chore(deps): bump @socketsecurity/lib to 5.21.0

Catalog bump from 5.20.1 to 5.21.0 plus the caller-side migrations
needed for the new API surface:

- pnpm-workspace.yaml catalog: 5.20.1 → 5.21.0
- packageManager + engines.pnpm: 11.0.0-rc.0 → 11.0.0-rc.2 to match
  the rest of the fleet

Migrations for 5.21.0 changes:

1. `printFooter` moved out of `@socketsecurity/lib/stdio/header` —
   it was a latent wrong-path import that lib's loose subpath
   exports hid on 5.18.2. Now imported from
   `@socketsecurity/lib/stdio/footer` in scripts/check.mts and
   scripts/type.mts.

2. `StdioOptions` strictening via `SpawnExtra = Record<string,
   unknown>` — `spawnExtra?.['stdio']` is `unknown`, not assignable
   to `StdioOptions`. Cast to `StdioOptions | undefined` at the
   9 call sites in utils/dlx/spawn.mts and utils/coana/spawn.mts.
   Also switched `||` → `??` so an empty-string stdio (not a real
   value, but TypeScript-possible) doesn't silently fall through.

3. `IpcHandshake` / `IpcMessage` types removed from
   `@socketsecurity/lib/ipc`. The cli validator re-derives these
   shapes structurally anyway — define them locally in
   utils/validation/ipc.mts alongside the validators.

4. `sendBootstrapHandshake`'s parameter requires a non-optional
   `send` method, but `ChildProcess.send` is optional. Add a
   runtime typeof-guard with a clear TypeError before the call
   (we always spawn with an IPC channel; the guard just narrows
   for the type system).

Lint + typecheck clean. Pre-existing check-new-deps hook test
failures on main are unrelated to this bump.

Author: jdalton

package.json

@@ -1,11 +1,11 @@
 {
   "name": "socket-cli-monorepo",
   "version": "0.0.0",
-  "packageManager": "pnpm@11.0.0-rc.0",
+  "packageManager": "pnpm@11.0.0-rc.2",
   "private": true,
   "engines": {
     "node": ">=25.9.0",
-    "pnpm": ">=11.0.0-rc.0"
+    "pnpm": ">=11.0.0-rc.2"
   },
   "scripts": {
     "// Build": "",

packages/cli/src/utils/coana/spawn.mts

@@ -12,6 +12,7 @@ import { spawnNode } from '../spawn/spawn-node.mjs'
 
 import type { IpcObject } from '../ipc.mts'
 import type { CResult } from '../../types.mjs'
+import type { StdioOptions } from 'node:child_process'
 import type { SpawnExtra, SpawnOptions } from '@socketsecurity/lib/spawn'
 
 export type CoanaSpawnOptions = SpawnOptions & {
@@ -70,7 +71,8 @@ export async function spawnCoana(
             ...mixinsEnv,
             ...spawnEnv,
           },
-          stdio: spawnExtra?.['stdio'] || 'inherit',
+          stdio:
+            (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
         },
       )
 

packages/cli/src/utils/dlx/spawn.mts

@@ -69,6 +69,7 @@ import { getDefaultApiToken, getDefaultProxyUrl } from '../socket/sdk.mjs'
 import type { IpcObject } from '../ipc.mts'
 import type { CResult } from '../../types.mjs'
 import type { ExternalTool } from './vfs-extract.mjs'
+import type { StdioOptions } from 'node:child_process'
 import type {
   SpawnExtra,
   SpawnOptions,
@@ -390,7 +391,7 @@ export async function spawnCoanaDlx(
       const spawnPromise = spawn(spawnCommand, spawnArgs, {
         ...dlxOptions,
         env: finalEnv,
-        stdio: spawnExtra?.['stdio'] || 'inherit',
+        stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
       })
 
       const output = await spawnPromise
@@ -469,7 +470,7 @@ export async function spawnCdxgenDlx(
         ...process.env,
         ...spawnEnv,
       },
-      stdio: spawnExtra?.['stdio'] || 'inherit',
+      stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
     })
 
     return {
@@ -519,7 +520,7 @@ export async function spawnSfwDlx(
         ...process.env,
         ...spawnEnv,
       },
-      stdio: spawnExtra?.['stdio'] || 'inherit',
+      stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
     })
 
