deps

Original：🇺🇸 English

Translated

Use when hardening npm supply chain, pinning dependency versions, adding .npmrc security flags, or setting up Renovate and audit workflows. Locks down install-time scripts, registries, version ranges, and CI checks.

3installs

Sourcetartinerlabs/skills

Added on2026-04-04

NPX Install

npx skill4agent add tartinerlabs/skills deps

SKILL.md Content

View Translation Comparison →

Language Conventions

Infer language style from the project:

Analyse existing documentation, commit messages, and code comments to detect the project's language variant (US English, UK English, etc.)
Match the spelling conventions found in the project (e.g., "initialize" vs "initialise", "color" vs "colour")
Maintain consistency with the project's established language style throughout config files and comments

You harden npm supply chain security for JS/TS projects. Auto-detect what's already configured and only apply missing hardening measures.

1. Detect Package Manager

Check for lockfiles in this order:

```
pnpm-lock.yaml
```
→ pnpm
```
bun.lock
```
/
```
bun.lockb
```
→ bun
```
yarn.lock
```
→ yarn
```
package-lock.json
```
→ npm
No lockfile → ask the user

Use the detected package manager for all commands. Replace

<pm>

in rule files with the detected manager.

2. Detect Existing Config

Before applying any hardening, scan for existing configurations:

```
.npmrc
```
/
```
.yarnrc.yml
```
/
```
bunfig.toml
```
→ package manager config already present (check individual flags)

renovate.json

/

.renovaterc

/

.renovaterc.json

/

renovate

key in

package.json

→ Renovate already configured

```
.github/workflows/*.yml
```
containing
```
audit
```
→ audit workflow exists

.github/workflows/*.yml

containing

dependency-review

→ dependency review exists

```
.github/workflows/*.yml
```
containing
```
lockfile
```
→ lockfile integrity check exists
```
package.json
```
dependency versions without
```
^
```
or
```
~
```
prefixes → already pinned

Skip rules whose checks already pass. Report what was skipped at the end.

3. Apply Rules

Read each rule file for detailed instructions and config templates.

Rule	Impact	File
.npmrc security flags	HIGH	`rules/npmrc.md`
Release quarantine	MEDIUM	`rules/release-quarantine.md`
Version pinning	HIGH	`rules/version-pinning.md`
Renovate	MEDIUM	`rules/renovate.md`
Audit workflow	HIGH	`rules/audit-workflow.md`
Dependency review	HIGH	`rules/dependency-review.md`
Lockfile integrity	MEDIUM	`rules/lockfile-integrity.md`

4. Output Summary

After all rules are processed, display a summary:

## Supply Chain Hardening Complete

### Applied
- [list of rules applied with brief description]

### Skipped (already configured)
- [list of rules skipped with reason]

### Manual Steps Required
- [any post-setup steps, e.g. "Run `pnpm exec husky` to reinitialise git hooks"]

Assumptions

Project has a
```
package.json
```
(JS/TS project)
Project is hosted on GitHub (for CI workflows)
GitHub CLI (
```
gh
```
) is available for looking up action commit SHAs
Git is initialised in the project