takazudo/dev-package-json
skills/dev-package-json/SKILL.md
Organize and maintain package.json and npm config (.npmrc) for readability and security. Use when: (1) Reorganizing scripts section or adding separators, (2) Extracting multi-process commands into shell scripts, (3) Setting up multi-environment dev commands (local/preview/prod), (4) Handling pnpm "Ignored build scripts" warnings, (5) Configuring .npmrc security (strictDepBuilds, allowBuilds, ignoredBuilds), (6) Managing pnpm via corepack and packageManager field, (7) Adding predev port cleanup. Keywords: package.json, npm scripts, .npmrc, pnpm, build scripts, supply chain, corepack, packageManager, predev, kill port, port in use.
$ install --global
skillsauthnpx skillsauth add takazudo/claude-resources dev-package-jsonInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 8, 2026, 4:26 AM110.5s4 files scanned
SKILL.md
- name:
- dev-package-json
- description:
- Organize and maintain package.json and npm config (.npmrc) for readability and security. Use when: (1) Reorganizing scripts section or adding separators, (2) Extracting multi-process commands into shell scripts, (3) Setting up multi-environment dev commands (local/preview/prod), (4) Handling pnpm \"Ignored build scripts\" warnings, (5) Configuring .npmrc security (strictDepBuilds, allowBuilds, ignoredBuilds), (6) Managing pnpm via corepack and packageManager field, (7) Adding predev port cleanup. Keywords: package.json, npm scripts, .npmrc, pnpm, build scripts, supply chain, corepack, packageManager, predev, kill port, port in use.
package.json & npm Config Management
Part 1: package.json Scripts Organization
Two techniques for keeping large scripts sections readable and maintainable.
Technique 1: Comment Separator Keys
Add visual section dividers using unused JSON keys:
{
"scripts": {
"// ── Core ─────────────────────────────────────────": "",
"dev": "next dev",
"build": "next build",
"// ── Testing ─────────────────────────────────────": "",
"test": "jest",
"test:e2e": "playwright test"
}
}
Format: "// ── Section Name ──────..." with ─ padding to ~50 chars, value "".
Technique 2: Predev Port Cleanup
Add a predev script that kills stale processes on dev server ports before starting. This prevents "port already in use" errors that commonly occur after crashes, orphaned processes, or forgotten terminal sessions.
{
"scripts": {
"predev": "lsof -ti :5173,:8787 | xargs kill 2>/dev/null; true",
"dev": "next dev"
}
}
How it works:
lsof -ti :PORT— finds PIDs listening on specified ports (-t= terse/PID-only,-i= internet addresses)- Comma-separated ports:
:5173,:8787checks multiple ports at once xargs kill— sends SIGTERM (graceful) to found processes2>/dev/null; true— silently succeeds when no processes are found- npm/pnpm auto-runs
predevbeforedev(lifecycle hook convention)
Adapt port numbers to match your project's dev servers (e.g., :3000,:8080 for a typical Node.js + API setup).
Technique 3: External Shell Scripts for Multi-Process Commands
When a command starts 2+ background processes, extract to scripts/*.sh.
Template available at scripts/multi-process-dev.sh.template. Key pattern:
#!/bin/bash
set -e
cleanup() {
kill $PID_1 $PID_2 2>/dev/null
wait $PID_1 $PID_2 2>/dev/null
}
trap cleanup EXIT INT TERM
if [ "$MODE" = "local" ]; then
backend-server &
PID_1=$!
sleep 3
fi
pnpm dev &
PID_2=$!
wait
Call from package.json: "dev:full": "MODE=local ./scripts/dev-full.sh"
Make executable: chmod +x scripts/*.sh
Multi-Environment Pattern
For apps with local/preview/production API targets:
{
"// ── Dev with API (3 environments) ───────────────": "",
"dev:full": "API_MODE=local ./scripts/dev-full.sh",
"dev:full:preview": "API_MODE=preview pnpm dev",
"dev:full:prod": "API_MODE=production pnpm dev"
}
Detailed Patterns
See references/patterns.md for:
- Full list of suggested section names
- Namespace prefixing for monorepo sub-packages
- Internal/private script conventions (
_prefix) - Complete multi-process shell script template with explanations
Part 2: pnpm Version Management with Corepack
The packageManager Field
Pin the exact pnpm version in package.json:
{
"packageManager": "[email protected]+sha512.36cdc707e7b..."
