which trips
socket/optional-explicit-undefined, so the generator now runs the lint
autofix before formatting and stays clean on every regeneration.
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
88 file(s) touched:
  - .claude/commands/fleet/green-ci-local.md
  - .claude/commands/fleet/researching-recency.md
  - .claude/hooks/fleet/_shared/brew-supply-chain.mts
  - .claude/hooks/fleet/_shared/sparkle-auto-update.mts
  - .claude/hooks/fleet/_shared/token-patterns.mts
  - .claude/hooks/fleet/_shared/uv-config.mts
  - .claude/hooks/fleet/brew-supply-chain-guard/README.md
  - .claude/hooks/fleet/brew-supply-chain-guard/index.mts
  - .claude/hooks/fleet/brew-supply-chain-guard/package.json
  - .claude/hooks/fleet/brew-supply-chain-guard/test/index.test.mts
  - .claude/hooks/fleet/brew-supply-chain-guard/tsconfig.json
  - .claude/hooks/fleet/claude-md-section-size-guard/README.md
  - .claude/hooks/fleet/claude-md-section-size-guard/index.mts
  - .claude/hooks/fleet/claude-md-section-size-guard/test/index.test.mts
  - .claude/hooks/fleet/markdown-filename-guard/index.mts
  - .claude/hooks/fleet/markdown-filename-guard/test/index.test.mts
  - .claude/hooks/fleet/setup-security-tools/install.mts
  - .claude/hooks/fleet/setup-security-tools/lib/operator-prompts.mts
  - .claude/hooks/fleet/setup-security-tools/lib/shell-rc-bridge.mts
  - .claude/hooks/fleet/setup-security-tools/test/shell-rc-bridge.test.mts
  ... and 68 more
The cascade activated socket/options-null-proto and
socket/require-vitest-globals-import. Normalize options with a
null-prototype spread before access in three modules, and mark the
describeRetry local alias (not a vitest global) exempt from the
globals-import rule in the retry suites.
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
130 file(s) touched:
  - .claude/hooks/fleet/_shared/npmrc-trust.mts
  - .claude/hooks/fleet/_shared/trust-gates.mts
  - .claude/hooks/fleet/land-fast-reminder/README.md
  - .claude/hooks/fleet/land-fast-reminder/index.mts
  - .claude/hooks/fleet/land-fast-reminder/package.json
  - .claude/hooks/fleet/land-fast-reminder/test/land-fast-reminder.test.mts
  - .claude/hooks/fleet/land-fast-reminder/tsconfig.json
  - .claude/hooks/fleet/no-other-linters-guard/README.md
  - .claude/hooks/fleet/no-other-linters-guard/index.mts
  - .claude/hooks/fleet/no-other-linters-guard/package.json
  - .claude/hooks/fleet/no-other-linters-guard/test/index.test.mts
  - .claude/hooks/fleet/no-other-linters-guard/tsconfig.json
  - .claude/hooks/fleet/npmrc-trust-optout-guard/README.md
  - .claude/hooks/fleet/npmrc-trust-optout-guard/index.mts
  - .claude/hooks/fleet/npmrc-trust-optout-guard/package.json
  - .claude/hooks/fleet/npmrc-trust-optout-guard/test/index.test.mts
  - .claude/hooks/fleet/npmrc-trust-optout-guard/tsconfig.json
  - .claude/hooks/fleet/options-param-naming-guard/README.md
  - .claude/hooks/fleet/options-param-naming-guard/index.mts
  - .claude/hooks/fleet/options-param-naming-guard/package.json
  ... and 110 more
Auto-applied by socket-wheelhouse sync-scaffolding into cascade-socket-sdk-js-3482.
154 file(s) touched:
  - .agents/skills/fleet-agent-ci/SKILL.md
  - .agents/skills/fleet-agent-ci/reference.md
  - .agents/skills/fleet-auditing-api-surface/SKILL.md
  - .agents/skills/fleet-auditing-api-surface/lib/audit-api-surface.mts
