{"id":"c2c0ed83-a5d3-4726-83fb-92398ef1250c","shortId":"cSrfch","kind":"skill","title":"deps","tagline":"Use when hardening npm supply chain, pinning dependency versions, adding .npmrc security flags, or setting up Renovate and audit workflows. Locks down install-time scripts, registries, version ranges, and CI checks.","description":"You harden npm supply chain security for JS/TS projects. Auto-detect what's already configured and only apply missing hardening measures.\n\n## 1. Detect Package Manager\n\nCheck for lockfiles in this order:\n1. `pnpm-lock.yaml` → **pnpm**\n2. `bun.lock` / `bun.lockb` → **bun**\n3. `yarn.lock` → **yarn**\n4. `package-lock.json` → **npm**\n5. No lockfile → ask the user\n\nUse the detected package manager for all commands. Replace `<pm>` in rule files with the detected manager.\n\n## 2. Detect Existing Config\n\nBefore applying any hardening, scan for existing configurations:\n- `.npmrc` / `.yarnrc.yml` / `bunfig.toml` → package manager config already present (check individual flags)\n- `renovate.json` / `.renovaterc` / `.renovaterc.json` / `renovate` key in `package.json` → Renovate already configured\n- `.github/workflows/*.yml` containing `audit` → audit workflow exists\n- `.github/workflows/*.yml` containing `dependency-review` → dependency review exists\n- `.github/workflows/*.yml` containing `lockfile` → lockfile integrity check exists\n- `package.json` dependency versions without `^` or `~` prefixes → already pinned\n\n**Skip rules whose checks already pass.** Report what was skipped at the end.\n\n## 3. 
Apply Rules\n\nRead each rule file for detailed instructions and config templates.\n\n| Rule | Impact | File |\n|------|--------|------|\n| .npmrc security flags | HIGH | `rules/npmrc.md` |\n| Release quarantine | MEDIUM | `rules/release-quarantine.md` |\n| Version pinning | HIGH | `rules/version-pinning.md` |\n| Renovate | MEDIUM | `rules/renovate.md` |\n| Audit workflow | HIGH | `rules/audit-workflow.md` |\n| Dependency review | HIGH | `rules/dependency-review.md` |\n| Lockfile integrity | MEDIUM | `rules/lockfile-integrity.md` |\n\n## 4. Output Summary\n\nAfter all rules are processed, display a summary:\n\n```\n## Supply Chain Hardening Complete\n\n### Applied\n- [list of rules applied with brief description]\n\n### Skipped (already configured)\n- [list of rules skipped with reason]\n\n### Manual Steps Required\n- [any post-setup steps, e.g. \"Run `pnpm exec husky` to reinitialise git hooks\"]\n```\n\n## Assumptions\n\n- Project has a `package.json` (JS/TS project)\n- Project is hosted on GitHub (for CI workflows)\n- GitHub CLI (`gh`) is available for looking up action commit SHAs\n- Git is initialised in the project","tags":["deps","skills","tartinerlabs","agent-skills","automation","claude-code","claude-code-skills","cli","code-quality","developer-tools","github-actions","productivity"],"capabilities":["skill","source-tartinerlabs","skill-deps","topic-agent-skills","topic-automation","topic-claude-code","topic-claude-code-skills","topic-cli","topic-code-quality","topic-developer-tools","topic-github-actions","topic-productivity","topic-tailwind-css"],"categories":["skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/tartinerlabs/skills/deps","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add tartinerlabs/skills","source_repo":"https://github.com/tartinerlabs/skills","install_from":"skills.sh"}},"qualityScore":"0.453","qualityRationale":"deterministic score 0.45 from registry signals: · indexed 
on github topic:agent-skills · 7 github stars · SKILL.md body (2,304 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:13:56.382Z","embedding":null,"createdAt":"2026-05-18T13:21:00.808Z","updatedAt":"2026-05-18T19:13:56.382Z","lastSeenAt":"2026-05-18T19:13:56.382Z",
"prices":[{"id":"68a5dce2-f728-4cbf-b58a-a0412845cd11","listingId":"c2c0ed83-a5d3-4726-83fb-92398ef1250c","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"tartinerlabs","category":"skills","install_from":"skills.sh"},"createdAt":"2026-05-18T13:21:00.808Z"}],"sources":[{"listingId":"c2c0ed83-a5d3-4726-83fb-92398ef1250c","source":"github","sourceId":"tartinerlabs/skills/deps","sourceUrl":"https://github.com/tartinerlabs/skills/tree/main/skills/deps","isPrimary":false,"firstSeenAt":"2026-05-18T13:21:00.808Z","lastSeenAt":"2026-05-18T19:13:56.382Z"}],"details":{"listingId":"c2c0ed83-a5d3-4726-83fb-92398ef1250c","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"tartinerlabs","slug":"deps","github":{"repo":"tartinerlabs/skills","stars":7,"topics":["agent-skills","automation","claude-code","claude-code-skills","cli","code-quality","developer-tools","github-actions","productivity","tailwind-css"],"license":"mit","html_url":"https://github.com/tartinerlabs/skills","pushed_at":"2026-05-17T09:09:47Z","description":"Claude Code skills for git workflows, GitHub automation, security audits, code refactoring, and project tooling","skill_md_sha":"70e5aa0b08fc67b91a53a00c2aad05e87dabb5fd","skill_md_path":"skills/deps/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/tartinerlabs/skills/tree/main/skills/deps"},"layout":"multi","source":"github","category":"skills","frontmatter":{"name":"deps","description":"Use when hardening npm supply chain, pinning dependency versions, adding .npmrc security flags, or setting up Renovate and audit workflows. 
Locks down install-time scripts, registries, version ranges, and CI checks."},"skills_sh_url":"https://skills.sh/tartinerlabs/skills/deps"},"updatedAt":"2026-05-18T19:13:56.382Z"}}