Add check-new-deps hook#9

Open
John-David Dalton (jdalton) wants to merge 1 commit into main from add-claude-hooks

Conversation


@jdalton John-David Dalton (jdalton) commented Apr 13, 2026

Summary

Adds a Claude Code PreToolUse hook that checks new dependencies against the Socket.dev malware API before they're added to the project.

When Claude edits or writes a dependency manifest file, the hook:

  • Extracts newly-added dependencies from the edit
  • Sends them to sdk.checkMalware() as Package URLs (PURLs)
  • Blocks the edit (exit 2) if malware is detected
  • Allows the edit (exit 0) if clean or not a manifest file

Diff-aware: only checks deps added in the current edit, not pre-existing ones.

Files

  • .claude/hooks/check-new-deps/index.mts — hook script
  • .claude/hooks/check-new-deps/test/extract-deps.test.mts — unit + integration tests
  • .claude/hooks/check-new-deps/package.json — deps (@socketsecurity/sdk, @socketsecurity/lib, @socketregistry/packageurl-js)
  • .gitignore — updated to track .claude/hooks/

Supported manifest formats

npm, PyPI, Cargo, Go, Maven, RubyGems, NuGet, Composer

Setup

Add to .claude/settings.json:

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Edit|Write",
        "hooks": [
          {
            "type": "command",
            "command": "node .claude/hooks/check-new-deps/index.mts"
          }
        ]
      }
    ]
  }
}

Test plan

  • cd .claude/hooks/check-new-deps && npm install && npm test
  • Verify malware packages are blocked (bradleymeck test case)
  • Verify clean packages pass through (lodash, express, etc.)
  • Test with Claude Code by adding the hook to settings.json
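As an added illustration of the hook's flow described above (not the PR's own index.mts), here is a self-contained TypeScript sketch of the diff-aware step for npm manifests: it takes a PreToolUse payload for an Edit or Write, collects dependencies from the old and new sides of the edit, keeps only names absent from the old side, converts them to Package URLs, and maps the malware check to the exit codes the PR uses (2 blocks, 0 allows). The hook input shape (tool_name, tool_input.file_path, old_string/new_string for Edit, content for Write) is my understanding of Claude Code's PreToolUse JSON, and the malware checker is an injected stand-in with a constructed denylist rather than a call to sdk.checkMalware(), so the example runs offline.

```typescript
// Added example, not the PR's own code. Handles npm manifests only; the PR
// supports more ecosystems. Hook input field names are assumed from Claude
// Code's PreToolUse JSON; the malware checker stands in for sdk.checkMalware().
type ToolInput = {
  file_path: string;
  old_string?: string; // Edit: text being replaced
  new_string?: string; // Edit: replacement text
  content?: string;    // Write: full new file content
};
type HookInput = { tool_name: string; tool_input: ToolInput };
type MalwareChecker = (purls: string[]) => string[]; // returns the flagged subset

function isNpmManifest(filePath: string): boolean {
  return /(^|[\\/])package\.json$/.test(filePath);
}

// Collect name -> range from every dependencies-like section. An Edit's
// old_string/new_string is usually a fragment, not valid JSON, so fall back to
// a line-level `"name": "range"` regex for fragments (a heuristic: it would also
// pick up other quoted key/value pairs present in the fragment).
function collectDeps(text: string): Map<string, string> {
  const deps = new Map<string, string>();
  try {
    const json = JSON.parse(text) as Record<string, unknown>;
    for (const section of ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"]) {
      const block = json[section];
      if (block && typeof block === "object") {
        for (const name of Object.keys(block)) {
          deps.set(name, String((block as Record<string, unknown>)[name]));
        }
      }
    }
  } catch {
    const re = /"((?:@[\w.-]+\/)?[\w.-]+)"\s*:\s*"([^"]+)"/g;
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) deps.set(m[1], m[2]);
  }
  return deps;
}

// Diff-aware: a dependency is "new" only if its name is absent from the old side.
function newDeps(before: string, after: string): Array<[string, string]> {
  const old = collectDeps(before);
  const out: Array<[string, string]> = [];
  collectDeps(after).forEach((range, name) => {
    if (!old.has(name)) out.push([name, range]);
  });
  return out;
}

// Build a PURL. Scoped npm names put the scope in the namespace (with "@" as %40);
// a version is only attached when the range is a pinned semver version.
function toPurl(name: string, range: string): string {
  const pinned = /^\d+\.\d+\.\d+(?:[-+][\w.-]+)?$/.test(range) ? `@${range}` : "";
  if (name.startsWith("@")) {
    const [scope, pkg] = name.slice(1).split("/");
    return `pkg:npm/%40${scope}/${pkg}${pinned}`;
  }
  return `pkg:npm/${name}${pinned}`;
}

// For Write there is no old_string, so the caller passes the file's previous
// content (read from disk in a real hook; empty string if the file is new).
function extractNewPurls(input: HookInput, previousContent = ""): string[] {
  const t = input.tool_input;
  if (!isNpmManifest(t.file_path)) return [];
  const isEdit = input.tool_name === "Edit";
  const before = isEdit ? (t.old_string ?? "") : previousContent;
  const after = isEdit ? (t.new_string ?? "") : (t.content ?? "");
  return newDeps(before, after).map(([n, r]) => toPurl(n, r));
}

// Exit 2 blocks the tool call; exit 0 lets it through (clean or not a manifest).
function decide(input: HookInput, check: MalwareChecker, previousContent = ""): { exitCode: 0 | 2; flagged: string[] } {
  const purls = extractNewPurls(input, previousContent);
  if (purls.length === 0) return { exitCode: 0, flagged: [] };
  const flagged = check(purls);
  return { exitCode: flagged.length > 0 ? 2 : 0, flagged };
}

// Constructed stand-in for the malware API: a fixed denylist of PURLs.
const constructedDenylist = new Set(["pkg:npm/evil-pkg-example"]);
const denylistChecker: MalwareChecker = (purls) => purls.filter((p) => constructedDenylist.has(p));

// Constructed sample Edit: lodash already present, two names added.
const sampleEdit: HookInput = {
  tool_name: "Edit",
  tool_input: {
    file_path: "package.json",
    old_string: '"dependencies": {\n  "lodash": "^4.17.21"\n}',
    new_string: '"dependencies": {\n  "lodash": "^4.17.21",\n  "@acme/widget": "1.2.3",\n  "evil-pkg-example": "^1.0.0"\n}',
  },
};
console.log(decide(sampleEdit, denylistChecker));
```

In a real hook the payload comes from stdin, the checker awaits the SDK, and the process exits with the returned code after writing the flagged PURLs to stderr so Claude sees why the edit was refused.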

socket-security bot commented Apr 13, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                                   Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/@types/node@24.9.2                    100                    100            81       96           100
Added  npm/@socketregistry/packageurl-js@1.4.2   100                    100            100      100          100
Added  npm/@socketsecurity/lib@5.18.0            100                    100            100      100          100
Added  npm/@socketsecurity/sdk@4.0.0             100                    100            100      100          100

View full report

socket-security-staging bot commented Apr 13, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                                   Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/@types/node@24.9.2                    100                    100            81       96           100
Added  npm/@socketregistry/packageurl-js@1.4.2   100                    100            100      100          100
Added  npm/@socketsecurity/lib@5.18.0            100                    100            100      100          100
Added  npm/@socketsecurity/sdk@4.0.0             100                    100            100      100          100

View full report

socket-security-staging bot commented Apr 13, 2026

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

@jdalton John-David Dalton (jdalton) marked this pull request as ready for review April 14, 2026 21:18

Commit message:

PreToolUse hook that checks newly-added dependencies against the
Socket.dev malware API before allowing edits through. Supports
npm, PyPI, Cargo, Go, Maven, RubyGems, NuGet, and Composer.