chore: tsconfig sourcemaps off + check-new-deps hook cleanup

tsconfig: explicit sourceMap: false and declarationMap: false on every
config, keys alphanumerically sorted. Never ship sourcemaps.

hook: remove low-score warnings and fix inaccurate comments. The
malware API only checks for malware, not quality scores; warned/score
logic was dead code and the SDK batch comment was wrong.

Author: jdalton

.claude/hooks/check-new-deps/README.md

@@ -8,10 +8,9 @@ When Claude edits a file like `package.json`, `requirements.txt`, `Cargo.toml`,
 
 1. **Detects the file type** and extracts dependency names from the content
 2. **Diffs against the old content** (for edits) so only *newly added* deps are checked
-3. **Queries the Socket.dev API** to check for malware and critical security alerts
-4. **Blocks the edit** (exit code 2) if malware or critical alerts are found
-5. **Warns** (but allows) if a package has a low quality score
-6. **Allows** (exit code 0) if everything is clean or the file isn't a manifest
+3. **Queries the Socket.dev API** to check for malware
+4. **Blocks the edit** (exit code 2) if malware is detected
+5. **Allows** (exit code 0) if everything is clean or the file isn't a manifest
 
 ## How it works
 
@@ -30,11 +29,8 @@ Build Package URLs (PURLs) for each dep
         │
         ▼
 Call sdk.checkMalware(components)
-  - ≤5 deps: parallel firewall API (fast, full data)
-  - >5 deps: batch PURL API (efficient)
         │
-        ├── Malware/critical alert → EXIT 2 (blocked)
-        ├── Low score → warn, EXIT 0 (allowed)
+        ├── Malware detected → EXIT 2 (blocked)
         └── Clean → EXIT 0 (allowed)
 ```
 

.claude/hooks/check-new-deps/index.mts

@@ -15,7 +15,7 @@
 //
 // Exit codes:
 //   0 = allow (no new deps, all clean, or non-dep file)
-//   2 = block (malware or critical alert from Socket.dev)
+//   2 = block (malware detected by Socket.dev)
 
 import {
   parseNpmSpecifier,
@@ -36,8 +36,6 @@ const logger = getDefaultLogger()
 
 // Per-request timeout (ms) to avoid blocking the hook on slow responses.
 const API_TIMEOUT = 5_000
-// Deps scoring below this threshold trigger a warning (not a block).
-const LOW_SCORE_THRESHOLD = 0.5
 // Max PURLs per batch request (API limit is 1024).
 const MAX_BATCH_SIZE = 1024
 // How long (ms) to cache a successful API response (5 minutes).
@@ -75,9 +73,7 @@ interface HookInput {
 interface CheckResult {
   purl: string
   blocked?: boolean
-  warned?: boolean
   reason?: string
-  score?: number
 }
 
 
@@ -324,14 +320,8 @@ async function check(hook: HookInput): Promise<number> {
   if (deps.length === 0) return 0
 
   // Check all deps via SDK checkMalware().
-  const { blocked, warned } = await checkDepsBatch(deps)
+  const blocked = await checkDepsBatch(deps)
 
-  if (warned.length > 0) {
-    logger.warn('Socket: low-scoring dependencies (not blocked):')
-    for (const w of warned) {
-      logger.warn(`  ${w.purl}: overall score ${w.score}`)
-    }
-  }
   if (blocked.length > 0) {
     logger.error(`Socket: blocked ${blocked.length} dep(s):`)
     for (const b of blocked) {
@@ -343,14 +333,11 @@ async function check(hook: HookInput): Promise<number> {
 }
 
 // Check deps against Socket.dev using SDK v4 checkMalware().
-// The SDK automatically routes small sets (<=5) to parallel firewall
-// requests and larger sets to the batch PURL API.
 // Deps already in cache are skipped; results are cached after lookup.
 async function checkDepsBatch(
   deps: Dep[],
-): Promise<{ blocked: CheckResult[]; warned: CheckResult[] }> {
+): Promise<CheckResult[]> {
   const blocked: CheckResult[] = []
-  const warned: CheckResult[] = []
 
   // Partition deps into cached vs uncached.
   const uncached: Array<{ dep: Dep; purl: string }> = []
@@ -359,13 +346,12 @@ async function checkDepsBatch(
     const cached = cacheGet(purl)
     if (cached) {
       if (cached.result?.blocked) blocked.push(cached.result)
-      else if (cached.result?.warned) warned.push(cached.result)
       continue
     }
     uncached.push({ dep, purl })
   }
 
-  if (!uncached.length) return { blocked, warned }
+  if (!uncached.length) return blocked
 
   try {
     // Process in chunks to respect API batch size limit.
@@ -379,7 +365,7 @@ async function checkDepsBatch(
         logger.warn(
           `Socket: API returned ${result.status}, allowing all`
         )
-        return { blocked, warned }
+        return blocked
       }
 
       // Build lookup keyed by full PURL (includes namespace + version).
@@ -395,37 +381,22 @@ async function checkDepsBatch(
         const purl = purlByKey.get(key)
         if (!purl) continue
 
-        // Check for malware or critical-severity alerts.
