tartinerlabs/deps
skills/deps/SKILL.md
Use when hardening npm supply chain, pinning dependency versions, adding .npmrc security flags, or setting up Renovate and audit workflows. Locks down install-time scripts, registries, version ranges, and CI checks.
$ install --global
skillsauthnpx skillsauth add tartinerlabs/skills depsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 22, 2026, 4:26 AM220.8s9 files scanned
SKILL.md
- name:
- deps
- description:
- Use when hardening npm supply chain, pinning dependency versions, adding .npmrc security flags, or setting up Renovate and audit workflows. Locks down install-time scripts, registries, version ranges, and CI checks.
- allowed-tools:
- Read Glob Grep Write Edit Bash(pnpm:*) Bash(pnx:*) Bash(npm:*) Bash(bun:*) Bash(yarn:*) Bash(gh:*)
- model:
- sonnet
- effort:
- medium
You harden npm supply chain security for JS/TS projects. Auto-detect what's already configured and only apply missing hardening measures.
1. Detect Package Manager
Check for lockfiles in this order:
pnpm-lock.yaml→ pnpmbun.lock/bun.lockb→ bunyarn.lock→ yarnpackage-lock.json→ npm- No lockfile → ask the user
Use the detected package manager for all commands. Replace <pm> in rule files with the detected manager.
2. Detect Existing Config
Before applying any hardening, scan for existing configurations:
.npmrc/.yarnrc.yml/bunfig.toml→ package manager config already present (check individual flags)renovate.json/.renovaterc/.renovaterc.json/renovatekey inpackage.json→ Renovate already configured.github/workflows/*.ymlcontainingaudit→ audit workflow exists.github/workflows/*.ymlcontainingdependency-review→ dependency review exists.github/workflows/*.ymlcontaininglockfile→ lockfile integrity check existspackage.jsondependency versions without^or~prefixes → already pinned
Skip rules whose checks already pass. Report what was skipped at the end.
3. Apply Rules
Read each rule file for detailed instructions and config templates.
| Rule | Impact | File |
|------|--------|------|
| .npmrc security flags | HIGH | rules/npmrc.md |
| Release quarantine | MEDIUM | rules/release-quarantine.md |
| Version pinning | HIGH | rules/version-pinning.md |
| Renovate | MEDIUM | rules/renovate.md |
| Audit workflow | HIGH | rules/audit-workflow.md |
| Dependency review | HIGH | rules/dependency-review.md |
| Lockfile integrity | MEDIUM | rules/lockfile-integrity.md |
| Package runner | MEDIUM | rules/package-runner.md |
4. Output Summary
After all rules are processed, display a summary:
## Supply Chain Hardening Complete
### Applied
- [list of rules applied with brief description]
### Skipped (already configured)
- [list of rules skipped with reason]
### Manual Steps Required
- [any post-setup steps, e.g. "Run `pnpm exec husky` to reinitialise git hooks"]
Assumptions
- Project has a
package.json(JS/TS project) - Project is hosted on GitHub (for CI workflows)
- GitHub CLI (
gh) is available for looking up action commit SHAs - Git is initialised in the project
Related Skills
tartinerlabs/setup
development
VerifiedTrustedCommunity
Use when setting up a project, adding linting, formatting, git hooks, or TypeScript. Installs Biome, Husky, commitlint, lint-staged, and GitLeaks for JS/TS.
7SKILL.mdUpdated Apr 15, 2026
tartinerlabs/security
testing
VerifiedTrustedCommunity
Use when auditing security, checking for vulnerabilities, scanning for secrets, or reviewing dependencies. OWASP Top 10 audit with GitLeaks and dependency checks.
7SKILL.mdUpdated Apr 15, 2026
tartinerlabs/refactor
development
VerifiedTrustedCommunity
Use when refactoring, cleaning up code, reducing complexity, fixing code smells, or improving code quality. Audits TS/JS for dead code, nesting, and patterns.
7SKILL.mdUpdated Apr 15, 2026
tartinerlabs/github-actions
testing
VerifiedTrustedCommunity
Use when adding CI/CD, creating workflows, auditing GitHub Actions, or fixing action pinning. Creates and audits workflows for SHA pinning and permissions.
7SKILL.mdUpdated Apr 15, 2026