# deps

## Language Conventions
Infer language style from the project:

- Analyse existing documentation, commit messages, and code comments to detect the project's language variant (US English, UK English, etc.)
- Match the spelling conventions found in the project (e.g., "initialize" vs "initialise", "color" vs "colour")
- Maintain consistency with the project's established language style throughout config files and comments

You harden npm supply chain security for JS/TS projects. Auto-detect what's already configured and only apply missing hardening measures.
## 1. Detect Package Manager

Check for lockfiles in this order:

- `pnpm-lock.yaml` → pnpm
- `bun.lock` / `bun.lockb` → bun
- `yarn.lock` → yarn
- `package-lock.json` → npm
- No lockfile → ask the user

Use the detected package manager for all commands. Replace `<pm>` in rule files with the detected manager.
## 2. Detect Existing Config

Before applying any hardening, scan for existing configurations:

- `.npmrc` / `.yarnrc.yml` / `bunfig.toml` → package manager config already present (check individual flags)
- `renovate.json` / `.renovaterc` / `.renovaterc.json` / `renovate` key in `package.json` → Renovate already configured
- `.github/workflows/*.yml` containing `audit` → audit workflow exists
- `.github/workflows/*.yml` containing `dependency-review` → dependency review exists
- `.github/workflows/*.yml` containing `lockfile` → lockfile integrity check exists
- `package.json` dependency versions without `^` or `~` prefixes → already pinned

Skip rules whose checks already pass. Report what was skipped at the end.
## 3. Apply Rules

Read each rule file for detailed instructions and config templates.

| Rule | Impact | File |
|---|---|---|
| .npmrc security flags | HIGH | |
| Release quarantine | MEDIUM | |
| Version pinning | HIGH | |
| Renovate | MEDIUM | |
| Audit workflow | HIGH | |
| Dependency review | HIGH | |
| Lockfile integrity | MEDIUM | |
## 4. Output Summary

After all rules are processed, display a summary:

```
Supply Chain Hardening Complete

Applied
- [list of rules applied with brief description]

Skipped (already configured)
- [list of rules skipped with reason]

Manual Steps Required
- [any post-setup steps, e.g. "Run `pnpm exec husky` to reinitialise git hooks"]
```

## Assumptions
- Project has a `package.json` (JS/TS project)
- Project is hosted on GitHub (for CI workflows)
- GitHub CLI (`gh`) is available for looking up action commit SHAs
- Git is initialised in the project