-        const critical = pkg.alerts.find(
+        // Check for malware alerts.
+        const malware = pkg.alerts.find(
           a => a.severity === 'critical' || a.type === 'malware'
         )
-        if (critical) {
+        if (malware) {
           const cr: CheckResult = {
             purl,
             blocked: true,
-            reason: `${critical.type} — ${critical.severity ?? 'critical'}`,
+            reason: `${malware.type} — ${malware.severity ?? 'critical'}`,
           }
           cacheSet(purl, cr)
           blocked.push(cr)
           continue
         }
 
-        // Warn on low quality score.
-        if (
-          pkg.score?.overall !== undefined
-          && pkg.score.overall < LOW_SCORE_THRESHOLD
-        ) {
-          const wr: CheckResult = {
-            purl,
-            warned: true,
-            score: pkg.score.overall,
-          }
-          cacheSet(purl, wr)
-          warned.push(wr)
-          continue
-        }
-
-        // No blocking alerts — clean dep.
+        // No malware alerts — clean dep.
         cacheSet(purl, undefined)
       }
     }
@@ -437,7 +408,7 @@ async function checkDepsBatch(
     )
   }
 
-  return { blocked, warned }
+  return blocked
 }
 
 // Return deps in `newDeps` that don't appear in `oldDeps` (by PURL).

.claude/hooks/check-new-deps/tsconfig.json

@@ -1,13 +1,16 @@
 {
   "compilerOptions": {
-    "noEmit": true,
-    "target": "esnext",
+    "declarationMap": false,
+    "erasableSyntaxOnly": true,
     "module": "nodenext",
     "moduleResolution": "nodenext",
+    "noEmit": true,
     "rewriteRelativeImportExtensions": true,
-    "erasableSyntaxOnly": true,
-    "verbatimModuleSyntax": true,
+    "skipLibCheck": true,
+    "sourceMap": false,
     "strict": true,
-    "skipLibCheck": true
+    "target": "esnext",
+    "useUnknownInCatchVariables": true,
+    "verbatimModuleSyntax": true
   }
 }

.config/tsconfig.check.json

@@ -1,10 +1,12 @@
 {
   "extends": "../tsconfig.json",
   "compilerOptions": {
+    "declarationMap": false,
     "noEmit": true,
     "rootDir": "..",
-    "types": ["node", "vitest"],
-    "skipLibCheck": true
+    "skipLibCheck": true,
+    "sourceMap": false,
+    "types": ["node", "vitest"]
   },
   "include": ["../src/**/*.ts", "../test/**/*.ts", "../test/**/*.mts"],
   "exclude": ["../node_modules", "../dist/**/*"]

.config/tsconfig.external-aliases.json

@@ -1,6 +1,7 @@
 {
   "extends": "./tsconfig.check.json",
   "compilerOptions": {
+    "declarationMap": false,
     "paths": {
       "#constants/*": ["../src/constants/*"],
       "#env/*": ["../src/env/*"],
@@ -25,6 +26,7 @@
       "@socketregistry/packageurl-js/*": ["../../socket-packageurl-js/dist/*"],
       "@socketsecurity/sdk": ["../../socket-sdk-js/dist/index.d.ts"],
       "@socketsecurity/sdk/*": ["../../socket-sdk-js/dist/*"]
-    }
+    },
+    "sourceMap": false
   }
 }

tsconfig.dts.json

@@ -2,8 +2,10 @@
   "extends": "./tsconfig.json",
   "compilerOptions": {
     "declaration": true,
+    "declarationMap": false,
     "emitDeclarationOnly": true,
-    "noEmit": false
+    "noEmit": false,
+    "sourceMap": false
   },
   "include": ["src/**/*.ts"],
   "exclude": ["node_modules", "dist/**/*", "lib", "test", "src/**/*.js"]

tsconfig.json

@@ -1,26 +1,26 @@
 {
   "extends": "./.config/tsconfig.base.json",
   "compilerOptions": {
+    "allowSyntheticDefaultImports": true,
+    "declaration": false,
+    "declarationMap": false,
     "module": "commonjs",
     "moduleResolution": "bundler",
-    "outDir": "dist",
-    "rootDir": "src",
     "noEmit": false,
     "noEmitOnError": false,
-    "sourceMap": false,
-    "declaration": false,
-    "declarationMap": false,
-    "verbatimModuleSyntax": false,
-    "allowSyntheticDefaultImports": true,
-    "types": ["node"],
+    "outDir": "dist",
     "paths": {
       "adm-zip": ["./src/external/adm-zip"],
       "cacache": ["./src/external/cacache"],
       "make-fetch-happen": ["./src/external/make-fetch-happen"],
       "fast-sort": ["./src/external/fast-sort"],
       "pacote": ["./src/external/pacote"],
       "tar-fs": ["./src/external/tar-fs"]
-    }
+    },
+    "rootDir": "src",
+    "sourceMap": false,
+    "types": ["node"],
+    "verbatimModuleSyntax": false
   },
   "include": ["src/**/*.ts", "src/**/*.d.ts"],
   "exclude": ["node_modules", "dist/**/*", "lib", "test", "src/**/*.js"]

tsconfig.test.json

@@ -1,7 +1,9 @@
 {
   "extends": "./tsconfig.json",
   "compilerOptions": {
+    "declarationMap": false,
     "rootDir": ".",
+    "sourceMap": false,
     "types": ["node", "vitest"]
   },
   "include": ["test/**/*.ts", "test/**/*.mts", "src/**/*.ts"],