refactor(cli): move externalTools to separate JSON files and document in workflows

Separate external tool configurations from package.json into dedicated
external-tools.json files for better organization and maintainability.
Add workflow documentation referencing these files as source of truth.

Changes:
- Create packages/cli/external-tools.json for CLI-specific tools
  (@coana-tech/cli, @cyclonedx/cdxgen, python, socketsecurity, sfw)
- Create packages/build-infra/external-tools.json for core build tools
  (cmake, emsdk, gh, ninja, python, rust)
- Update esbuild-shared.mjs to read from external-tools.json
- Remove externalTools field from both package.json files
- Fix SpawnNodeOptions.ipc type to include | undefined for exactOptionalPropertyTypes
- Update analytics test snapshots with current dates
- Update build-infra external-tools.json versions to match workflow usage:
  - emsdk: 3.1.69 -> 4.0.18
  - python: 3.10.18 -> 3.11
- Add "Version from packages/build-infra/external-tools.json" comments to workflows:
  - build-wasm.yml: emsdk and python-version references
  - build-sea.yml: emsdk cache key and python-version references

Author: jdalton

.github/workflows/build-sea.yml

@@ -68,15 +68,24 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Load tool versions
+        id: tools
+        run: |
+          # Load versions from packages/build-infra/external-tools.json
+          NODE_VERSION=$(jq -r '.node.recommendedVersion' packages/build-infra/external-tools.json)
+          PNPM_VERSION=$(jq -r '.pnpm.recommendedVersion' packages/build-infra/external-tools.json)
+          echo "node-version=$NODE_VERSION" >> $GITHUB_OUTPUT
+          echo "pnpm-version=$PNPM_VERSION" >> $GITHUB_OUTPUT
+
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 24.10.0
+          node-version: ${{ steps.tools.outputs.node-version }}
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: 10.20.0
+          version: ${{ steps.tools.outputs.pnpm-version }}
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -217,17 +226,27 @@ jobs:
           echo ""
           echo "✓ Bootstrap artifacts verified"
 
+      - name: Load tool versions
+        if: steps.check-platform.outputs.should-run == 'true'
+        id: tools
+        run: |
+          # Load versions from packages/build-infra/external-tools.json
+          NODE_VERSION=$(jq -r '.node.recommendedVersion' packages/build-infra/external-tools.json)
+          PNPM_VERSION=$(jq -r '.pnpm.recommendedVersion' packages/build-infra/external-tools.json)
+          echo "node-version=$NODE_VERSION" >> $GITHUB_OUTPUT
+          echo "pnpm-version=$PNPM_VERSION" >> $GITHUB_OUTPUT
+
       - name: Setup Node.js
         if: steps.check-platform.outputs.should-run == 'true'
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 24.10.0
+          node-version: ${{ steps.tools.outputs.node-version }}
 
       - name: Setup pnpm
         if: steps.check-platform.outputs.should-run == 'true'
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: 10.20.0
+          version: ${{ steps.tools.outputs.pnpm-version }}
 
       - name: Install dependencies
         if: steps.check-platform.outputs.should-run == 'true'
@@ -349,6 +368,7 @@ jobs:
           # At: tools/gyp/pylib/gyp/generator/ninja.py:813 hashlib.md5(outputs[0]).
           # Python 3.13 requires .encode() for hashlib, but gyp doesn't support it yet.
           # Using 3.11 ensures consistency across standard and musl libc builds.
+          # Version from packages/build-infra/external-tools.json
           python-version: '3.11'
 
       - name: Cache Emscripten SDK (non-Windows)
@@ -357,7 +377,8 @@ jobs:
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: emsdk
-          key: emsdk-${{ runner.os }}-3.1.69
+          # Version from packages/build-infra/external-tools.json
+          key: emsdk-${{ runner.os }}-4.0.18
           restore-keys: emsdk-${{ runner.os }}-
 
       # - name: Cache pip packages
@@ -389,13 +410,15 @@ jobs:
               echo "::group::Installing Emscripten"
               git clone https://github.com/emscripten-core/emsdk.git
               cd emsdk
+              # Version from packages/build-infra/external-tools.json
               ./emsdk install 4.0.18
               ./emsdk activate 4.0.18
               cd ..
               echo "::endgroup::"
             else
               echo "::group::Activating Emscripten (from cache)"
               cd emsdk
+              # Version from packages/build-infra/external-tools.json
               ./emsdk activate 4.0.18
               cd ..
               echo "::endgroup::"