  - .agents/skills/fleet-auditing-gha/SKILL.md
  - .agents/skills/fleet-auditing-gha/run.mts
  - .agents/skills/fleet-cascading-fleet/SKILL.md
  - .agents/skills/fleet-cascading-fleet/lib/cascade-template.mts
  - .agents/skills/fleet-cascading-fleet/lib/cascade-tool-pins.mts
  - .agents/skills/fleet-cascading-fleet/lib/fleet-repos.json
  - .agents/skills/fleet-cascading-fleet/lib/fleet-repos.txt
  - .agents/skills/fleet-cascading-fleet/lib/reconcile-lockfiles.mts
  - .agents/skills/fleet-cleaning-ci/SKILL.md
  - .agents/skills/fleet-cleaning-ci/lib/clean-ci.mts
  - .agents/skills/fleet-codifying-disciplines/SKILL.md
  - .agents/skills/fleet-driving-cursor-bugbot/SKILL.md
  - .agents/skills/fleet-driving-cursor-bugbot/reference.md
  - .agents/skills/fleet-greening-ci-local/SKILL.md
  - .agents/skills/fleet-greening-ci/SKILL.md
  - .agents/skills/fleet-greening-ci/run.mts
  ... and 134 more
Auto-applied by socket-wheelhouse sync-scaffolding into socket-sdk-js.
69 file(s) touched:
  - .agents/skills/fleet-auditing-api-surface/SKILL.md
  - .agents/skills/fleet-prose/SKILL.md
  - .agents/skills/fleet-prose/references/conversational.md
  - .agents/skills/fleet-updating-pricing/SKILL.md
  - .agents/skills/fleet-updating/SKILL.md
  - .claude/commands/fleet/update-pricing.md
  - .claude/hooks/fleet/clone-reviewed-repo-nudge/README.md
  - .claude/hooks/fleet/clone-reviewed-repo-nudge/detect.mts
  - .claude/hooks/fleet/clone-reviewed-repo-nudge/index.mts
  - .claude/hooks/fleet/clone-reviewed-repo-nudge/package.json
  - .claude/hooks/fleet/clone-reviewed-repo-nudge/test/index.test.mts
  - .claude/hooks/fleet/clone-reviewed-repo-nudge/tsconfig.json
  - .claude/hooks/fleet/markdown-filename-guard/index.mts
  - .claude/hooks/fleet/markdown-filename-guard/test/index.test.mts
  - .claude/hooks/fleet/no-corepack-guard/README.md
  - .claude/hooks/fleet/no-corepack-guard/index.mts
  - .claude/hooks/fleet/no-corepack-guard/package.json
  - .claude/hooks/fleet/no-corepack-guard/test/index.test.mts
  - .claude/hooks/fleet/no-corepack-guard/tsconfig.json
  - .claude/hooks/fleet/no-premature-commit-kill-guard/index.mts
  ... and 49 more
Bumps [@anthropic-ai/claude-code](https://github.com/anthropics/claude-code) from 2.1.92 to 2.1.163.
- [Release notes](https://github.com/anthropics/claude-code/releases)
- [Changelog](https://github.com/anthropics/claude-code/blob/main/CHANGELOG.md)
- [Commits](anthropics/claude-code@v2.1.92...v2.1.163)

---
updated-dependencies:
- dependency-name: "@anthropic-ai/claude-code"
  dependency-version: 2.1.163
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 20, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Added@​anthropic-ai/​claude-code@​2.1.163711008510070
Added@​socketsecurity/​lib@​6.0.8100100100100100

View full report

@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Dependabot can't resolve your JavaScript dependency files. Because of this, Dependabot cannot update this pull request.

@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Looks like @anthropic-ai/claude-code is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 6, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/anthropic-ai/claude-code-2.1.163 branch July 6, 2026 02:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Development

Successfully merging this pull request may close these issues.

1 participant