jmagly/supply-chain-hardening-quickstart

supply-chain-hardening-quickstart

Use this skill when a user asks to harden an npm project after a supply-chain incident, prepare a release pipeline for trusted publishing, or give their users verification instructions.

Runbook

1. Run npm-supply-chain-audit to find the current exposure.
2. Run npm-release-age-gate to configure the 7-day default and 10-day high-sensitivity profile.
3. Use supply-chain-trust for broader release evidence: signed tags, provenance, cosign signatures, SBOM, and reproducible-build tradeoffs.
4. Produce user-facing docs that explain:
   • runtime Node/npm requirements,
   • contributor lockfile requirements,
   • release-publisher requirements,
   • how to verify provenance, signatures, and SBOMs,
   • what to rotate if a malicious package ran.

Minimum issue set

File or verify issues for:

• Remove install lifecycle scripts or document why each one must remain.
• Block Git, GitHub shorthand, direct tarball, file:, and link: dep sources outside an allowlist.
• Add a known-affected package feed scan and document how CI points it at the current CSV snapshot (local path or raw gist URL).
• Add .npmrc min-release-age=7.
• Document npm 11.5+ for dependency updates.
• Move npmjs.org release publishing to trusted publishing where possible.
• Add signed tag verification before release workflows publish.
• Add tarball audit, npm audit signatures, and SBOM generation.
• Add consumer verification docs.

Completion criteria

• A clean audit result exists with file:line findings or explicit clean checks.
• Known-affected exact matches are distinguished from advisory-vuln results and include package/version/published/detected evidence.
• Users can install without lifecycle-script surprises.
• Contributors know when npm 11.5+ is required.
• Release engineers use Node 24 or another environment satisfying npm trusted-publishing requirements.
• Public docs explain verification without asking users to trust the registry alone.