perf(build): bundle all deps and stub heavy internals

Move @socketsecurity/lib and form-data from dependencies to
devDependencies so esbuild bundles them into the dist output,
making the SDK a zero-runtime-dependency package.

Add esbuild stub plugin to replace heavy modules with minimal stubs:

  @socketsecurity/lib internals:
  - npm-pack.js (2.5MB): npm tooling (arborist, cacache, pacote, semver)
    — cacache usage degrades gracefully (safeGet returns undefined,
    in-memory memoization still works)
  - pico-pack.js (260KB): glob deps (picomatch, fast-glob, del)
  - globs.js, sorts.js: gateway modules to pico-pack and npm-pack

  Third-party:
  - mime-db (212KB): replaced with 3-entry lookup for the MIME types
    the SDK actually uses (application/json, application/octet-stream,
    multipart/form-data). Safe because the SDK always passes explicit
    contentType to form-data, so mime.lookup is never called.

dist/index.js: 3,897KB → 712KB (82% reduction), zero dependencies.

Author: jdalton

.config/esbuild.config.mjs

@@ -206,6 +206,56 @@ function createNodeProtocolPlugin() {
   }
 }
 
+/**
+ * Plugin to stub heavy @socketsecurity/lib internals and third-party modules
+ * that are unreachable or safely degradable in the SDK's runtime code paths.
+ *
+ * @socketsecurity/lib stubs:
+ *
+ *   npm-pack.js (2.5MB) — arborist, cacache, pacote, make-fetch-happen,
+ *     semver. Reached via sorts→semver (dead) and cache-with-ttl→cacache
+ *     (degrades gracefully: safeGet returns undefined, in-memory memoization
+ *     still works).
+ *
+ *   pico-pack.js (260KB) — picomatch, fast-glob, del. Reached via
+ *     fs→globs for isDirEmptySync/readDirNames, never called by SDK.
+ *
+ *   globs.js, sorts.js — gateway modules to pico-pack and npm-pack.
+ *
+ * Third-party stubs:
+ *
+ *   mime-db (212KB) — Massive MIME type database bundled via form-data →
+ *     mime-types → mime-db. The SDK only uses 'application/octet-stream'
+ *     (file uploads) and 'application/json' (API calls). Replaced with a
+ *     minimal lookup covering just those types.
+ */
+function createLibStubPlugin() {
+  const libStubPattern =
+    /@socketsecurity\/lib\/dist\/(globs|sorts|external\/(npm-pack|pico-pack))\.js$/
+
+  const mimeDbPattern = /mime-db\/db\.json$/
+
+  return {
+    name: 'stub-unused-internals',
+    setup(build) {
+      // Stub heavy lib modules with empty exports.
+      build.onLoad({ filter: libStubPattern }, () => ({
+        contents: 'module.exports = {}',
+        loader: 'js',
+      }))
+      // Replace 212KB mime-db with minimal lookup for types the SDK uses.
+      build.onLoad({ filter: mimeDbPattern }, () => ({
+        contents: `module.exports = {
+  "application/json": { source: "iana", charset: "UTF-8", compressible: true },
+  "application/octet-stream": { source: "iana", compressible: false },
+  "multipart/form-data": { source: "iana" }
+}`,
+        loader: 'js',
+      }))
+    },
+  }
+}
+
 // Build configuration for ESM output
 export const buildConfig = {
   entryPoints: [`${srcPath}/index.ts`, `${srcPath}/testing.ts`],
@@ -226,9 +276,11 @@ export const buildConfig = {
   logLevel: 'info',
 
   // Use plugins for module resolution and path handling.
-  plugins: [createNodeProtocolPlugin(), createPathShorteningPlugin()].filter(
-    Boolean,
-  ),
+  plugins: [
+    createLibStubPlugin(),
+    createNodeProtocolPlugin(),
+    createPathShorteningPlugin(),
+  ].filter(Boolean),
 
   // External dependencies.
   // All runtime dependencies from package.json are external (not bundled) - consumers must install them.

CLAUDE.md

@@ -21,6 +21,7 @@
 - Dependencies: After `package.json` edits, run `pnpm install` to update `pnpm-lock.yaml`
 - Backward Compatibility: 🚨 FORBIDDEN to maintain - actively remove when encountered (see canonical CLAUDE.md)
 - 🚨 **NEVER use `npx`, `pnpm dlx`, or `yarn dlx`** — use `pnpm exec <package>` for devDep binaries, or `pnpm run <script>` for package.json scripts. If a tool is needed, add it as a pinned devDependency first.
+- **minimumReleaseAge**: NEVER add packages to `minimumReleaseAgeExclude` in CI. Locally, ASK before adding — the age threshold is a security control.
 
 ---
 

package.json

@@ -64,12 +64,9 @@
     "type": "tsgo --noEmit -p .config/tsconfig.check.json",
     "update": "node scripts/update.mjs"
   },
-  "dependencies": {
-    "@socketsecurity/lib": "5.15.0",
-    "form-data": "4.0.5"
-  },
   "devDependencies": {
     "@anthropic-ai/claude-code": "2.1.92",
+    "@socketsecurity/lib": "5.18.2",
     "@babel/generator": "7.28.5",
     "@babel/parser": "7.26.3",
     "@babel/traverse": "7.26.4",
@@ -87,6 +84,7 @@
     "ecc-agentshield": "1.4.0",
     "esbuild": "0.25.11",
     "fast-glob": "3.3.3",
+    "form-data": "4.0.5",
     "husky": "9.1.7",
     "magic-string": "0.30.14",
     "nock": "14.0.10",
@@ -120,7 +118,7 @@
       "unrs-resolver"
     ],
     "overrides": {
-      "defu": ">=6.1.6",
+      "defu": ">=6.1.7",
       "vite": "7.3.2"
     }
   }