.github/workflows/build-wasm.yml

@@ -81,15 +81,24 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Load tool versions
+        id: tools
+        run: |
+          # Load versions from packages/build-infra/external-tools.json
+          NODE_VERSION=$(jq -r '.node.recommendedVersion' packages/build-infra/external-tools.json)
+          PNPM_VERSION=$(jq -r '.pnpm.recommendedVersion' packages/build-infra/external-tools.json)
+          echo "node-version=$NODE_VERSION" >> $GITHUB_OUTPUT
+          echo "pnpm-version=$PNPM_VERSION" >> $GITHUB_OUTPUT
+
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22.11.0
+          node-version: ${{ steps.tools.outputs.node-version }}
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: 10.20.0
+          version: ${{ steps.tools.outputs.pnpm-version }}
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -142,6 +151,7 @@ jobs:
           echo "::group::Installing Emscripten"
           git clone https://github.com/emscripten-core/emsdk.git
           cd emsdk
+          # Version from packages/build-infra/external-tools.json
           ./emsdk install 4.0.18
           ./emsdk activate 4.0.18
           echo "::endgroup::"
@@ -195,15 +205,24 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Load tool versions
+        id: tools
+        run: |
+          # Load versions from packages/build-infra/external-tools.json
+          NODE_VERSION=$(jq -r '.node.recommendedVersion' packages/build-infra/external-tools.json)
+          PNPM_VERSION=$(jq -r '.pnpm.recommendedVersion' packages/build-infra/external-tools.json)
+          echo "node-version=$NODE_VERSION" >> $GITHUB_OUTPUT
+          echo "pnpm-version=$PNPM_VERSION" >> $GITHUB_OUTPUT
+
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22.11.0
+          node-version: ${{ steps.tools.outputs.node-version }}
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: 10.20.0
+          version: ${{ steps.tools.outputs.pnpm-version }}
 
       - name: Setup Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
@@ -213,6 +232,7 @@ jobs:
           # At: tools/gyp/pylib/gyp/generator/ninja.py:813 hashlib.md5(outputs[0])
           # Python 3.13 requires .encode() for hashlib, but gyp doesn't support it yet.
           # Using 3.11 ensures consistency across standard and Alpine builds.
+          # Version from packages/build-infra/external-tools.json
           python-version: '3.11'
 
       - name: Cache pip packages
@@ -374,15 +394,24 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Load tool versions
+        id: tools
+        run: |
+          # Load versions from packages/build-infra/external-tools.json
+          NODE_VERSION=$(jq -r '.node.recommendedVersion' packages/build-infra/external-tools.json)
+          PNPM_VERSION=$(jq -r '.pnpm.recommendedVersion' packages/build-infra/external-tools.json)
+          echo "node-version=$NODE_VERSION" >> $GITHUB_OUTPUT
+          echo "pnpm-version=$PNPM_VERSION" >> $GITHUB_OUTPUT
+
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22.11.0
+          node-version: ${{ steps.tools.outputs.node-version }}
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: 10.20.0
+          version: ${{ steps.tools.outputs.pnpm-version }}
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -434,6 +463,7 @@ jobs:
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: emsdk
+          # Version from packages/build-infra/external-tools.json
           key: emsdk-${{ runner.os }}-4.0.18
           restore-keys: emsdk-${{ runner.os }}-
 
@@ -443,6 +473,7 @@ jobs:
           echo "::group::Installing Emscripten"
           git clone https://github.com/emscripten-core/emsdk.git
           cd emsdk
+          # Version from packages/build-infra/external-tools.json
           ./emsdk install 4.0.18
           ./emsdk activate 4.0.18
           echo "::endgroup::"
@@ -451,6 +482,7 @@ jobs:
         if: (steps.onnx-cache-valid.outputs.valid != 'true' || inputs.force) && steps.emsdk-cache.outputs.cache-hit == 'true'
         run: |
           cd emsdk
+          # Version from packages/build-infra/external-tools.json
           ./emsdk activate 4.0.18
 
       - name: Check workflow status before build

.github/workflows/ci.yml

@@ -25,21 +25,39 @@ on:
         description: 'Node.js versions to test (JSON array)'
         required: false
         type: string
+        # Default should match packages/build-infra/external-tools.json -> node.recommendedVersion.
         default: '["24.10.0"]'
 
