plugins/dependency-upgrade/skills/dependency-upgrade/SKILL.md
Secure dependency upgrades with supply chain protection, cooldowns, and staged rollout. Use when upgrading deps, configuring security policies, or preventing supply chain attacks.
Manage dependency upgrades with supply chain security, compatibility analysis, staged rollout, and comprehensive testing across all major package managers.
Interactive — Walk through setup questions to generate tailored config. Use for fresh setup.
Default — Apply recommended defaults immediately: 7-day cooldown, block all scripts, frozen-lockfile, lockfile-lint, Dependabot with cooldown. Customization optional.
When the user wants tailored configuration, walk through these decisions. Skip this section entirely if using default mode.
Always ask these 3 questions before generating any config:
1. Package Manager
"Which package manager does this project use?"
| Answer | Generates |
|--------|-----------|
| npm | .npmrc |
| Bun | bunfig.toml |
| pnpm | pnpm-workspace.yaml |
| Yarn | .yarnrc.yml |
| Deno | deno.json config |
2. Cooldown Period
"How many days should newly published packages age before install? This prevents supply chain attacks where malicious packages are discovered and unpublished within days."
| Option | Days | Use Case |
|--------|------|----------|
| Aggressive | 3 | Catches most typosquatting |
| Recommended | 7 | Good balance for most projects |
| Conservative | 14 | Critical/production systems |
| Paranoid | 21 | Matches Snyk's built-in default |
| Custom | N | User specifies |
3. Post-Install Script Policy
"How should lifecycle scripts (postinstall, preinstall) be handled? These are the #1 attack vector for supply chain attacks."
| Option | Behavior |
|--------|----------|
| Block all (recommended) | --ignore-scripts + allow-git=none |
| Allowlist | Block by default, allow specific trusted packages |
| Review only | Warn but don't block |
"Which of these security features would you like to configure? Select any that apply."
4. CI/CD Automation Tool
| Answer | Generates |
|--------|-----------|
| Dependabot | .github/dependabot.yml with cooldown |
| Renovate | renovate.json with minimumReleaseAge |
| Snyk | No config needed (21-day cooldown built-in) |
| None | Skip |
5. Automerge Policy
| Option | Behavior |
|--------|----------|
| None | All updates require manual review |
| Minor+Patch only | Auto-merge safe updates, review majors |
| All with approval | Auto-merge after team approval |
6. Update Schedule
| Option | Config Value |
|--------|-------------|
| Daily | "daily" |
| Weekly (default) | "weekly" |
| Biweekly | "biweekly" |
| Monthly | "monthly" |
7. Install-Time Security Tooling
"Which security tools should protect dependency installation?"
| Option | Free? | What It Does |
|--------|-------|-------------|
| socket npm wrapper | Yes (beta) | Wraps npm/npx, blocks malicious packages before install. Run `socket wrapper on` to enable system-wide. |
| npq | Yes | Pre-install auditor (CVE, typosquat, age, provenance checks) |
| Socket Firewall (sfw) | No | Real-time deep analysis, blocks malicious packages |
| socket npm + npq | Yes | Both free tools combined |
| None | — | Skip |
Load references/socket-cli-guide.md for full Socket CLI setup including authentication and free vs authenticated features.
8. Lockfile Validation
| Option | Behavior |
|--------|----------|
| Yes (recommended) | Adds lockfile-lint + CI script |
| No | Skip |
"Would you like to configure any advanced options?"
9. Dev Containers — Generate hardened .devcontainer/devcontainer.json (Yes/No)
10. Secrets Manager — 1Password CLI / Infisical / None
11. pnpm Trust Policy — Enable trustPolicy: no-downgrade (pnpm 10.21+ only, Yes/No)
12. Cooldown Exclusions — Package names that bypass cooldown (e.g., @types/react, typescript, esbuild)
- npm install
- npm ci, --frozen-lockfile)
- lockfile-lint to detect injection
- npq or Socket CLI to check packages before installing
- npm update or npm-check-updates -u without review
- socket scan to detect supply chain issues beyond CVEs

Newly published packages may contain malicious code discovered within hours. Configure a cooldown period to delay installation.
npm (.npmrc):
```ini
min-release-age=7
```
Bun (bunfig.toml):
```toml
[install]
minimumReleaseAge = 604800 # 7 days in seconds
minimumReleaseAgeExcludes = ["@types/bun", "typescript"]
```
pnpm (pnpm-workspace.yaml):
```yaml
minimumReleaseAge: 10080 # 7 days in minutes
minimumReleaseAgeExclude:
  - '@types/react'
  - typescript
```
Yarn (.yarnrc.yml):
```yaml
npmMinimalAgeGate: "7d"
npmPreapprovedPackages:
  - "@types/react"
  - "typescript"
```
Load references/cooldown-config-guide.md for detailed per-PM configuration, CI tool integration, and exclusion patterns.
Use templates/<pm>-security.tmpl for copy-paste ready config files.
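The cooldown settings above only act when a package manager resolves versions, so a CI job can also audit what is already installed. The following is an added example, not code from this skill: `cooldownSettings` and `findTooNew` are hypothetical helpers, the package names and timestamps are constructed, and the publish-time map mirrors the `time` field of npm registry metadata.

```javascript
// Added example, not code from the skill: audit installed versions against a cooldown.
const DAY_MS = 24 * 60 * 60 * 1000;

// One window expressed in each package manager's unit, matching the configs above.
function cooldownSettings(days) {
  return {
    npm: `min-release-age=${days}`,             // days
    bun: `minimumReleaseAge = ${days * 86400}`, // seconds
    pnpm: `minimumReleaseAge: ${days * 1440}`,  // minutes
    yarn: `npmMinimalAgeGate: "${days}d"`,      // duration string
  };
}

// installed: [{ name, version }]; publishTimes: name -> { version: ISO date },
// the shape of the "time" field in npm registry metadata.
function findTooNew(installed, publishTimes, { days, exclude = [], now = Date.now() }) {
  const cutoff = now - days * DAY_MS;
  const findings = [];
  for (const { name, version } of installed) {
    if (exclude.includes(name)) continue; // cooldown exclusion list
    const iso = publishTimes[name]?.[version];
    const published = iso ? Date.parse(iso) : NaN;
    if (Number.isNaN(published)) {
      findings.push({ name, version, reason: "unknown publish time" });
    } else if (published > cutoff) {
      const ageDays = Math.floor((now - published) / DAY_MS);
      findings.push({ name, version, reason: `published ${ageDays}d ago, needs ${days}d` });
    }
  }
  return findings;
}

// Constructed sample data (hypothetical package names and timestamps).
const NOW = Date.parse("2025-06-15T00:00:00Z");
const sampleInstalled = [
  { name: "example-stable", version: "2.1.0" },
  { name: "example-fresh", version: "9.0.1" },
  { name: "@types/example", version: "1.0.5" },
  { name: "example-unlisted", version: "0.0.1" },
];
const sampleTimes = {
  "example-stable": { "2.1.0": "2025-03-01T10:00:00Z" },
  "example-fresh": { "9.0.1": "2025-06-13T08:00:00Z" },
  "@types/example": { "1.0.5": "2025-06-14T12:00:00Z" },
};

function runSample() {
  return findTooNew(sampleInstalled, sampleTimes, {
    days: 7, exclude: ["@types/example"], now: NOW,
  });
}
console.log(cooldownSettings(7), runSample());
```

A version with no recorded publish time is reported rather than passed, so a package missing from the metadata cannot slip through the gate.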
Post-install scripts are the most common supply chain attack vector (Shai-Hulud, Nx, event-stream incidents).
npm:
```bash
npm config set ignore-scripts true
npm config set allow-git none
```
Bun: Disabled by default. Allow specific packages in package.json:
```json
{ "trustedDependencies": ["esbuild", "sharp"] }
```
pnpm (10.0+): Disabled by default. Allow specific packages in pnpm-workspace.yaml:
```yaml
allowBuilds:
  esbuild: true
strictDepBuilds: true # Hard error on unreviewed scripts
```
Load references/package-manager-security.md for full per-PM hardening including pnpm trustPolicy, blockExoticSubdeps, and @lavamoat/allow-scripts.
Always use frozen install commands in CI to ensure reproducible builds:
| Package Manager | Command | What It Does |
|----------------|---------|-------------|
| npm | npm ci | Deletes node_modules, installs exact lockfile versions |
| Bun | bun install --frozen-lockfile | Fails if lockfile is out of sync |
| pnpm | pnpm install --frozen-lockfile | Fails if lockfile is out of sync |
| Yarn | yarn install --immutable --immutable-cache | Validates lockfile and cache |
| Deno | deno install --frozen | Frozen installation |
Commit all lockfiles to version control: package-lock.json, bun.lock, pnpm-lock.yaml, yarn.lock, deno.lock.
Install and configure lockfile-lint to detect lockfile injection attacks:
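```bash
npm install --save-dev lockfile-lint
```
```json
{
  "scripts": {
    "lint:lockfile": "lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https",
    "preinstall": "npm run lint:lockfile"
  }
}
```
When `ignore-scripts` is set to true as shown earlier, npm skips the `preinstall` hook, so also run `npm run lint:lockfile` as an explicit CI step.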
Note: lockfile-lint does not currently support Bun's bun.lock / bun.lockb formats.
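To show what a lockfile injection check looks for, here is an added example (not lockfile-lint's own code, and not part of this skill) that audits `package-lock.json` v2/v3 entries for the HTTPS and allowed-host rules configured above. It goes slightly further by also flagging missing integrity hashes and tarball URLs whose package name does not match the entry; `auditLockfile`, the package names and the integrity values are constructed for illustration.

```javascript
// Added example, not lockfile-lint's own code: audit package-lock.json (v2/v3) entries.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromKey(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

function auditLockfile(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages ?? {})) {
    // The root project, workspace links and bundled deps have no tarball URL.
    if (!key.includes("node_modules/") || entry.link || entry.inBundle) continue;
    const flag = (rule, detail) => findings.push({ key, rule, detail });
    if (!entry.integrity) flag("missing-integrity", "no integrity hash recorded");
    let url;
    try {
      url = new URL(entry.resolved);
    } catch {
      flag("bad-resolved", String(entry.resolved));
      continue;
    }
    if (url.protocol !== "https:") flag("not-https", entry.resolved);
    if (!allowedHosts.has(url.hostname)) flag("host-not-allowed", url.hostname);
    // Registry tarballs live at /<name>/-/<file>.tgz, so the name must match the entry.
    const urlName = decodeURIComponent(url.pathname.split("/-/")[0].slice(1));
    const expected = entry.name ?? nameFromKey(key); // aliases record the real name
    if (urlName !== expected) flag("name-mismatch", `${urlName} != ${expected}`);
  }
  return findings;
}

// Constructed lockfile (hypothetical packages, placeholder integrity values).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-a": { version: "1.3.0", integrity: "sha512-PLACEHOLDER",
      resolved: "https://registry.npmjs.org/example-a/-/example-a-1.3.0.tgz" },
    "node_modules/@example/b": { version: "2.0.0", integrity: "sha512-PLACEHOLDER",
      resolved: "https://registry.npmjs.org/@example/b/-/b-2.0.0.tgz" },
    "node_modules/example-c": { version: "1.0.0", integrity: "sha512-PLACEHOLDER",
      resolved: "http://mirror.example.test/example-c/-/example-c-1.0.0.tgz" },
    "node_modules/example-d": { version: "2.0.0", integrity: "sha512-PLACEHOLDER",
      resolved: "https://registry.npmjs.org/example-x/-/example-x-2.0.0.tgz" },
  },
};
console.log(auditLockfile(sampleLock));
```

In review, a `name-mismatch` or `host-not-allowed` finding on a lockfile-only pull request is the signal to stop and inspect the diff by hand.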
```bash
npm install -g npq
npq install <package> # Audit before installing
npq install <package> --dry-run # Audit without installing
# Shell alias for seamless use
alias npm='npq-hero'
# Use with other PMs
NPQ_PKG_MGR=pnpm npq install <package>
NPQ_PKG_MGR=bun npq install <package>
```
```bash
npm install -g sfw
sfw npm install <package> # Blocks malicious packages
sfw pnpm add <package>
sfw yarn add <package>
```
Load references/supply-chain-security.md for full comparison of npq vs sfw and what each validates.
Socket CLI provides proactive supply chain security beyond basic vulnerability scanning — covering malware detection, typosquatting, protestware, install script risks, and license compliance.
1. PRE-UPGRADE: socket scan create --report → establish baseline
2. EVALUATE: socket package score npm <pkg>@<ver> → assess target package safety
3. SAFE INSTALL: socket npm install <pkg> → block malicious packages
4. POST-UPGRADE: socket scan create --report → verify no new alerts
5. DIFF: socket scan diff <before> <after> → see exactly what changed
6. FIX: socket fix --minimum-release-age 7d → auto-fix any new CVEs
7. OPTIMIZE: socket optimize → apply security overrides
```bash
# Install
npm install -g socket
# Authenticate (required for scans, fixes, package scores)
socket login
# Check a package before upgrading
socket package score npm <package>
# Scan your whole project
socket scan create --report
# Auto-fix CVEs (complements Dependabot/Renovate)
socket fix --minimum-release-age 7d
# Gate CI on security policy
socket ci
# Safe npm wrapper (free, no auth needed)
socket wrapper on
```
Load references/socket-cli-guide.md for comprehensive command reference, CI workflow templates, alert categories, and free vs authenticated feature matrix.
```bash
# Audit for vulnerabilities
bun audit # Bun
npm audit # npm
yarn audit # Yarn
# Socket: deep security assessment (CVEs + supply chain + license)
socket package score npm <package>
socket scan create --report
# Check for outdated packages
bun outdated
npm outdated
# Interactive upgrade (safe — review each)
bunx npm-check-updates --interactive
# Analyze dependency tree
npm ls <package-name>
yarn why <package-name>
```
Upgrade one dependency at a time with testing between each:
```bash
# 1. Create feature branch
git checkout -b upgrade/<package>-<version>
# 2. (Optional) Baseline scan — capture current state
socket scan create --report
# 3. Evaluate target package before upgrading
socket package score npm <package>@<version>
# 4. Upgrade single package
bun add <package>@<version>
# 5. Test immediately
bun test && bunx tsc --noEmit && bun run build
# 6. (Optional) Post-upgrade scan — verify no new alerts
socket scan create --report
# 7. Commit and continue
git add -A && git commit -m "chore: upgrade <package> to <version>"
```
Load references/staged-upgrades.md for codemod automation, custom migration scripts, and peer dependency handling.
Load references/compatibility-matrix.md for version compatibility tables (React 18/19, Next.js 13-15, TypeScript, Tailwind 3/4).
Configure CI/CD tools to respect cooldown periods:
Dependabot (.github/dependabot.yml):
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
```
Renovate (renovate.json):
```json
{
  "extends": ["config:base"],
  "minimumReleaseAge": "7 days",
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "minimumReleaseAge": "14 days"
    }
  ]
}
```
Snyk includes a built-in 21-day cooldown for upgrade PRs. No configuration needed.
Socket Fix automatically resolves CVEs with intelligent upgrade planning. Runs alongside other automation tools — it focuses on CVE remediation specifically:
```bash
# Fix all fixable CVEs with cooldown alignment
socket fix --minimum-release-age 7d
# Conservative: no major version bumps
socket fix --minimum-release-age 7d --no-major-updates
# Target specific CVEs
socket fix --id GHSA-hhq3-ff78-jv3g --minimum-release-age 7d
# Preview without applying
socket fix --no-apply-fixes --minimum-release-age 7d
```
For CI autopilot mode (auto-creates and auto-merges fix PRs), use templates/socket-fix-ci.tmpl.
Load references/socket-cli-guide.md for full socket fix options including --autopilot, --range-style, and --pr-limit.
Use templates/dependabot-security.tmpl or templates/renovate-security.tmpl for complete config files.
For package maintainers:
```bash
# Enable 2FA
npm profile enable-2fa auth-and-writes
# Publish with provenance (cryptographic build proof)
npm publish --provenance
# Trusted publishing via OIDC (eliminates long-lived tokens)
# Configure on npmjs.com, then:
# In GitHub Actions: permissions: id-token: write
```
Load references/supply-chain-security.md for full publishing security guide including OIDC setup and dependency tree reduction.
Isolate dependency execution from the host system:
- .env files

Use templates/devcontainer-security.tmpl for a hardened dev container config.
Load references/secrets-and-containers.md for dev container setup, secrets management, and dependency reduction patterns.
Run tests at every level after each upgrade:
```bash
# 1. Static analysis (fastest)
bunx tsc --noEmit && bun run lint
# 2. Unit tests
bun test
# 3. Build check
bun run build
# 4. Integration / E2E (after major upgrades)
bun run test:e2e
```
Load references/testing-strategy.md for full testing pyramid, CI integration, and bundle analysis.
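```bash
#!/bin/bash
# Usage: ./upgrade.sh <package>
pkg="${1:?usage: $0 <package>}"
branch="upgrade/$pkg"

git stash   # set local changes aside; restore them later with `git stash pop`
git checkout -b "$branch"
if bun add "$pkg@latest" && bun test && bun run build; then
  git add package.json bun.lock
  git commit -m "chore: upgrade $pkg"
else
  echo "Upgrade failed, rolling back"
  # Discard the modified manifest and lockfile so they do not follow the checkout to main
  git checkout -- package.json bun.lock
  git checkout main
  git branch -D "$branch"
  bun install
fi
```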
Pre-Upgrade:
- [ ] Review current dependency versions
- [ ] Read changelogs for breaking changes
- [ ] Create feature branch
- [ ] Tag current state (git tag pre-upgrade)
- [ ] Run full test suite (baseline)
- [ ] Verify cooldown period is configured
Security Pre-Checks:
- [ ] Post-install scripts are disabled
- [ ] Lockfile validation is active
- [ ] Install auditing tools configured (if applicable)
- [ ] CI uses frozen-lockfile install
- [ ] Run `socket scan create --report` for baseline (if Socket available)
During Upgrade:
- [ ] Upgrade one dependency at a time
- [ ] Check target package: `socket package score npm <pkg>` (if Socket available)
- [ ] Respect cooldown period (don't force latest)
- [ ] Update peer dependencies
- [ ] Fix TypeScript errors
- [ ] Run test suite after each upgrade
- [ ] Check bundle size impact
Post-Upgrade:
- [ ] Post-upgrade scan: `socket scan diff` to verify no new alerts (if Socket available)
- [ ] Consider `socket fix --minimum-release-age 7d` for any new CVEs
- [ ] Full regression testing
- [ ] Performance testing
- [ ] Update documentation
- [ ] Deploy to staging
- [ ] Monitor for errors
- [ ] Deploy to production
- npm update or npm-check-updates -u without review

Load these reference files when the user needs detailed information beyond the quick-reference in SKILL.md:
| Load This File | When |
|---------------|------|
| references/cooldown-config-guide.md | Configuring cooldown for a specific PM, CI tool integration, or exclusion patterns |
| references/package-manager-security.md | Full per-PM hardening guide including pnpm trust policy, blockExoticSubdeps, cross-PM cheat sheet |
| references/supply-chain-security.md | Understanding attack vectors, incident history, npq vs sfw vs Socket CLI comparison, publisher security (2FA, provenance, OIDC) |
| references/secrets-and-containers.md | Setting up dev containers, secrets management with 1Password/Infisical |
| references/socket-cli-guide.md | Using Socket CLI for scans, fixes, package scoring, CI integration, wrapper mode, alert categories |
| references/compatibility-matrix.md | Checking version compatibility for React, Next.js, TypeScript, Tailwind upgrades |
| references/staged-upgrades.md | Codemod automation, custom migration scripts, peer dependency handling, workspace upgrades |
| references/testing-strategy.md | Full testing pyramid, CI integration, bundle analysis, performance testing |
Ready-to-use config files in templates/:
| Template | Purpose |
|----------|---------|
| npmrc-security.tmpl | Secure .npmrc with scripts disabled + cooldown |
| bunfig-security.tmpl | Secure bunfig.toml with cooldown + exclusions |
| pnpm-workspace-security.tmpl | Secure pnpm-workspace.yaml with cooldown, allowBuilds, trustPolicy |
| yarnrc-security.tmpl | Secure .yarnrc.yml with age gate + preapproved packages |
| dependabot-security.tmpl | Dependabot config with 7-day cooldown |
| renovate-security.tmpl | Renovate config with minimumReleaseAge + automerge rules |
| devcontainer-security.tmpl | Hardened dev container with security options |
| socket-fix-ci.tmpl | GitHub Actions: Socket Fix autopilot with cooldown-aligned CVE remediation |
| socket-scan-ci.tmpl | GitHub Actions: Socket CI security gate for every push/PR |