}
This ensures every developer and CI uses the identical pnpm version. Corepack reads this field and auto-downloads the specified version.
Setup (Once Per Machine)
corepack enable
After this, running pnpm install / pnpm dev / etc. just works — corepack intercepts the pnpm command and uses the pinned version automatically. No global pnpm install needed.
Key Rules
- Never run
pnpm self-update— it errors when pnpm is managed by corepack - Never run
corepack use pnpm@latestroutinely — it bumps the version inpackage.jsonand often regeneratespnpm-lock.yaml, creating noisy diffs - Only update intentionally — when the team decides to upgrade, one person runs
corepack use pnpm@<version>, commits thepackage.json+ lockfile changes, and everyone else gets it viapnpm install - Different repos can pin different versions — corepack handles per-project version switching automatically
Common Mistake
AI tools and automation sometimes add corepack use pnpm@latest to setup steps. This causes unnecessary version bumps and lockfile churn. Remove it — corepack enable + the existing packageManager field is sufficient.
Part 3: .npmrc Build Script Security Management
Evaluate and manage dependency build scripts for supply chain security.
See references/npmrc-build-scripts.md for:
- The full evaluation workflow for "Ignored build scripts" warnings
- Decision criteria for allowBuilds vs ignoredBuilds
- Common package evaluations (reference table)
- .npmrc configuration patterns
Related Skills
takazudo/dev-linkify-cc-resources
development
VerifiedTrustedCommunity
Link Claude Code skill names mentioned in a CodeGrid article (data/{series}/{n}.md) to the author's public claude-resources repo, pinned to the latest commit hash so links don't rot. Use when: (1) user says 'linkify cc resources', 'link the skills', 'link skill names', or invokes /dev-linkify-cc-resources; (2) editing a CodeGrid article that mentions `/commits`, `/pr-complete`, `/skill-creator` or other Claude Code skills and they should point to claude-resources. Only links skills that actually exist in the public repo; skips hypothetical examples and code blocks.
10SKILL.mdUpdated Jun 2, 2026
takazudo/opus-2nd
development
VerifiedTrustedCommunity
Second opinion from Claude Opus on a plan or approach. Use when: (1) Planning phase of /big-plan needs a higher-quality review than /codex-2nd / /gco-2nd / /gcoc-2nd, (2) User says 'opus 2nd' or 'opus opinion', (3) Wanting Anthropic's larger model to critique a plan. Spawns a general-purpose Agent with model: opus that reads the plan file and returns structured feedback. Anthropic quota — not free.
10SKILL.mdUpdated May 29, 2026
takazudo/dev-ai-based-test
tools
VerifiedTrustedCommunity
AI-based testing via subagent + a per-task test-flow skill. Use when the user wants to verify something that mechanical assertions can't fully capture — image recognition, visual size/position comparison, animation smoothness, multi-step manual flows that need AI judgment. Triggers: 'AI-based test', 'AI test', 'visual verify', 'image recognition test', 'manual operation test', 'human-eye check', 'verify visually', 'compare screenshots', 'looks the same', 'looks correct'. The skill's job is to (1) author a focused test-flow skill that captures the exact procedure + verdict criteria, then (2) dispatch a verification subagent via the Agent tool that loads BOTH the test-flow skill AND a browser-driving skill (/verify-ui primary, /headless-browser fallback) so the subagent has clear context and consistent verdicts. NEVER uses `claude -p` — subagent dispatch goes through the Agent tool exclusively.
10SKILL.mdUpdated May 29, 2026
takazudo/cleanup-resources
development
VerifiedTrustedCommunity
End-of-workflow audit of touched GitHub issues, PRs, and branches via a Sonnet subagent. Use when: (1) /big-plan, /x-as-pr, or /x-wt-teams finishes its main work and needs to verify every touched resource is in the right state (closed when done, kept when ongoing, deleted when dead), (2) User says 'cleanup resources', 'audit cleanup', or 'check what should be closed', (3) A long workflow ends and the manager wants a structured paper trail of what it closed/kept/deleted. Auto-execute by default — the Sonnet agent proposes, the manager (you) executes safe actions and prints a final report.
10SKILL.mdUpdated May 29, 2026