     return {
@@ -572,7 +573,7 @@ export async function spawnSocketPatchDlx(
         ...process.env,
         ...spawnEnv,
       },
-      stdio: spawnExtra?.['stdio'] || 'inherit',
+      stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
     })
 
     return {
@@ -590,7 +591,7 @@ export async function spawnSocketPatchDlx(
         ...process.env,
         ...spawnEnv,
       },
-      stdio: spawnExtra?.['stdio'] || 'inherit',
+      stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
     })
 
     return {
@@ -672,7 +673,7 @@ async function spawnToolVfs(
       ...process.env,
       ...spawnEnv,
     },
-    stdio: spawnExtra?.['stdio'] || 'inherit',
+    stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
   })
 
   return {
@@ -1657,7 +1658,7 @@ async function spawnTrivyDlx(
       ...process.env,
       ...spawnEnv,
     },
-    stdio: spawnExtra?.['stdio'] || 'inherit',
+    stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
   })
 
   return {
@@ -1719,7 +1720,7 @@ async function spawnTrufflehogDlx(
       ...process.env,
       ...spawnEnv,
     },
-    stdio: spawnExtra?.['stdio'] || 'inherit',
+    stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
   })
 
   return {
@@ -1781,7 +1782,7 @@ async function spawnOpengrepDlx(
       ...process.env,
       ...spawnEnv,
     },
-    stdio: spawnExtra?.['stdio'] || 'inherit',
+    stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
   })
 
   return {

packages/cli/src/utils/spawn/spawn-node.mts

@@ -117,8 +117,13 @@ export function spawnNode(
     extra,
   )
 
+  if (typeof spawnResult.process.send !== 'function') {
+    throw new TypeError(
+      'spawn-node: expected IPC channel on child process (send is undefined)',
+    )
+  }
   sendBootstrapHandshake(
-    spawnResult.process,
+    spawnResult.process as { send: (message: unknown) => void },
     // Always send IPC handshake with bootstrap indicators + custom data.
     {
       subprocess: true,

packages/cli/src/utils/validation/ipc.mts

@@ -7,7 +7,23 @@
 
 import { randomBytes } from 'node:crypto'
 
-import type { IpcHandshake, IpcMessage, IpcStub } from '@socketsecurity/lib/ipc'
+import type { IpcStub } from '@socketsecurity/lib/ipc'
+
+export interface IpcMessage<T = unknown> {
+  id: string
+  timestamp: number
+  type: string
+  data: T
+}
+
+export interface IpcHandshake extends IpcMessage<{
+  version: string
+  pid: number
+  appName: string
+  apiToken?: string | undefined
+}> {
+  type: 'handshake'
+}
 
 /**
  * Check if a value is a valid IPC message.

pnpm-lock.yaml

@@ -42,7 +42,7 @@ catalog:
   '@socketregistry/packageurl-js': 1.4.2
   '@socketregistry/yocto-spinner': 1.0.25
   '@socketsecurity/config': 3.0.1
-  '@socketsecurity/lib': 5.20.1
+  '@socketsecurity/lib': 5.21.0
   '@socketsecurity/registry': 2.0.2
   '@socketsecurity/sdk': 4.0.1
   '@types/adm-zip': 0.5.7

pnpm-workspace.yaml

@@ -14,7 +14,8 @@ import { WIN32 } from '@socketsecurity/lib/constants/platform'
 import { getChangedFiles, getStagedFiles } from '@socketsecurity/lib/git'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 import { spawn } from '@socketsecurity/lib/spawn'
-import { printFooter, printHeader } from '@socketsecurity/lib/stdio/header'
+import { printFooter } from '@socketsecurity/lib/stdio/footer'
+import { printHeader } from '@socketsecurity/lib/stdio/header'
 
 import {
   getAffectedPackages,

scripts/check.mts

@@ -12,7 +12,8 @@ import { parseArgs } from '@socketsecurity/lib/argv/parse'
 import { WIN32 } from '@socketsecurity/lib/constants/platform'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 import { spawn } from '@socketsecurity/lib/spawn'
-import { printFooter, printHeader } from '@socketsecurity/lib/stdio/header'
+import { printFooter } from '@socketsecurity/lib/stdio/footer'
+import { printHeader } from '@socketsecurity/lib/stdio/header'
 
 import { getPackagesWithScript } from './utils/monorepo-helper.mts'