 permissions:
   contents: read
 
 jobs:
+  versions:
+    name: Load Tool Versions
+    runs-on: ubuntu-latest
+    outputs:
+      node: ${{ steps.versions.outputs.node }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Load Node.js version from external-tools.json
+        id: versions
+        run: |
+          NODE_VERSION=$(jq -r '.node.recommendedVersion' packages/build-infra/external-tools.json)
+          echo "node=[\"$NODE_VERSION\"]" >> $GITHUB_OUTPUT
+          echo "Loaded Node.js: $NODE_VERSION"
+
   ci:
     name: Run CI Pipeline
+    needs: versions
     uses: SocketDev/socket-registry/.github/workflows/ci.yml@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
     with:
       test-setup-script: 'pnpm --filter @socketsecurity/cli run build'
       lint-script: 'pnpm --filter @socketsecurity/cli run check'
       type-check-script: 'pnpm --filter @socketsecurity/cli run type'
       run-test: false  # Tests run in separate sharded job below.
-      node-versions: ${{ inputs.node-versions || '["24.10.0"]' }}
+      node-versions: ${{ inputs.node-versions || needs.versions.outputs.node }}
       os-versions: '["ubuntu-latest"]'
       fail-fast: false
       max-parallel: 4
@@ -50,14 +68,14 @@ jobs:
   # Runs on Linux only to optimize CI runtime and build requirements.
   test-sharded:
     name: Unit Tests (Shard ${{ matrix.shard }}/3)
-    needs: ci
+    needs: [ci, versions]
     runs-on: ubuntu-latest
     timeout-minutes: 10
     strategy:
       fail-fast: false
       max-parallel: 4
       matrix:
-        node-version: ${{ fromJSON(inputs.node-versions || '["24.10.0"]') }}
+        node-version: ${{ fromJSON(inputs.node-versions || needs.versions.outputs.node) }}
         shard: [1, 2, 3]
     steps:
       - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
@@ -99,13 +117,13 @@ jobs:
   # Tests the JS distribution and optionally SEA/smol if cached binaries are available.
   integration:
     name: Integration Tests
-    needs: ci
+    needs: [ci, versions]
     runs-on: ubuntu-latest
     timeout-minutes: 15
     strategy:
       fail-fast: false
       matrix:
-        node-version: ['24.10.0']
+        node-version: ${{ fromJSON(inputs.node-versions || needs.versions.outputs.node) }}
     steps:
       - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
         with:
@@ -256,13 +274,13 @@ jobs:
 
   e2e:
     name: E2E Tests
-    needs: ci
+    needs: [ci, versions]
     runs-on: ${{ matrix.os }}
     timeout-minutes: 20
     strategy:
       fail-fast: true
       matrix:
-        node-version: ['24.10.0']
+        node-version: ${{ fromJSON(inputs.node-versions || needs.versions.outputs.node) }}
         os: [ubuntu-latest]
     steps:
       - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4709a2443e5a036bb0cd94e5d1559f138f05994c # main

.github/workflows/publish-socketbin.yml

@@ -122,16 +122,25 @@ jobs:
           autocrlf: false
           persist-credentials: false
 
+      - name: Load tool versions
+        id: tools
+        run: |
+          # Load versions from packages/build-infra/external-tools.json
+          NODE_VERSION=$(jq -r '.node.recommendedVersion' packages/build-infra/external-tools.json)
+          PNPM_VERSION=$(jq -r '.pnpm.recommendedVersion' packages/build-infra/external-tools.json)
+          echo "node-version=$NODE_VERSION" >> $GITHUB_OUTPUT
+          echo "pnpm-version=$PNPM_VERSION" >> $GITHUB_OUTPUT
+
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22.11.0
+          node-version: ${{ steps.tools.outputs.node-version }}
           registry-url: 'https://registry.npmjs.org'
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: 10.20.0
+          version: ${{ steps.tools.outputs.pnpm-version }}
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -345,16 +354,25 @@ jobs:
           autocrlf: false
           persist-credentials: false
 
+      - name: Load tool versions
+        id: tools
+        run: |
+          # Load versions from packages/build-infra/external-tools.json
+          NODE_VERSION=$(jq -r '.node.recommendedVersion' packages/build-infra/external-tools.json)
+          PNPM_VERSION=$(jq -r '.pnpm.recommendedVersion' packages/build-infra/external-tools.json)
+          echo "node-version=$NODE_VERSION" >> $GITHUB_OUTPUT
+          echo "pnpm-version=$PNPM_VERSION" >> $GITHUB_OUTPUT
+
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22.11.0
+          node-version: ${{ steps.tools.outputs.node-version }}
           registry-url: 'https://registry.npmjs.org'
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: 10.20.0
+          version: ${{ steps.tools.outputs.pnpm-version }}
 
       - name: Install latest npm
         run: npm install -g npm@latest

packages/build-infra/external-tools.json

@@ -0,0 +1,18 @@
+{
+  "cmake": "3.30.5",
+  "emsdk": "4.0.18",
+  "gh": "2.62.0",
+  "ninja": "1.12.1",
+  "node": {
+    "description": "Node.js runtime",
+    "minimumVersion": "24.10.0",
+    "recommendedVersion": "24.10.0"
+  },
+  "pnpm": {
+    "description": "pnpm package manager",
+    "minimumVersion": "10.22.0",
+    "recommendedVersion": "10.22.0"
+  },
+  "python": "3.11",
+  "rust": "1.82.0"
+}

packages/build-infra/package.json

@@ -18,13 +18,5 @@
     "@babel/traverse": "catalog:",
     "@socketsecurity/lib": "catalog:",
     "magic-string": "catalog:"
-  },
-  "externalTools": {
-    "cmake": "3.30.5",
-    "emsdk": "3.1.69",
-    "gh": "2.62.0",
-    "ninja": "1.12.1",
-    "python": "3.10.18",
-    "rust": "1.82.0"
   }
 }