Adds a supply-chain scan step that runs `socket-cli` against the lockfile on PRs that touch package.json or pnpm-lock.yaml. The step is gated behind a git-diff paths check so it only fires when dependency files change. The repo-root .socket.json (critical → error) causes the step to exit non-zero on any critical finding, blocking the PR.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>